Posted by: David Harley | September 18, 2013

A Mac Trojan with Leverage

Another apparently-targeted Trojan flagged by Lysa Myers for Intego. The malware Intego calls OSX/Leverage.A is considered to be low risk as far as most Mac users are concerned (and in any case at the time of Lysa’s blog, the C&C server was down). The article does document some interesting features, though, and as usual is well worth reading:

  • Its technique for disguising itself as a photographic image (of two characters from the US drama Leverage, according to Graham Cluley)
  • The implications of the attack vector (unknown) in terms of whether Gatekeeper will provide an alert
  • The attempt to download another image that suggests a link with the Syrian Electronic Army. (Of course, that could be misdirection.)

The Trojan copies itself to /Users/Shared/UserEvent.app. Hashes:

  • MD5    6a36379b1da8919c1462f62deee666be
  • SHA-1 40b34e91cde683a567974750d1c5c9bcb09a87bb

According to VirusTotal, only Sophos was detecting it (apart from Intego, of course) as of this morning.
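As an added illustration (not code from this post, from Intego or from ESET), the following Python script turns the indicators above into a host check a Mac administrator could run: it reports whether the dropped path /Users/Shared/UserEvent.app exists and hashes every regular file under the given directories against the published MD5 and SHA-1 values. It assumes the hashes refer to the dropped file itself (an .app bundle is a directory, so every file inside it is hashed individually) and that a match on either digest is enough to flag a file; the scan roots and the benign sample used in its self-check are my own choices, not from the post.

```python
"""Check a host for the OSX/Leverage.A indicators listed in the post (added example)."""
import hashlib
import os
import sys

# Indicators copied from the post: dropped path plus MD5 and SHA-1 of the dropped file.
LEVERAGE_PATH = "/Users/Shared/UserEvent.app"
LEVERAGE_MD5 = "6a36379b1da8919c1462f62deee666be"
LEVERAGE_SHA1 = "40b34e91cde683a567974750d1c5c9bcb09a87bb"


def file_digests(path, chunk_size=65536):
    """Return (md5_hex, sha1_hex) for one file, streamed in chunks so large files are fine."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def matches_ioc(md5_hex, sha1_hex):
    """True if either digest equals a published Leverage.A hash (case-insensitive compare)."""
    return md5_hex.lower() == LEVERAGE_MD5 or sha1_hex.lower() == LEVERAGE_SHA1


def scan_tree(root):
    """Walk root and return (path, md5, sha1) for every file whose hash matches an indicator.

    Files that cannot be read (permissions, vanished during the walk) are skipped so one
    error does not abort the whole scan.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                md5_hex, sha1_hex = file_digests(path)
            except OSError:
                continue
            if matches_ioc(md5_hex, sha1_hex):
                hits.append((path, md5_hex, sha1_hex))
    return hits


def check_host(roots=("/Users/Shared",)):
    """Report the dropped path's presence and any hash hits under the chosen roots.

    The default root is an assumption: the post only names /Users/Shared/UserEvent.app,
    so scanning its parent directory covers a renamed copy in the same place.
    """
    report = {"path_present": os.path.exists(LEVERAGE_PATH), "hash_hits": []}
    for root in roots:
        if os.path.isdir(root):
            report["hash_hits"].extend(scan_tree(root))
    return report


if __name__ == "__main__":
    result = check_host(sys.argv[1:] or ("/Users/Shared",))
    print("UserEvent.app present:", result["path_present"])
    for hit_path, hit_md5, hit_sha1 in result["hash_hits"]:
        print("IoC match:", hit_path, hit_md5, hit_sha1)
    if not result["path_present"] and not result["hash_hits"]:
        print("No Leverage.A indicators found under the scanned roots.")
```

Run it as `python3 leverage_check.py /Users/Shared ~/Downloads` to add more directories; a hash match is strong evidence, while an existing UserEvent.app path on its own only warrants a closer look, since the name could be reused by something harmless.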

David Harley
Small Blue-Green World
ESET Senior Research Fellow
