Digitally signed data-stealing malware targets Mac users in "undelivered courier item" attack

Filed Under: Apple, Data loss, Featured, Malware, OS X

Our colleagues at SophosLabs pointed us at a interesting item of malware the other day, namely a data-stealing Trojan aimed at Mac users.

In fact, it was somewhat more than that: it was one of those "undelivered courier item" emails linking to a dodgy web server that guessed whether you were running Windows or OS X, and targeted you accordingly.

You're probably familiar with "undelivered item" scams.

The idea is surprisingly simple: you receive an email that claims to be a courier company that is having trouble delivering your article.

In the email is a link to, or an attachment containing, what purports to be a tracking note for the item.

You are invited to review the relevant document and respond so that delivery can be completed.

We've seen a wide variety of courier brands "borrowed" for this purpose, including DHL, the UK's Royal Mail and even, in one bewildering case, a made-up courier company called TNS24, with its very own website, featuring its very own amusingly ill-Photoshopped planes, ships and automobiles.

But a competently-executed courier scam can be fairly convincing, especially if the criminals behind it know enough about you to create what becomes a targeted attack.

Even a modest amount of detail (if that is not an oxymoron) can do the trick.

For example, the crooks will sound a lot more believable if they know your address and phone number; are aware of what you do in your job; and have a general idea about some of the projects you are working on right now.

Of course, if you open the attachment or click on the link in one of these scams, you are immediately put into harm's way: the attachment might try to trigger an exploit in your unpatched copy of Word, for instance, or the link might attack an unpatched Java plugin in your browser.

Here's what the emails looked like in this attack, with some details changed or redacted for safety:

We wish to inform you that we have a pending parcel for the past 10 days bearing your name Mr. Jonathan Sidebottom,with parcel number (MV-45-QA566). The parcel was sent for delivery on the below mentioned address but nobody was there to receive it. Your parcel content has a set of engineering documents, which was discovered during our security checks of parcels brought into our head office. So, we are sending you a scanned copy of that parcel. Give your positive response, if it belongs to you.

If you are a native speaker of English, you will notice that the wording of the email is clumsy and unidiomatic, and if you were to receive a message like this you might well be suspicious on those grounds alone.

But if Mr Sidebottom really is in the engineering business, and regularly deals with inbound documents from courier companies around the world, an email of this sort could easily pass muster.

The link, of course, doesn't really lead to fedex.com.ch, but instead takes you to a domain name that is controlled by the attackers.

If you are on a mobile device, the server delivers an error message.

If you are using a desktop browser that isn't Safari, you receive a ZIP file containing a Windows program detected by Sophos Anti-Virus as Mal/VBCheMan-C, a vague relative of the Zbot or Zeus malware.

But if you are using Safari, you receive Mac malware, delivered as an Application bundle packaged inside a ZIP file.

By default, on OS X 10.9.1 (the latest update to Mavericks, Apple's most recent operating system version), Safari directly downloads the file, showing you an empty Safari window with the icon of the downloaded file in the Dock at the bottom of the screen:

Clicking on the download button shows you what looks like a PDF file:

There is no PDF file, as a visit to the Terminal windows quickly reveals.

Safari has automatically unzipped the download, producing an Application bundle (actually just a subdirectory tree with a special structure) that has deliberately been given a PDF icon:

As you can imagine, the temptation is to click on what looks like a PDF file to see what it contains.

OS X does try to advise you that you aren't opening a document, although you can argue that the warning would be more compelling if it explicitly said that you were about to "run a software program", rather than merely to "open" the file:

Note that you don't get a warning about the App being from an "unknown developer" because it is digitally signed, something that happens surprisingly often with modern malware.

→ The quantity of digitally-signed malware in circulation prompted Microsoft, which sees a lot more malware than Apple, to publish a recent blog post with the uncompromising title "Be a real security pro - Keep your private keys private." In that article, Microsoft documents a malware family it calls "Winwebsec" of which it has more than 15,000 digitally-signed samples, signed with 12 different stolen keys.

If you do click the [Open] button, nothing seems to happen: you end up back at the desktop with your email software open and an empty Safari window in front of it.

