The Syrian Electronic Army says it has nothing to do with the backdoor Trojan

Sep 18, 2013 06:58 GMT

Security researchers from Intego have uncovered a new Trojan that targets OS X machines. Dubbed “OSX/Leverage.A,” the malware has been spotted in the wild, but experts say the overall threat level is low because it appears to be used only in targeted attacks.

OSX/Leverage.A was found by researchers on VirusTotal. It was submitted to the malware analysis website by a user from Belarus.

At first sight, the malicious Mac application appears to be an image file. In reality, it’s a .app file that opens a backdoor on infected devices.

Experts are uncertain how the malware is delivered. It could be distributed via email or placed on a watering hole website.

When it’s executed on a device, the Trojan copies itself to /Users/Shared/UserEvent.app. That copy is launched at login through a LaunchAgent created at ~/Library/LaunchAgents/UserEvent.System.plist.

In the meantime, a genuine image file is opened to avoid raising any suspicion.

After it’s installed, the Mac malware opens a backdoor and starts connecting to a command and control server (C&C) via port 7777. Currently, the C&C server appears to be offline.
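The persistence described above (a copy of the app in /Users/Shared and a per-user LaunchAgent that launches it) is something a defender can check for directly. The script below is an added example, not Intego's tooling or anything from the original report: it scans a user's LaunchAgents folder for the plist name the article gives and for any agent whose program lives under /Users/Shared, and it checks for the dropped app. The only indicators taken from the article are the two paths; the ProgramArguments value in the constructed sample plist is an assumption made so the example can run offline.

```python
"""Hunt for OSX/Leverage.A-style persistence: a LaunchAgent that starts an
app dropped in /Users/Shared. Added example; only the two file paths come
from the article, everything else is constructed for demonstration."""
import os
import plistlib
import tempfile

# Artifact names reported for OSX/Leverage.A (from the article).
SHARED_APP = "UserEvent.app"
AGENT_PLIST = "UserEvent.System.plist"


def scan_launch_agents(home, shared_dir="/Users/Shared"):
    """Return a list of human-readable findings for one user's home directory.

    Checks: (1) the dropped app exists in the shared directory, (2) a
    LaunchAgent with the reported name exists, (3) any LaunchAgent launches a
    program from the shared directory, which is unusual for legitimate agents.
    """
    findings = []
    app_path = os.path.join(shared_dir, SHARED_APP)
    if os.path.exists(app_path):
        findings.append("dropped app present: %s" % app_path)

    agents_dir = os.path.join(home, "Library", "LaunchAgents")
    if not os.path.isdir(agents_dir):
        return findings

    for name in sorted(os.listdir(agents_dir)):
        if not name.endswith(".plist"):
            continue
        plist_path = os.path.join(agents_dir, name)
        if name == AGENT_PLIST:
            findings.append("known agent name: %s" % plist_path)
        try:
            with open(plist_path, "rb") as fh:
                data = plistlib.load(fh)
        except Exception:
            # Unreadable or malformed plist: skip rather than crash the hunt.
            continue
        if not isinstance(data, dict):
            continue
        # launchd accepts either a single Program string or a ProgramArguments list.
        targets = []
        if isinstance(data.get("Program"), str):
            targets.append(data["Program"])
        targets += [a for a in data.get("ProgramArguments", []) if isinstance(a, str)]
        for target in targets:
            if target.startswith(shared_dir.rstrip("/") + "/") or SHARED_APP in target:
                findings.append("agent %s launches from shared dir: %s" % (name, target))
    return findings


def build_sample(base):
    """Create a constructed infected layout under `base` (assumed paths, not
    real malware) plus one benign agent, and return (home, shared_dir)."""
    home = os.path.join(base, "home")
    shared = os.path.join(base, "Users", "Shared")
    agents = os.path.join(home, "Library", "LaunchAgents")
    os.makedirs(agents)
    os.makedirs(os.path.join(shared, SHARED_APP, "Contents", "MacOS"))
    # Constructed: the executable path inside the .app bundle is an assumption.
    with open(os.path.join(agents, AGENT_PLIST), "wb") as fh:
        plistlib.dump({
            "Label": "UserEvent.System",
            "ProgramArguments": [os.path.join(shared, SHARED_APP, "Contents", "MacOS", "UserEvent")],
            "RunAtLoad": True,
        }, fh)
    # Benign agent that should not be flagged.
    with open(os.path.join(agents, "com.example.sync.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.sync",
                       "ProgramArguments": ["/usr/bin/true"]}, fh)
    return home, shared


def run_demo():
    """Build the constructed sample in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as base:
        home, shared = build_sample(base)
        return scan_launch_agents(home, shared)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
    # On a real Mac, scan the current user with the article's shared path:
    # print(scan_launch_agents(os.path.expanduser("~")))
```

Running it against a live system means calling `scan_launch_agents(os.path.expanduser("~"))` for each user home; an empty list means none of the three indicators was seen, which rules out only this specific persistence, not the backdoor's network activity on port 7777.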

However, when Intego tested it, the server received information from the infected system, and sent out commands to the targeted host.

Interestingly, the Trojan also downloads an image file that represents the logo of the notorious Syrian Electronic Army.

Of course, this doesn’t necessarily mean that the Syrian Electronic Army is responsible for this Mac malware.

Softpedia has reached out to the members of the hacktivist group hoping that they can clarify their involvement with this threat. The hackers say it's "not associated" with them.

OSX/Leverage.A is a low-risk threat, but Intego warns that this rating might change if new details come to light.