OS X Revir-B trojan masquerades as a PDF file

A nascent OS X trojan has been positively identified by a number of security companies. 

Dubbed “Revir-B,” the malware disguises itself as a PDF file about the disputed Diaoyu Islands to trick users into triggering its payload.

According to F-Secure, Revir-B drops a PDF file embedded in its body and opens it in an attempt to prevent the user from noticing any suspicious activity.

“This may be attempting to copy the technique implemented by Windows malware, which opens a PDF file containing a ‘.pdf.exe’ extension and an accompanying PDF icon. [Although] the sample on our hand does not have an extension or an icon yet, there is another possibility,” explained Brod of F-Secure.

“It is slightly different in Mac, where the icon is stored in a separate fork that is not readily visible in the OS. The extension and icon could have been lost when the sample was submitted to us. If this is the case, this malware might be even stealthier than in Windows because the sample can use any extension it desires.”

Once activated, the malware proceeds to install a backdoor, Backdoor:OSX/Imuler.A, in the background. Fortunately, the malware C&C is just a bare Apache installation which is not yet capable of communicating with the backdoor.

Meanwhile, Sophos security expert Graham Cluley notes that many people still think that PDF files are somehow magically safer to open than conventional programs – despite the fact that cybercriminals have created numerous boobytrapped PDF files to exploit system vulnerabilities.

“[Yes], we have seen plenty of Windows malware in the past which pretended to be a PDF rather than an EXE – sometimes using techniques such as the double-extension trick (for instance, filename.PDF.EXE).

“[So] it’s quite possible that this is evidence that Mac malware authors are attempting something similar, moving on from the fake anti-virus alerts that blighted many Mac users earlier this year,” he added.