But a trip back to the Terminal shows that what looked like a PDF file is now running in the background as a process named foung:

As it happens, foung, like its counterpart delivered to Windows computers, is a bot, short for "robot malware", detected by Sophos Anti-Virus as OSX/LaoShu-A.

LaoShu-A as good as hands control of your Mac over to the attackers, but its primary functions appear to be more closely associated with data stealing than with co-opting you into a traditional money-making botnet.

(You will often hear the term RAT, or Remote Access Trojan, rather than the more common term bot, used to describe this sort of malware.)

In other words, the attackers seem more concerned with digging around on your computer for what they can steal than with abusing your computer and your internet connection to aid and abet other cybercriminal activities.

Amongst other things, LaoShu-A contains code to:

  • Search for files with extensions such as DOC, DOCX, XLS, XLSX, PPT and PPTX.
  • ZIP those files.
  • Upload (exfiltrate) them to a server operated by the attackers.

However, this RAT also knows how to:

  • Download new files.
  • Run arbitrary shell commands.

For example, during our tests, LaoShu-A downloaded a second application that took a screenshot with OS X's built-in screencapture command, and tried to exfiltrate the image it had just grabbed.

But the behaviour of that second application can be varied by the attackers at any time, which is why, in our recent podcast, Understanding botnets, SophosLabs expert James Wyke warned as follows:

Without analysing the full network capture of the entire interchange between a bot and the person controlling it, you can't say for sure exactly what that bot might have done... [it] might go and download some completely different piece of malware which carries out a completely different set of functionality.

James went on to recommend:

Be more suspicious of things you get in e-mail. E-mail is still one of the most common ways people get infected, and it is predominantly through social engineering attacks... So when you receive an e-mail from someone you've never heard of before, or you've never communicated with before, and there's some interesting attachment to the e-mail or [a link to click], ...don't do that! That's one of the that most common ways people get infected.


(Audio player not working? Listen on Soundcloud.)

Let's hope this malware reminds OS X users of a few simple truths that some Mac fans still seem willing to ignore:

  • Mac malware is unusual, but not impossible.
  • Data thieves are interested in what Mac users have on their computers.
  • Malware writers can often get their hands on digital certificates to give software to give it a veneer of respectability and to bypass operating system warnings.
  • Mac malware doesn't have to ask for a password before running.
  • Mac malware can run directly from a download without an installation step.
  • Bots and RATs are particularly pernicious because they can update and adapt their behaviour after you are infected.

As always, prevention is better than cure.

And that "undelivered courier item" almost certainly doesn't exist.

Free: Sophos Anti-Virus for Mac Home Edition

Sophos for Mac stops threats for Windows and Mac alike, protecting you and those you share files with.

Choose from blocking viruses in real time (on-access protection), scanning at scheduled times, or running a check whenever you want.

Free download, no registration required, no expiry date.

Click to go to download page...

Image of forklift courtesy of Shutterstock.

, , , , , , , ,

You might like

47 Responses to Digitally signed data-stealing malware targets Mac users in "undelivered courier item" attack

  1. Clay · 90 days ago

    FYI, laoshu is a Chinese word that means "teacher".

    • Roy H · 89 days ago

      I shared this article hoping to help to Mac user friends but got the following response from a friend who works in an Apple Store.

      "Its a tad misleading this article. Macs so have built in protection through various means including library randomization, sandboxing etc. This rumour is bout two years old and the plan was to grab users details not infect a computer. The email linked to a fake site, enter pin codes etc. None of us at work use virus protection."

      Given his response what is the truth here? Do things like library randomization and sandboxing protect the Mac user? My gut reaction here is that Apple representatives are not necessarily security experts so how does one expose the folly presented here and encourage die hard "there is not a problem" Mac users to stop burying their heads in their sandboxes and become responsible secure users of the interwebinetz?

      • Paul Ducklin · 89 days ago

        I don't think your friend even looked at the article.

        (He is describing web-based phishing, where you are taken to a bogus login screen and invited to "enter pin codes etc." There is no mention of anything like that in the article.)

