New back-to-front Mac malware records audio and grabs screenshots on infected computers

The researchers at F-Secure have blogged today about an interesting new sample of Mac malware that they have dubbed "Backdoor:Python/Janicab.A".

Janicab download. Image courtesy of F-Secure

The malware is interesting for a couple of reasons:

Firstly, it has been signed with an Apple Developer ID.

XKCD comic about U+202E

Secondly, it takes advantage of the sneaky Unicode U+202E marker to do a right-to-left override of part of the malware's filename.

What's that? You don't know about U+202E?

Consider this sentence:

"Graham Cluley Security News"

Now, here is how it would look if a Unicode U+202E marker was sneakily and invisibly inserted just before the capital "S" of "Security":

"Graham Cluley Security News"

Try copy-and-pasting the text above if you want to witness the weirdness for yourself.

As F-Secure explains, Janicab - which is written in Python - takes advantage of the right-to-left (RTL) override character, Unicode U+202E, to mask the malicious file's true extension.

In this way, a file apparently called RecentNews.ppa.pdf is really

Hex dump of Janicab malware. Image courtesy of F-Secure

You may think you are opening a .PDF file, but in reality it's an executable .APP. To maintain the subterfuge, the malware displays a decoy document while the malware silently installs unauthorised code onto your computer.

Bidirectional text spoofing like this has been known about for some time, but may still be a surprise to many computer users.
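A small defensive check for this trick, added here as an example and not code from the F-Secure write-up or from Janicab itself: it flags Unicode bidirectional control characters in a filename, approximates how a naive renderer would display the name, and reports the extension the operating system actually sees. The sample filename is constructed to match the RecentNews.ppa.pdf case described above.

```python
import unicodedata

# Unicode bidirectional controls that can reorder or mislabel displayed text.
BIDI_CONTROLS = {
    "\u200e", "\u200f",                      # LRM, RLM
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",  # LRI, RLI, FSI, PDI
}

def find_bidi_controls(name):
    """Return (offset, 'U+XXXX NAME') for every bidi control in a filename."""
    return [(i, f"U+{ord(c):04X} {unicodedata.name(c)}")
            for i, c in enumerate(name) if c in BIDI_CONTROLS]

def displayed_name(name):
    """Approximate how a naive renderer shows the name: after a U+202E (RLO)
    everything up to a U+202C (PDF) or end of string is drawn reversed; all
    other control characters are invisible and simply dropped."""
    out, i = [], 0
    while i < len(name):
        c = name[i]
        if c == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            segment = "".join(ch for ch in name[i + 1:end] if ch not in BIDI_CONTROLS)
            out.append(segment[::-1])
            i = end + 1
        elif c in BIDI_CONTROLS:
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)

def true_extension(name):
    """Extension the OS uses: the text after the last dot, controls removed."""
    stripped = "".join(c for c in name if c not in BIDI_CONTROLS)
    return stripped.rsplit(".", 1)[-1].lower() if "." in stripped else ""

def is_spoofed(name):
    """True when bidi controls make the shown extension differ from the real one."""
    return bool(find_bidi_controls(name)) and \
        displayed_name(name).rsplit(".", 1)[-1].lower() != true_extension(name)

if __name__ == "__main__":
    # Constructed sample: stored name contains RLO, displays as RecentNews.ppa.pdf
    sample = "RecentNews.\u202efdp.app"
    print("displayed as :", displayed_name(sample))
    print("real extension:", true_extension(sample))
    print("controls found:", find_bidi_controls(sample))
    print("spoofed?      :", is_spoofed(sample))
```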

The final point of interest about Janicab is, of course, why was it written?

What we know is that Janicab can grab screenshots and record audio via your computer, without you realising, using the third-party command line utility SoX.

Python code and SoX. Image courtesy of F-Secure

It seems plausible, therefore, to believe that Janicab was created to spy on others - something that has become increasingly common with malware in recent years.

According to VirusTotal, detection by most anti-virus products may not be in place yet. However, F-Secure says that it detects the malware as Backdoor:Python/Janicab.A and Trend Micro and Sophos appear to detect it as TROJ_GEN.F47V0712 and Mal/BredZpRTL-A respectively.

You can read more about the malware in F-Secure's blog.

May 19, 2014 7:28 pm

A similar use of the RTL Unicode char was used to get malware hosted on Google Drive in April.