OSX/Leverage.A new trojan for Mac OS X detected by Xprotect
New OS X Trojan found and blocked by Apple's XProtect
A new command-and-control Trojan for OS X appears to be associated with the Syrian Electronic Army.
Security company Intego recently found a new malware package for OS X, called OSX/Leverage.A, which appears to be yet another targeted command-and-control Trojan horse, this time with apparent associations with the Syrian Electronic Army; however, Apple has blocked its ability to run with an XProtect update only days after its discovery.
The Trojan horse is distributed as an application disguised as a picture of two people kissing, presumably a scene from the television show "Leverage," hence the name of the Trojan.
When the Trojan's installer is opened, it will open an embedded version of the image in Apple's Preview program, in an attempt to maintain the idea that it is just a picture, while the program installs the true Trojan in the background. In addition, the Trojan is built with a couple of code modifications that prevent it from showing up as a running application in the user's Dock or in the Command-Tab application switch list.
The Trojan itself will be a program called UserEvent.app and will be placed in the /Users/Shared/ directory. It will then install a launch agent called UserEvent.System.plist in the current user's LaunchAgents directory, which is used to keep the program running whenever the user is logged in. These two locations do not require authentication for any user to access, so the Trojan can place these files without prompting for an admin username and password.
This image is downloaded by the malware, suggesting possible association with the politically motivated Syrian Electronic Army hacking group.(Credit: Screenshot by Topher Kessler/CNET)
Once installed, the running Trojan will, among standard command-and-control activity like grabbing personal information, attempt to download an image associating the nefarious activity with the Syrian Electronic Army, a relatively new hacking group associated with the Assad regime in Syria. When contacted by Mashable, the group claimed that it is not associated with the Trojan.
While this new malware is out there and has affected a few people, it is not a major threat at this time, one reason being that the command and control servers it connects to appear to be offline. In addition, though for now the exact mode of distribution is unknown, if done through a Web browser or Apple's Mail e-mail client, then Gatekeeper in OS X will issue a warning about the program not being a signed package. Additionally, Apple has recently updated its XProtect anti-malware scanner to specifically detect and quarantine this malware.
Beyond these security measures, you can take some additional steps to help secure your system from similar Trojans. Since most malware attempts in OS X have used various Launch Agent scripts to keep themselves running, you can use Apple's Folder Actions feature to set up a launch agent monitor that will notify you of anytime such scripts are being set up in the system.