        From my point of view, it's pretty insulting to have someone (especially someone who works in an Apple Store, and is thus in a position to influence Mac users to do the right thing about security) dismiss an article that was actually a lot of work - for me and my colleagues in SophosLabs - by saying it deals with "a rumour that is about two years old," and that there was no "plan to infect a computer."

        Is your friend suggesting I mocked up all the screenshots? That the email I showed was never sent? That there was no download? That I created the .app file myself? That there wasn't a process called foung? That I bought and wasted a digital certificate from Apple just to create a rumour? That I sneakily signed the non-existent malware in November 2013 (the date in the digital signature, by the way) to make things look more current than they were?

        I think your friend has exposed his own folly, don't you?

        • Thanks for clearing that up. I think you are right about him not reading the article, or if he did he didn't understand what was being described. Scary, as you say, since this is an IT professional giving advice to Mac users / purchasers. Also scary is the comment that no one in the store uses virus protection.

          Regarding his statement referring to the use of library randomization and use of sandboxing, can such things provide protection or is this tech speak jargon used to muddy the waters, confuse the enquirer and protect the misguided belief that Apple products are invincible?

          • Paul Ducklin · 89 days ago

            Address randomisation and sandboxing can improve security a lot.

            That's why every mainstream operating system uses these technologies. Including Windows, Linux, the BSDs, Android, iOS and, of course, OS X.

            But if address randomisation and sandboxing could provide security invincibility, then there wouldn't be any Windows malware.

            No Linux servers would get hacked to serve up that malware.

            And Apple wouldn't have bothered to build, ship and update XProtect, the rudimentary anti-virus (OK, anti-malware) protection built into OS X.

            Maybe your friend drank a bit too much kool-aid?

            • Maybe it is served in the staff canteen.

              • Paul Ducklin · 89 days ago

                Wouldn't some kind of insulin-pump-like implant be more reliable and efficient? (And those could *never* be hacked, eh :-)

        • Rich Beyer · 89 days ago

          It is obvious that your friend at the Apple Store does not understand the security features he is describing. Modern operating systems implement security features such as Address Space Layout Randomization (ASLR), sandboxing and code signing. These techniques simply raise the bar for a programmer that wishes to compromise a system but they do not absolutely prevent it.

          ASLR was devised to fight buffer overflow compromises that depend upon being able to execute code within an already executing program. Implementation of ASLR has simply changed the most common compromise method from buffer overflow to hacking the human at the keyboard, which is used in this case.

          Sandboxing prevents untrusted code that is running inside a trusted program from accessing areas outside of its allotted memory. Programs, like browsers, that depend upon third party plug-ins (e.g.- Adobe Flash) use sandboxing to prevent flaws in the plug-in from compromising the system. Programs have to be specifically written to use sandboxing. It does not provide an automatic protection from any program that executes.

          Code signing simply changes the level of trust that the operating system gives to a program. It is assumed that a developer who applies for and is granted a code signing certificate will not spread malicious software because it is easily traced back to him/her. Stolen or fraudulently obtained code signing credentials are becoming common as the number of certificates granted increases.

          Nothing will prevent compromise of a system if the user downloads and executes a program. A properly functioning and updated anti-malware program adds an additional check when the human at the keyboard is hacked. It is certainly a prudent additional check to implement on any device.

          Your friend and his cohort at the Apple Store probably also ride motorcycles without a helmet. Both exhibitions of bravado will eventually lead to consequences they may regret.

      • As a security professional and Mac user I recommend that you no longer rely on your friend for security advice. His response is professionally negligent.

    • Paul Ducklin · 89 days ago

      I'm reliably informed that "lao shu" means "rat." (Proof that anti-virus researchers have a sense of humour, ha!)

      Apparently, the word for "teacher" is "lao shi."

  2. Tim Ballam · 90 days ago

    Hahaha - "we wish to inform you we have a pending parcel for the past 10 days bearing your name"

    or

    "Hi we've had a parcel her for the last 10 days addressed to you"

    Can you see the difference one is a **** Google translation the other is English

    If the English is bad don't open it!

