Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Flashback Trojan Puts Mac Malware Back on Stage

Flashback Mac Trojan Cloaks Itself as Adobe Flash Update, Opens Backdoor to Mac OS Systems

It has been a busy few days in the world of Mac malware.

Flashback Mac Trojan Cloaks Itself as Adobe Flash Update, Opens Backdoor to Mac OS Systems

It has been a busy few days in the world of Mac malware.

The week opened with a report that Apple had updated its blacklist of known malware to include the Trojan dropper Revir, and it is closing with reports about the spread of a new Trojan known as Flashback. While Revir disguised itself as a PDF file, Flashback cloaks itself as a Flash Player update.

While Mac security firm Intego initially the Trojan was not widespread, it has since noted an uptick in reports of infections.

According to Intego, the Trojan is spreading via malicious Websites.

“The first things you see are the crashed plugin graphic and the purported error messages,” the company explained in a blog post. “After this, the fake Adobe Flash installer screen pops up, and then the Flashback Trojan horse installation package downloads. At this point, if you have the default Safari settings – which allow “safe” downloads to open automatically – you will see an Installer window open.” (Image Below)

Flashback Trojan Malware for Mac

Users with the default Safari browser settings – which allow “safe” downloads to open automatically – will see an Installer window open. If the user proceeds with the installation procedure, the installer for this Trojan horse will deactivate some network security software (code in this malware specifically targets and deactivates Little Snitch, but has no effect on Intego VirusBarrier X6), and, after installation, will delete the installation package itself.

The malware installs a dyld (dynamic loader) library and auto-launch code, allowing it to inject code into applications the user launches.” The malware also installs a backdoor at ~/Library/Preferences/Preferences.dylib that communicates with a remote server and sends and receives data using RC4 encryption, according to Intego.

“This is effective social engineering,” Intego noted on its blog post. “Savvy Mac users will not be fooled, because they know that a Flash installer would never appear in this manner, but two things make this approach believable. First, Flash Player is not installed on Mac OS X Lion, so users will need to install it themselves if they want to view Flash content on the web. Second, if they do have Flash Player installed, and have set the Flash Player preference pane (in System Preferences) to automatically check for updates, they may think that this is an update alert…So this can easily fool many Mac users into downloading the malware.”

Just how users are being lured to the sites was not mentioned by Intego. However, Graham Cluley, senior technology consultant at Sophos, called it easy to imagine.

“For instance, it would be child’s play to create a website which pretends to show something salacious (“Scarlett Johansson nude video!” would probably do well at the moment, for instance) and then when you try to view it, you’re prompted to install an update to Adobe Flash. Of course, rather than the genuine Flash you would be installing the Trojan horse,” he blogged. “Similar tricks have certainly worked well in the past – against both Windows and Mac users.”

“We all know that there is much… more malware written for Windows than there is for Mac OS X,” he added. “But that doesn’t mean it’s non-existent, and it’s no excuse for leaving Apple Macs unprotected.”

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.