Intego recently posted some information on its blog concerning the Imuler information-stealing Trojan. The variant that Intego calls OSX/Imuler.C uses a different stealth/social engineering technique from that used by previous variants. It seems to be intended to spread via .ZIP archives containing the malicious app among an array of erotic images (JPGs, in the examples I’ve seen): the app includes an icon that makes it look like an image. Since by default the OS X Finder doesn’t display file extensions, it would be easy for the average Mac user to double-click the “image” expecting to see a full-sized picture. That would indeed happen, but in the meantime malicious software has been installed on the system.
Intego recommends (as do I) that Mac users enable the display of file extensions in the Advanced Finder Preferences menu.
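Showing extensions helps the user, but a mail gateway or desktop scanner can apply the same idea to the archive before it is ever opened. The following is an added example, not code from Intego, ESET or the Imuler analysis: it walks a ZIP archive, finds every application bundle (an `.app/` directory with a Mach-O executable under `Contents/MacOS/`), and reports whether the bundle name has been given an image-like extension such as `IMG_0003.jpg.app`, which Finder would display as `IMG_0003.jpg` with extensions hidden. The archive it inspects is constructed inline for illustration; the file names, the `pictures/` path and the byte contents are assumptions, not details from any real sample.

```python
import io
import zipfile

# Mach-O magic numbers as they appear in the first four bytes of a file
# (32/64-bit, both byte orders, plus the fat/universal header).
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC 32-bit, BE / LE
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64, BE / LE
    b"\xca\xfe\xba\xbe",                        # FAT_MAGIC (universal binary)
}
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".tif", ".tiff")


def build_sample_archive() -> bytes:
    """Constructed test archive: a few 'photos' plus one app bundle disguised as a photo.
    Every file here is synthetic; it is not a real malware sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pictures/IMG_0001.jpg", b"\xff\xd8\xff\xe0 constructed jpeg bytes")
        zf.writestr("pictures/IMG_0002.jpg", b"\xff\xd8\xff\xe0 constructed jpeg bytes")
        # The bundle directory ends in ".jpg.app": with extensions hidden, Finder shows "IMG_0003.jpg".
        zf.writestr("pictures/IMG_0003.jpg.app/Contents/Info.plist", b"<plist/>")
        zf.writestr("pictures/IMG_0003.jpg.app/Contents/MacOS/IMG_0003",
                    b"\xcf\xfa\xed\xfe constructed mach-o header")
    return buf.getvalue()


def bundle_root(member_name: str):
    """Return the '.../Something.app' prefix of a ZIP member path, or None if it is not inside a bundle."""
    idx = member_name.find(".app/")
    if idx == -1:
        return None
    return member_name[: idx + len(".app")]


def find_disguised_bundles(zip_bytes: bytes):
    """Return [(bundle_path, looks_like_image), ...] for every app bundle in the archive
    that carries a Mach-O executable under Contents/MacOS/.

    looks_like_image is True when the bundle name, minus '.app', ends in an image
    extension, i.e. the double-extension trick the Finder default would hide."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            root = bundle_root(info.filename)
            if root is None or info.is_dir():
                continue
            inside = info.filename[len(root) + 1:]
            if not inside.startswith("Contents/MacOS/"):
                continue
            with zf.open(info) as fh:
                magic = fh.read(4)
            if magic in MACHO_MAGICS:
                stem = root[: -len(".app")]
                findings[root] = stem.lower().endswith(IMAGE_EXTS)
    return sorted(findings.items())


if __name__ == "__main__":
    for path, disguised in find_disguised_bundles(build_sample_archive()):
        flag = "DISGUISED AS IMAGE" if disguised else "app bundle"
        print(f"{flag}: {path}")
```

The check deliberately keys on structure (a bundle plus a Mach-O binary) rather than on any signature, so it will also surface a benign app shipped inside a ZIP; the image-extension flag is what separates "someone zipped an application" from "an application pretending to be a photo", and that is the case worth quarantining or at least warning about.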
ESET’s Alexis Dorais-Joncas and Marc-Étienne M. Léveillé have also been looking at this Trojan, as described in Alexis’s blog, expanding on the malware’s command-and-control (C&C) functionality and noting the presence of strings that suggest the app was originally compiled for Windows and then recompiled for OS X.
Other vendors might want to check the MD5 hashes Alexis has included in his post.