    • Chris · 89 days ago

      So how do you find out if you are not a native speaker? Would you be able to tell in the case of a text written in a foreign language?

      • Paul Ducklin · 89 days ago

        I guess you know you *are* a native speaker because you grew up with the language, spoke it at home, studied it as your first language (rather than learned it as a second or third) at school, etc.

        So you take all the languages in the world, cross out the ones you are a native speaker of...

        ...and there you have your non-native languages.

        (There is no reason a non-native speaker couldn't spot the flaws, and there are probably plenty of native speakers who would overlook them. But I can't easily imagine someone who learned English from birth saying, "We have a pending parcel for the last 10 days." It just sounds synthetic and ungrammatical.)

        • goat · 88 days ago

          I believe he asked, "how do you find out, if you are not a native speaker" as in... well exactly as he stated it.

          Did you honestly think he's randomly asking how do you figure out if youre a native speaker?

          Yes. Yes you did apparently...

          • Paul Ducklin · 87 days ago

            Hmmm. See, "Eats roots, shoots and leaves." Or, to give the book its real title, "Eats, Shoots & Leaves: The Zero Tolerance Approach to Punctuation," by Lynne Truss, http://en.wikipedia.org/wiki/Eats,_Shoots_%26_Leaves

            It does seem now obvious, but the OP did ask *exactly* the question I answered, and it's not *exactly* random, and it isn't *exactly* as you stated it :-) I am afraid I read it *exactly* as it was written (when in doubt, don't use a pronoun), presuming that the OP wanted to know how an English speaker might judge their level of ability to judge.

            Now for the question, "If English isn't your first language, so grammar and usage aren't stand-out clues for you, what should you look for to spot this scam?"

            I touched on two or three in the article:

            * The dialog that warns you that it's not a PDF after all.
            * The advice generally to maintain strong suspicions of unexpected email.
            * The suggestion simply to presume that "undelivered courier item" notifications are scams.

            Another commenter suggested setting the "Allow apps downloaded from" option in Sytem Preferences|Security & Privacy|General to "Mac App Store," a stricter setting than the default "Mac App Store and identified developers."

            Problem with that is that there is a surprising range of Apps - any decent anti-virus, for example :-) - that are banned from the App Store, so many users will reasonably be happier with the default setting. (On my Mac, for instance, I'd say that fewer than 5% of the apps I've added after installing OS X are from the App Store.)

  3. Steve · 90 days ago

    Did you explicitly enable running downloaded apps before trying this? I thought that the default configuration for Mavericks would have flatly refused to run the executable.

    • Paul Ducklin · 89 days ago

      It was what Microsoft used to call "OOBE." (Out-of-box experience.)

      Which reminds me: I should have mentioned, and will add it now, that the App was digitally signed, like a surprising amount of malware is these days. I'd better add that fact!

    • DavyB · 89 days ago

      @steve (and others) The Mavericks (and ML) default is to run Mac App Store + *SIGNED* Apps.
      There are 3 options, Mac Appstore ONLY, Mac Appstore+signed or anything.
      With the 2 tighter options you can right click and open an App and you get a dialog, if you there select it, the specified App will always run in future, (until you install an updated version)

  4. Doc · 90 days ago

    This is not new. I have been getting these emails for years. I do not get deliveries so I have never thought these were real.

    • Paul Ducklin · 89 days ago

      Of course, if the email were to reach you at work, it might be a different story...

      • Neal Lancy · 88 days ago

        Can't you set Gatekeeper to Mac APP store?

        • Paul Ducklin · 87 days ago

          Yes. That makes OS X deal with digitally signed apps in the same way that the default setting ("App Store and identified developers") deals with unsigned software.

          However, many Mac users will be reluctant to choose this setting because they want to install and update non-App Store software, perhaps fairly regularly: the App Store is rather limited in what it allows, and puts Apple entirely in charge of the selection of Apps you get offered.

          Many good and useful apps aren't in the App Store, either because they provide functionality that is banned from the App Store (real time security protection such as anti-virus software, for example), or because the developers didn't want to cede control of their app's future to Apple.

