ESET analyzes the Office-based Trojan threat for OS X
Recently, new Trojan variants for OS X were found that take advantage of old and patched vulnerabilities to install and execute information-stealing code on affected systems. One of the newest uses Office documents as an installation vector and may be called OS X/Lamadai.A or OSX/Olyx depending on the malware scanner being used.
When this malware was found, security company AlienVault issued an initial analysis of the threat, describing it as a Command and Control (C&C) based Trojan that originates from China and is being used to target non-government organizations based in Tibet.
In light of this new malware development and following AlienVault's analysis of the threat, security company ESET has investigated the Trojan further.
While one can analyze malware threats by dissecting the binaries and picking out strings and other clues as to their functions, another approach is to install and run the malware and see what it does. This is exactly what ESET did, and in doing so found some rather interesting results.
ESET observed that once the Trojan installs, it will establish a connection to a hard-coded remote C&C server located in China, and will wait in a "busy" loop where it attempts to maintain its connection with the server. The server can then be used to issue commands to the infected system for uploading or downloading files, or executing scripts and commands -- the basics for allowing someone to remotely target a system, browse around on it, and steal information.
ESET also noticed that the Trojan is sophisticated enough to use several encryption routines for its communication with the C&C server, which may make it difficult to identify the C&C activity midstream, and that it also uses checksums to verify the information it downloads or uploads. In essence, this is not just a quick attempt to get random information, but has been designed specifically to preserve the data it is trying to steal.
The most interesting aspect of ESET's analysis was the discovery that the C&C server appears to be run by a human on the other end of the line. When the connection was established to the C&C, ESET noticed incoming commands, which included typos followed by corrections, and the use of the BSD directory listing (ls) and present working directory (pwd) commands, which showed someone was poking around and determining what to do next.
Once the person on the other end had found the location of the ESET computer's Keychain file, he or she began issuing instructions to upload the keychain along with other files on the system, very clearly demonstrating the main purpose of this threat is to knowingly and directly steal information.
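The behavior ESET describes (directory browsing with ls and pwd, typos followed by corrections, then access to the Keychain) can be turned into a simple triage check over commands recorded on a monitored system. The following Python sketch is an added example, not code from ESET or AlienVault; the event format (command line plus exit status), the similarity threshold, and the sample session are assumptions constructed for illustration.

```python
import difflib

RECON = {"ls", "pwd"}                  # commands the article says the operator used
KEYCHAIN_MARKER = "Library/Keychains"  # default per-user keychain directory on OS X

def analyze_session(events):
    """events: list of (command_line, exit_status) in the order they ran.

    Returns the three signals plus a 'human_operated' verdict.
    """
    recon, corrections, keychain = [], [], []
    prev_failed = None  # previous command line if it exited 127 (command not found)
    for i, (line, status) in enumerate(events):
        argv = line.split()
        if not argv:
            continue
        if argv[0] in RECON and status == 0:
            recon.append(i)
        if KEYCHAIN_MARKER in line:
            keychain.append(i)
        if prev_failed is not None and status == 0 and prev_failed != line:
            # A near-identical retry right after "command not found" looks like
            # a person fixing a typo, not a scripted task list.
            ratio = difflib.SequenceMatcher(None, prev_failed, line).ratio()
            if ratio >= 0.8:  # assumed threshold
                corrections.append((i - 1, i))
        prev_failed = line if status == 127 else None
    first_key = keychain[0] if keychain else None
    recon_before_key = first_key is not None and any(r < first_key for r in recon)
    return {
        "recon": recon,
        "typo_corrections": corrections,
        "keychain_access": keychain,
        "human_operated": bool(corrections) and recon_before_key,
    }

# Constructed sample session (not taken from ESET's capture).
SAMPLE = [
    ("pwd", 0),
    ("ls -la", 0),
    ("sl /Users", 127),
    ("ls /Users", 0),
    ("ls /Users/test/Library/Keychains", 0),
    ("cat /Users/test/Library/Keychains/login.keychain", 0),
]

if __name__ == "__main__":
    print(analyze_session(SAMPLE))
```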
ESET has covered its findings in detail on its threat blog.
While this threat is one of the first to show direct and successful targeting of data on OS X systems through remote connections, its presence and these analyses of its behavior should not be cause for alarm. All of the recent Trojan horses found for OS X take advantage of old software vulnerabilities that have been patched for quite some time (in some cases the fixes have been available for years). If you simply keep your system up to date, it will not be affected by these new malware threats.