Right-to-left override (RLO) is a special character used in bi-directional text encoding system to mark the start of text that are to be displayed from right to left. It is commonly used by Windows malware such as Bredolab and the high-profile Mahdi trojan from last year to hide the real extension of executable files. Check out this Krebs on Security post for more details on the trick.
We’ve spotted a malware for Mac using the RLO trick. It was submitted to VirusTotal last Friday.
The objective here is not as convoluted as the one described in Kreb’s post. Here it’s simply to hide the real extension. The malware could have just used “Recent New.pdf.app”. However OS X has already considered this and displays the real extension as a precaution.
The malware is written in Python and it uses py2app for distribution. Just like Hackback, it’s signed with an Apple Developer ID.
However, because of the RLO character, the usual file quarantine notification from OS X will be backwards just like the Krebs case.
The malware drops and open a decoy document on execution.
Then it creates a cron job for its launch point and a hidden folder in the home directory of the infected user to store its components.
The malware connects to the following pages to obtain the address of its command and control server:
• http://www.youtube.com/watch?v=DZZ3tTTBiTs
• http://www.youtube.com/watch?v=ky4M9kxUM7Y
• http://hjdullink.nl/images/re.php
It parses for the address in the string “just something i made up for fun, check out my website at (address) bye bye”.
The YouTube page look like this:
Doing a Google search for the string reveals that there are other sites being abused besides those mentioned above.
The malware then continuously takes screen shots and records audio (using a third party software called SoX) and uploads them to the command and control server. It also continuously polls the command and control server for commands to execute.
The malware is detected by F-Secure as Backdoor:Python/Janicab.A.
Updated to add:
Here are the stats from one of the YouTube videos being used as a C&C locater:
The videos predate the Janicab.A binary by at least a month. Based on the stats, it seems likely there are earlier variants in the wild.
Leave a reply