
ESET analyzes the Office-based Trojan threat for OS X

Security company ESET watches the newly found Trojan for OS X establish connections and receive commands to steal information.

Recently new Trojan variants for OS X were found that take advantage of old and patched vulnerabilities to install and execute information-stealing code on affected systems. One of the newest ones uses Office documents as an installation vector and may be called OS X/Lamadai.A or OSX/Olyx depending on the malware scanner being used.

When this malware was found, security company AlienVault issued an initial analysis of the threat, describing it as a Command and Control (C&C) based Trojan that originates from China and is being used to target non-government organizations based in Tibet.

In light of this new malware development and following AlienVault's analysis of the threat, security company ESET has investigated the Trojan further.

While one can analyze malware threats by dissecting the binaries and picking out strings and other clues as to its functions, another approach is to install and run it and see what it does. This is exactly what ESET did, and in doing so found some rather interesting results.

ESET observed that once the Trojan installs, it establishes a connection to a hard-coded remote C&C server located in China and then waits in a "busy" loop in which it attempts to maintain its connection with the server. The server can then be used to issue commands to the infected system for uploading or downloading files, or for executing scripts and commands -- the basics for allowing someone to remotely access a system, browse around on it, and steal information.

ESET also noticed that the Trojan is sophisticated enough to use several encryption routines for its communication with the C&C server, which may make identifying C&C activity midstream difficult, and it also uses checksums to verify the data it downloads or uploads. In essence, this is not just a quick attempt to grab random information; it has been designed specifically to preserve the data it is trying to steal.

[Image: Commands received from the remote C&C server. Caption: The commands issued to the infected system suggest a person is correcting and refining the commands and determining where to go on the system for the information being sought. Credit: ESET]

The most interesting aspect of ESET's analysis was the discovery that the C&C server appears to be operated by a human on the other end of the line. Once the connection to the C&C server was established, ESET noticed incoming commands that included typos followed by corrections, as well as the BSD directory-listing (ls) and present-working-directory (pwd) commands, showing that someone was poking around and deciding what to do next.

Once the person on the other end had found the location of the ESET computer's Keychain file, he or she began issuing instructions to upload the keychain along with other files on the system, very clearly demonstrating the main purpose of this threat is to knowingly and directly steal information.
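The behaviour ESET describes (an operator typing commands by hand, correcting typos, listing directories, then ordering the keychain uploaded) is a pattern a defender can look for in a command audit trail. The following script is an added example, not ESET's or CNET's code: it parses a constructed log of commands executed under a given process, counts reconnaissance commands, flags near-identical retries that read as a human correcting a typo, and raises an alert when a command that reads the per-user keychain directory (/Library/Keychains/, the real macOS location) is followed by an upload of it. The log format, the "upload" verb, and the process IDs are assumptions made up for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed audit-log format (an assumption for this example):
#   "<ISO time> pid=<n> cmd=<command line>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+pid=(?P<pid>\d+)\s+cmd=(?P<cmd>.*)$")

KEYCHAIN_DIR = "/Library/Keychains/"           # real per-user keychain location on macOS
RECON = {"ls", "pwd", "whoami", "id", "uname", "find"}
UPLOAD = {"upload", "curl", "scp"}              # "upload" as a C&C verb; the rest assumed

# Constructed sample log: one hand-driven session (pid 4242) and one harmless one (pid 777).
SAMPLE_LOG = """\
2012-03-28T10:00:01 pid=4242 cmd=pdw
2012-03-28T10:00:03 pid=4242 cmd=pwd
2012-03-28T10:00:09 pid=4242 cmd=ls -la /Users/victim/Library
2012-03-28T10:00:20 pid=4242 cmd=ls /Users/victim/Library/Keychains/
2012-03-28T10:00:41 pid=4242 cmd=upload /Users/victim/Library/Keychains/login.keychain
2012-03-28T10:05:00 pid=777 cmd=ls /tmp
2012-03-28T10:05:02 pid=777 cmd=pwd
"""


@dataclass
class Event:
    ts: str
    pid: int
    cmd: str


@dataclass
class Finding:
    pid: int
    recon: int = 0                       # number of reconnaissance commands seen
    typo_fixes: int = 0                  # unknown command immediately retried with a small edit
    keychain_access: List[str] = field(default_factory=list)
    uploads: List[str] = field(default_factory=list)

    def verdict(self) -> str:
        if self.uploads:
            return "keychain_exfiltration"
        if self.recon >= 2 and self.typo_fixes >= 1:
            return "interactive_reconnaissance"
        return "no_finding"


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; a distance of 1-2 between consecutive commands is a typo signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _prog(cmd: str) -> str:
    """First token of a command line with any leading path stripped."""
    argv = cmd.split()
    return argv[0].rsplit("/", 1)[-1] if argv else ""


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            events.append(Event(m["ts"], int(m["pid"]), m["cmd"]))
    return events


def analyze(events: List[Event]) -> Dict[int, Finding]:
    """Group commands by process and score each process for the operator pattern described in the article."""
    by_pid: Dict[int, List[Event]] = {}
    for e in events:
        by_pid.setdefault(e.pid, []).append(e)

    findings: Dict[int, Finding] = {}
    for pid, evs in by_pid.items():
        f = Finding(pid)
        prev = None
        for e in evs:
            prog = _prog(e.cmd)
            if prog in RECON:
                f.recon += 1
            # An unrecognised command followed at once by a near-identical one reads as a human fixing a typo.
            if prev is not None and _prog(prev) not in RECON | UPLOAD and 0 < edit_distance(prev, e.cmd) <= 2:
                f.typo_fixes += 1
            if KEYCHAIN_DIR in e.cmd:
                f.keychain_access.append(e.cmd)
                if prog in UPLOAD:
                    f.uploads.append(e.cmd)
            prev = e.cmd
        findings[pid] = f
    return findings


if __name__ == "__main__":
    for pid, f in analyze(parse_log(SAMPLE_LOG)).items():
        print(pid, f.verdict(), "recon=%d typo_fixes=%d uploads=%d" % (f.recon, f.typo_fixes, len(f.uploads)))
```

The rule deliberately keys on behaviour rather than on the Trojan's binary or server address, so it still applies when a variant changes its hard-coded C&C host or its encryption: what it catches is a reconnaissance session that ends in the keychain leaving the machine, which is the outcome ESET watched happen.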

ESET has covered its findings in detail on its threat blog.

While this threat is one of the first to show direct and successful targeting of data on OS X systems through remote connections, its presence and these analyses of its behavior should not be cause for alarm. All of the recent Trojan horses found for OS X take advantage of old software vulnerabilities that have been patched for quite some time (in some cases the fixes have been available for years). Simply keeping your system up to date will protect it from these new malware threats.
