Signed Macintosh malware uses Right-to-Left Override

Researchers at F-Secure have discovered malware targeting OS X that uses a technique called Right-to-Left Override (RLO) to disguise its malicious nature. RLO is a control character used in bidirectional text encoding to mark the start of text that should be displayed from right to left. It is commonly handled by applications and software that correctly display Arabic, Hebrew, Persian, and Yiddish, among other languages.

RLO as a means of attack has been around since late 2009, but gained wider attention in 2011 when the technique was used to spread the Bredolab family of malware. While previous attacks using RLO have been part of grand schemes, F-Secure's discovery shows the technique being used simply to hide the file's actual extension.

Examination of the malware itself shows code that enables an attacker to take continuous screenshots and record audio while waiting for additional commands. It's written in Python and uses py2app for distribution. The code is signed by a legitimate Apple Developer ID, which may help it bypass some of the controls on a Mac, depending on how the user has configured their security settings. At the same time, because of the way the malware's file name is encoded, the RLO also affects the quarantine notification, forcing it to display the warning with all of its text reversed.
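The extension-hiding trick described above comes down to one invisible character changing how a file name is rendered without changing the bytes the OS uses to pick a handler. The following is an added example (not code from the article or from F-Secure) showing how a defender can detect it: it flags Unicode bidirectional control characters in a file name, approximates what a bidi-aware file browser would display, and compares the displayed extension with the real one. The sample file names are constructed for the example; the rendering approximation (text after an RLO is reversed up to the next pop-directional-formatting character or the end of the string) is a simplification of the full Unicode bidi algorithm.

```python
import os

# Unicode bidirectional control characters. Any of these in a file name is
# unusual; RLO (U+202E) is the one used to reverse a trailing "fdp.app" into
# a visible "ppa.pdf" while the OS still sees the .app extension.
BIDI_CONTROLS = {
    "\u202a": "LRE",  # LEFT-TO-RIGHT EMBEDDING
    "\u202b": "RLE",  # RIGHT-TO-LEFT EMBEDDING
    "\u202c": "PDF",  # POP DIRECTIONAL FORMATTING
    "\u202d": "LRO",  # LEFT-TO-RIGHT OVERRIDE
    "\u202e": "RLO",  # RIGHT-TO-LEFT OVERRIDE
    "\u2066": "LRI",  # LEFT-TO-RIGHT ISOLATE
    "\u2067": "RLI",  # RIGHT-TO-LEFT ISOLATE
    "\u2068": "FSI",  # FIRST STRONG ISOLATE
    "\u2069": "PDI",  # POP DIRECTIONAL ISOLATE
}


def find_bidi_controls(name):
    """Return (index, label) for every bidi control character in name."""
    return [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]


def displayed_name(name):
    """Approximate how a bidi-aware renderer shows the name.

    Simplification of the Unicode bidi algorithm: everything after an RLO is
    reversed until a PDF (U+202C) or the end of the string; other control
    characters are dropped from the display.
    """
    out, i = [], 0
    while i < len(name):
        c = name[i]
        if c == "\u202e":
            end = name.find("\u202c", i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif c in BIDI_CONTROLS:
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def _extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def real_extension(name):
    """The extension the OS acts on: the text after the last '.' in the raw
    name, with control characters stripped so it can be compared."""
    return _extension("".join(c for c in name if c not in BIDI_CONTROLS))


def displayed_extension(name):
    """The extension a user would believe they are opening."""
    return _extension(displayed_name(name))


def assess(name):
    """Summarise one file name; 'suspicious' means a bidi control character
    is present and the shown extension differs from the real one."""
    controls = find_bidi_controls(name)
    real, shown = real_extension(name), displayed_extension(name)
    return {
        "raw": name,
        "shown": displayed_name(name),
        "real_ext": real,
        "shown_ext": shown,
        "bidi_controls": controls,
        "suspicious": bool(controls) and real != shown,
    }


def scan_directory(root):
    """Walk a directory tree and return assessments for suspicious names."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for n in dirnames + filenames:
            result = assess(n)
            if result["suspicious"]:
                result["path"] = os.path.join(dirpath, n)
                hits.append(result)
    return hits


if __name__ == "__main__":
    # Constructed sample names: the first mimics the "looks like a PDF, is an
    # .app" pattern; the second is a benign document.
    for sample in ["RecentNews.\u202efdp.app", "report.pdf"]:
        r = assess(sample)
        print(f"shown={r['shown']!r} real_ext={r['real_ext']} "
              f"shown_ext={r['shown_ext']} suspicious={r['suspicious']}")
```

Pointing `scan_directory` at a downloads folder or a quarantine staging area gives a cheap triage check; the same comparison can be applied to attachment names in mail logs, which is where such a file is usually first seen.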

Once executed, assuming the attack makes it that far, the malware displays a PDF file (as is the case for the variant discovered by F-Secure) that acts as a decoy while a CRON job and a hidden folder in the user's home directory are created in the background. The malware then connects to various sites to receive the address of its command and control (C&C) server. F-Secure observed two videos on YouTube that contained the C&C address within the description field.
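The persistence step described above, a cron job paired with a hidden folder in the user's home directory, is something a defender can look for in the user crontab. The following added example (not code from the article or from F-Secure) parses crontab text and flags jobs whose command runs something from a hidden directory under a home path. The sample crontab is constructed for the example and the path patterns are an assumption about what such persistence commonly looks like, not a description of this specific malware's paths.

```python
import re
import subprocess

CRON_FIELDS = 5  # minute hour day-of-month month day-of-week

# A path rooted in a home directory whose first component is hidden (dot-prefixed).
# Assumed pattern for the example: ~, $HOME, /Users/<name> (macOS) or /home/<name>.
HIDDEN_HOME_PATH = re.compile(
    r"(?:^|[\s'\"=])(?:~|\$HOME|/Users/[^/\s]+|/home/[^/\s]+)/\.[^/\s'\"]+"
)

ENV_ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def parse_crontab(text):
    """Return (schedule, command) pairs, skipping comments, blank lines and
    VAR=value lines. Handles both five-field schedules and @reboot-style ones."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ENV_ASSIGNMENT.match(line):
            continue
        if line.startswith("@"):
            sched, _, cmd = line.partition(" ")
        else:
            parts = line.split(None, CRON_FIELDS)
            if len(parts) < CRON_FIELDS + 1:
                continue  # malformed entry; cron itself would reject it
            sched, cmd = " ".join(parts[:CRON_FIELDS]), parts[CRON_FIELDS]
        jobs.append((sched, cmd.strip()))
    return jobs


def flag_hidden_home_jobs(text):
    """Jobs whose command references a hidden directory inside a home path."""
    return [(s, c) for s, c in parse_crontab(text) if HIDDEN_HOME_PATH.search(c)]


def load_user_crontab():
    """Read the current user's crontab via `crontab -l`; empty string if none."""
    try:
        return subprocess.run(["crontab", "-l"], capture_output=True,
                              text=True, check=False).stdout
    except FileNotFoundError:
        return ""


# Constructed sample crontab, not taken from a real system.
SAMPLE_CRONTAB = """
# housekeeping
MAILTO=""
0 3 * * * /usr/bin/find /var/log -name '*.gz' -mtime +30 -delete
*/1 * * * * /usr/bin/python /Users/alice/.example/runner.py >/dev/null 2>&1
@reboot ~/.hidden_dir/start.sh
30 8 * * 1-5 /Users/alice/Documents/backup.sh
"""

if __name__ == "__main__":
    text = load_user_crontab() or SAMPLE_CRONTAB
    for sched, cmd in flag_hidden_home_jobs(text):
        print(f"[hidden-home-dir job] {sched}  {cmd}")
```

A hit is not proof of compromise (some legitimate tools keep their data under a dotted directory), but a job that fires every minute from a dotted folder the user did not create is exactly the shape the article describes and is worth a closer look.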

According to the view counts on YouTube before the videos were removed, the malware had infected more than 1,000 systems.

As a protective measure, it has been advised that the Security & Privacy preferences be configured to allow only apps from the App Store to run without explicit authorization. Once the Apple Developer ID is revoked, Gatekeeper will also flag this malware (and any other variants signed with the same ID) as a problem.
