Mac Trojan Masquerades as Chinese-Language PDF File

By Fahmida Y. Rashid  |  Posted 2011-09-25

Researchers have analyzed a new piece of malware that masquerades as a PDF document and executed malicious code when opened. What makes this Trojan unusual is that it targets Macs.

Sophos and F-Secure discovered the Trojan, which uses a "double extension" trick where a second file extension is added to the file to hide the fact that it is an executable. It's an old trick in the Windows world, and successfully tricks users because of the perception that PDF files are safer to open than other file types. Researchers believe this Trojan is still in the testing phase and the developers had submitted it to malware tracking site VirusTotal to see which major security product could detect it.

Most likely a proof of concept, it is "clunky, yet it can work," Intego's researchers wrote on the Mac Malware blog.

The Mac malware has two parts, a dropper file that downloads the actual backdoor Trojan which connects to a remote server and a Chinese-language PDF file about the Diaoyu Islands. Also known as Senkaku Islands, both China and Japan claim sovereignty over the island chain.

"Because the document is opened, users may believe that they have opened a harmless PDF rather than run a program," Graham Cluley, senior technology consultant at Sophos, wrote on Naked Security blog.

Instead, the Trojan is sending information collected from the infected system and executing instructions sent from the command-and-control server.

The malware itself doesn't exploit any known vulnerabilities in the operating system or installed software. Like the MacDefender fake antivirus that infected Mac users in May, this Trojan relies on social engineering tricks to dupe users into downloading and opening the file. While it is still a low-risk Trojan, it is a sign that malware authors are beginning to use Windows tricks to go after Mac users, Cluley said.


Rocket Fuel