          If you sell your App via the App Store, you are not allowed to sell it by any other means, and every update has to await Apple's approval. Even security patches, which you might want to publish quickly, need to go into the "selection queue" in Cupertino. The selection criteria are, to say the least, opaque.

          Note, of course, that changing the setting you recommend doesn't *prevent* this malware, any more than the "App Store and identified developers" default prevents unsigned malware from running. But it does put an extra barrier in place.

          We discussed this issue in the latest weekly Chet Chat podcast, in transcript form here:

          http://nakedsecurity.sophos.com/transcript-sophos-security-chet-chat-epsiode-131-jan-22-2014/

          BTW, the relevant OS X option is here: Apple Menu|System Preferences|Security & Privacy|General|Allow apps downloaded from

          • Kent Dirfman · 87 days ago

            That is not completely true. For example Navicat sells its software in the App store as well as on their own webiste. The same goes for the OMNI Group.

    • alvarnell · 89 days ago

      Yes, but all the others linked to Windows malware. This would appear to be the first of this specific type designed for OS X.

  5. Anonymous · 90 days ago

    Does the link redirect to landing page which exploits a vulnerability in Safari in order to cause the request for the malicious file? If so which one? I'm curious to the details of what specific security measures in place (or lack there of) on the Mac this malware bypasses in order to install itself and function.

    • Paul Ducklin · 89 days ago

      Well, it doesn't run automatically. As mentioned, you have to "open" it, and when you do that, it warns you that it is an application, not the PDF you expected.

      As I mentioned in another comment, the malware is digitally signed. I'll make that clear in the article, as it removes one more hoop a user would otherwise have to go through (namely the need to instruct OS X to open the app regardless of its lack of a signature).

  6. Jeff H · 89 days ago

    Nice explanation. You say the web site checks the browser and responds with a Mac file if you are running Safari. What happens if you are running Firefox?

    • Paul Ducklin · 89 days ago

      Firefox on OS X gets the Windows malware.

      I didn't try Safari on Windows to see if it gets the OS X malware. (I can't remember if you still *get* Safari on Windows :-)

      • Kent Dorfman · 87 days ago

        Safari for Windows is no longer available and has not been for years.

        • Paul Ducklin · 86 days ago

          Turns out it *is* still available, though only in a flavour that is close to two years old...you can get it officially as Apple download DL1531.

          I just installed it on Win 8.1. (Don't try that at home, folks:-)

      • So it would seem they are exploiting the "open on download" feature of Safari (something I've always disabled). Given the Firefox and Google Chrome will also send OS related strings to an HTTP server is it odd that it deliver Windows executables?

        • Paul Ducklin · 86 days ago

          This isn't the open on download - the file doesn't get opened. (You have to click it to launch it.) But you are 100% right to turn off open on download, which (ironically) would have opened it automatically if it had been a PDF.

          Other readers probably ought to follow your advice: Safari | Preferences | General and untick the 'Open "safe" files after downloading' box.

          (I think the fact that Apple has chosen to write the word "safe" in inverted commas in the dialog box says it all, don't you? Try reading it aloud, adding your own vigorous air-quotes as you say the word "safe" :-)

  7. Hi Paul,
    I have a question regarding drive-by downloads if I may?
    In an effort to thwart these attacks, could simply setting your web browsers user agent to something other than the OS you are using prevent the success of the attack. For example, on your Windows machine, set your browser to present itself as Safari for OSX so that you are delivered the dmg / .app file.
    Likewise on your OSX machine set the browser to present itself as Windows IE, thus receiving the .exe file?

    Regards,

    Andy

    • jet86 · 89 days ago

      I suspect that this may have worked in this case, but it may also add a false sense of security. Many malicious websites will just serve you malware targeting Windows computers without looking at the user agent string at all.

    • Paul Ducklin · 89 days ago

      You could...though if you have Windows you are on a bit of a hiding to nothing, because lots of malware only has a Windows version, and you get it no matter what :-)

      The security benefits, which are a bit "security-through-obscurityish" anyway, might well be smaller than the hassles caused by misleading every genuine website out there and thus not getting the best out of it.

    • Thanks for your responses guys. Guess we should all follow best practices, irrespective of our OS of choice.

