'Leverage' Mac Malware Comes with a Kiss

If you see a picture of a kissing couple you don't recognize on your Mac, steer clear. The photo hides a fairly insidious piece of malware, and may mean that you, personally, have made a Syrian enemy.

Mac malware isn't nearly as common as its Windows brethren, but many of the same tricks still apply. Malefactors will often hide their programs in unassuming guises.

This latest file finds its way onto Macs under the name "DSC00117," according to a report from Intego, a Mac-centric security firm based in Paris. The document displays a photo of a man and a woman kissing ("Leverage" fans will recognize actors Gina Bellman and Timothy Hutton from that show — Intego is even calling the malware "Leverage").

What's hidden is the file's .APP extension, which runs a Trojan that installs itself in a user's "Shared" folder. This Trojan runs a nearly invisible process that connects the compromised Mac to a botnet: a network of infected computers that transmit information back to a central server, and can infect new machines. Once there, an outside server probes the Mac for its system specs and potentially other information.
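A defender-side check in the spirit of the disguise described above, added here as an example and not Intego's tooling or code from the article: it walks a directory tree for application bundles whose visible name looks like a camera photo (the Finder hides the ".app" suffix, so "DSC00117.app" is shown as "DSC00117") or that sit inside a Shared folder. The sample tree, the DSC/IMG/DCIM name pattern and the "updater.app" name are constructed assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# Camera-style photo names such as DSC00117. macOS hides the ".app" suffix in
# the Finder, so a bundle named DSC00117.app is displayed as if it were a photo.
PHOTO_LIKE = re.compile(r"^(DSC|IMG|DCIM)\d{4,}$", re.IGNORECASE)

def find_suspicious_bundles(root):
    """Walk `root` and report .app bundles that either carry a photo-like
    name or sit inside a Shared folder. Returns sorted (path, reason) tuples."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in list(dirnames):
            if not name.lower().endswith(".app"):
                continue
            dirnames.remove(name)  # a bundle is a directory; do not descend into it
            bundle = Path(dirpath, name)
            rel = bundle.relative_to(root).as_posix()
            if PHOTO_LIKE.match(name[:-4]):
                findings.append((rel, "photo-like name hides .app extension"))
            if "Shared" in bundle.parts:
                findings.append((rel, "application bundle in Shared folder"))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample layout (hypothetical, not taken from the report):
    a disguised bundle in Downloads, a bundle in Users/Shared, and a real
    photo plus a legitimate application as negatives."""
    root = Path(tempfile.mkdtemp())
    for rel in ("Users/alice/Downloads/DSC00117.app/Contents/MacOS",
                "Users/Shared/updater.app/Contents/MacOS",
                "Applications/Safari.app/Contents/MacOS"):
        (root / rel).mkdir(parents=True)
    (root / "Users/alice/Pictures").mkdir(parents=True)
    (root / "Users/alice/Pictures/DSC00118.jpg").write_bytes(b"\xff\xd8\xff")
    return root

if __name__ == "__main__":
    for path, reason in find_suspicious_bundles(build_sample_tree()):
        print(f"{path}: {reason}")
```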

In addition to drafting the Mac into a botnet, the Trojan downloads an image file with the calling card of the Syrian Electronic Army: a group of hackers dedicated to boosting the authoritarian Syrian government and antagonizing those whom they believe to be rebel sympathizers.

The image, of course, does not prove that the Syrian Electronic Army is behind the malware. Although the group has a history of taking full responsibility for its attacks, it would be just as easy for someone else to develop the software and pin the blame on them. Furthermore, the group denied any involvement in a comment to Softpedia.

What's unusual about the DSC00117 Trojan is that it does not appear to have a clear entry vector to infected computers. It does not appear to come by way of a compromised website or a spam email. Intego theorizes that this may be a targeted attack. The user who first discovered the malware is located in Belarus, so Eastern Europeans would be wise to keep an eye out.

If the calling card is for real and the attack is indeed aimed at specific people, the Syrian Electronic Army may have a bone to pick with particular Mac users. If you own a Mac and have any reason to believe that the Syrian government would disapprove of your activity, make sure that this file doesn't show up.

If you do find DSC00117 on your hard drive, there's no reason to worry — at least about your Mac. If you delete the file before opening it, it will never install the harmful Trojan. If your system has already been infected, a standard malware sweep will get rid of it, although you should consider moving any politically sensitive files to a backup location.

Beyond that, there's no specific way to protect yourself, since the attack vector is unclear. Common sense still serves best here: Avoid mysterious attachments in emails, don't approve any downloads that you didn't request, and don't click on strange photos.

Follow Marshall Honorof @marshallhonorof. Follow us @tomsguide, on Facebook and on Google+.