Doctor Web has discovered a new scheme to spread malicious software for devices running Mac OS X. Trojan.Muxler (OSX/Revir) authors are behind the malignant design. To lure users attackers use pictures of the popular Russian model Irina Shayk.
The malicious code is placed into a ZIP-archive containing various photos, including Irina Shayk’s pictures. Archive samples have been uploaded to virustotal.com as Pictures and the Pictures and the Ariticle of Renzin Dorjee.zip and FHM Feb Cover Girl Irina Shayk H-Res Pics.zip. Currently Doctor Web doesn’t have complete information as to the archive spreading scheme but apparently it is a not spread widely.
When the archive contents is extracted, an application is saved on the disk in addition to photos. Its icon displayed in the Finder window is practically no different from other images. Intruders expect that a careless user may fail to distinguish the program icon from an image and launch it.
This executable file named FileAgent is a Trojan.Muxler.3 malware. It decrypts and executes a backdoor module detected by Dr.Web anti-virus software as BackDoor.Muxler.3 (OSX/Imuler). This module is copied to a file named Mdworker, located in the /tmp directory. When launched, Trojan.Muxler.3 displays an enlarged copy of a photo and removes itself.
The backdoor allows intruders to perform various commands to download and run programs, create Mac OS X desktop screenshots. In addition, Trojan.Muxler.3 downloads the CurlUpload file from the Internet and stores it in the /tmp folder. The file is detected by Dr.Web as Trojan.Muxler.2 and is used to upload various files from the infected machine to a remote server.
The program poses a threat to Mac OS X because the backdoor is used to control an infected machine. Intruders can take screenshots and thus monitor user activity, covertly run third-party applications ad transfer files stored on a hard drive in the compromised system to a remote server. Some of these files may contain sensitive information.
Leave a reply