  8. Suzanne (UK) · 89 days ago

    Reading the replies to this article, leaves me with the impression that there are still some doubting Thomas's out there.

    I don't have a Mac computer, but I still understand the implications of this, and appreciate the hard work that was put into the research.

  9. Mark Dallner · 89 days ago

    This past year was the first time I was warned by Sophos Anti Virus application that I was being attacked on my Mac. The conversation about Mac and anti Virus is one that a few Mac users say is not needed. My comment to one of these people was, as the Mac OS increases it's presence on the market place, so does the target on the Mac user's back. I used to be a Apple Certified Mac Tech and made lots of money in the days of system 6 though 9 wacking viruses.

    • Kent Dorfman · 85 days ago

      Mac System anything used to have more viruses than Windows did at the time. Mac OS X has had none (based upon the true definition of what a virus is). So are you stating that Macs that ran the System OS had a greater marketshare than the current Macs? That would add validation to your statement of OS presence increasing viruses. But it is not likely.

  10. D. Fitz-Gibbons · 89 days ago

    These types of e-mails are also coming from "Costco". I've received a few of them over the past two to three weeks, but I haven't ordered anything from the real Costco in years.

  11. Hi Paul

    Greetings from (too) sunny South Africa.

    Thanks for doing the research. I just generally consign these to spam, but it’s useful to know that a “PDF” could be a disguised app.

    • Paul Ducklin · 86 days ago

      Yes...Apple has done a Microsoft, suppressing extensions by default, so that an Application bundle like "Banana.app" appears simply as "Banana". (Ironically, however, "Banana.PDF.app" appears as "Banana.PDF.app", while "Banana PDF.app" appears as "Banana PDF" :-)

      Apparently, suppressing extensions makes for a cleaner user experience, or some such happy thing. You can change this setting, though, and I recommend you do: go to Finder | Preferences | Advanced and tick the box to "Show all filename extensions".

  12. Judging grammar is not a fool proof method. I've received horribly written business communications from 'real' email marketers.
    I'd just advise users to never open a zip, or even download a file, that is not from a human being you know, and from whom you are expecting files. Instead, contact the company directly to see if they have legitimate business with you.

    • Paul Ducklin · 84 days ago

      I agree that legitimate (well, non-infringing in the case of some email) communications that look like garbage confuse the issue. One solution is to bin them anyway. Why would you want to do business with a marketing person who doesn't even have the decency to communicate clearly and in normal language? If they can't be bothered to take the slightest care with the English language when they are selling themselves, how much do you think they'll be bothered about your credit card data or your home address?

  13. Vito · 83 days ago

    If I'm reading the article correctly, this isn't actually a "drive by" exploit. You have to receive the email, be silly enough to open it without first inspecting the message source, then click on the link to start the download, and then be foolish enough to open the download.

    In my case, the whole business about detecting a browser is irrelevant; I use a mail client (SeaMonkey's Mail & Newsgroups app for Mac), and my default browser is SeaMonkey as well. Because SeaMonkey ≠ Safari, presumably I would get the Windows version of the malware...er, assuming I were clueless enough to get that far. Do so many people use webmail in a browser that this is even a reasonable attack vector? If so, that's a surprise to me...although perhaps it shouldn't be.

    Anyhow, I know when I'm expecting a package and when I'm not. The appearance of a message like the one described in the article is immediately suspect. The grammar would be an additional tip-off. In any case, I don't even open such messages; instead I use SeaMonkey's View:Message Source (command-U) to inspect the message contents before opening it. If it's not legitimate (it seldom is), I mark it Junk.

    • Paul Ducklin · 82 days ago

      It's not a drive-by exploit. That's made fairly clear in the article. You do indeed have to decide to open it.

      As for "knowing when you are expecting a package," there will be at least some people in an office environment who are expected to receive and sort out parcels pretty much any time, for pretty much anybody - office managers, for example - so there are those who are implicitly expecting packages all the time...

      I agree that a well-informed user shouldn't fall for this, but to use the word "clueless" for anyone who does fall for it is a bit harsh.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog