Malware targeting OS X is using a technique called Right-to-Left Override in order to spoof its malicious intent

Researchers at F-Secure have discovered malware targeting OS X that leverages a technique called Right-to-Left Override (RLO) to disguise what the file actually is. RLO is a Unicode bidirectional control character (U+202E) that marks the start of text which should be displayed from right to left. It is commonly handled by applications and software that correctly display Arabic, Hebrew, Persian, and Yiddish, among other languages.

RLO as a means of attack has been around since late 2009, but gained wider attention in 2011 when the technique was used to spread the Bredolab family of malware. Previous RLO attacks were parts of larger campaigns; F-Secure's discovery shows the technique being used simply to hide the real file extension, so that an executable application bundle appears to be a document.

Examination of the malware itself shows code that enables an attacker to take continuous screenshots and record audio while waiting for additional commands. It is written in Python and packaged with py2app for distribution. The code is signed with a legitimate Apple Developer ID, which may help it bypass some of the controls on a Mac (such as Gatekeeper), depending on how the user has configured their security settings. Because the RLO character is part of the filename, it also affects the quarantine notification: the warning is displayed with its text reversed.

Once executed, assuming the attack makes it that far, the malware displays a PDF file (as is the case for the variant discovered by F-Secure) that acts as a decoy, while a cron job and a hidden folder in the user's home directory are created in the background. The malware then connects to various sites to receive the address of its command and control (C&C) server. F-Secure observed two videos on YouTube that carried the C&C address in their description fields.
According to the YouTube view counts recorded before the videos were removed, the malware had infected more than 1,000 systems.

As a measure of protection, it has been advised that the Security & Privacy preferences be configured to allow only apps from the Mac App Store to run without explicit authorization. Once Apple revokes the Developer ID, Gatekeeper will also flag this malware (and any other variants signed with the same ID) as a problem.
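The following is an added example, not code from the article or from F-Secure, illustrating the extension-spoofing trick described above and a simple check for it. A filename such as `Recent News\u202efdp.app` is stored by the OS with the real suffix `.app`, but a bidi-aware UI renders everything after the RLO character reversed, so the user sees `Recent Newsppa.pdf`. The sample filenames are constructed for the demonstration; the rendering model is a deliberate simplification of the Unicode bidirectional algorithm (an RLO segment is reversed up to a POP DIRECTIONAL FORMATTING character or the end of the string), which is enough to expose the mismatch between the displayed and the actual extension.

```python
from pathlib import PurePosixPath

# Unicode bidirectional control characters that can reorder displayed text.
# U+202E (RIGHT-TO-LEFT OVERRIDE) is the one abused by the malware discussed above;
# the others are included because they can be combined for the same effect.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

# Constructed sample filenames (not from the original report).
SAMPLE_NAMES = [
    "Recent News\u202efdp.app",   # rendered as "Recent Newsppa.pdf", really a .app bundle
    "invoice_\u202ecod.app",      # rendered as "invoice_ppa.doc", really a .app bundle
    "report.pdf",                 # benign
    "notes\u202etxt.txt",         # contains RLO, but the displayed extension is still .txt
]


def find_bidi_controls(name):
    """Return (offset, short name) for every bidi control character in a filename."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def true_extension(name):
    """Extension the OS actually uses: the suffix of the stored characters,
    with the invisible control characters removed."""
    stripped = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return PurePosixPath(stripped).suffix.lower()


def displayed_name(name):
    """Approximate how a bidi-aware UI renders the name: text after an RLO,
    up to a PDF (U+202C) or the end of the string, is shown reversed.
    Other control characters are simply invisible in this simplified model."""
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            segment = name[i + 1:] if end == -1 else name[i + 1:end]
            out.append(segment[::-1])
            i = len(name) if end == -1 else end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def displayed_extension(name):
    """Extension the user sees after rendering."""
    return PurePosixPath(displayed_name(name)).suffix.lower()


def is_spoofed(name):
    """Flag a filename that contains bidi controls AND whose rendered extension
    differs from the one the OS will act on."""
    if not find_bidi_controls(name):
        return False
    return true_extension(name) != displayed_extension(name)


def scan(names):
    """Return (raw name, displayed name, real extension) for every spoofed entry."""
    return [(n, displayed_name(n), true_extension(n)) for n in names if is_spoofed(n)]


if __name__ == "__main__":
    for raw, shown, real in scan(SAMPLE_NAMES):
        print(f"displayed as {shown!r:32} actual extension {real} (raw: {raw!r})")
```

A check like `is_spoofed` belongs on the server side of a mail or download gateway, where the raw filename bytes are available; by the time the name reaches a file manager or a quarantine dialog, the reversal has already happened, which is exactly why the warning text in the F-Secure case came out backwards. Any filename containing these control characters is suspicious in its own right, even when the rendered extension happens to match.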