Imuler – a new version of OS X malware that takes screenshots of your screen and sends them to the attackers

  OS X is widely regarded as one of the safer operating systems, and comparatively few malware families have been written for Apple's platform. Even so, every now and then a new threat to Mac owners appears, and today I'm writing about a new version of a malware family called Imuler. This variant hides in files that at first glance look like ordinary pictures but are in fact executables that can cause you quite a few problems. The malware was distributed in archives named Pictures and the Article of Renzin Dorjee.zip and FHM Feb Cover Girl Irina Shayk H-Res Pics.zip. The infection relies on the fact that Finder hides filename extensions by default and the disguised executable carries an image icon instead of a real thumbnail, so it is indistinguishable from a picture and the user double-clicks it expecting to view a photo.

The malware installs a backdoor at /tmp/.mdworker, along with other files in that directory, and then launches a process named .mdworker. Note the leading dot: the legitimate mdworker process (without the dot) is the helper Spotlight uses to index files, so the name is chosen to blend in with normal process listings. A launch agent is also installed at ~/Library/LaunchAgents/checkvir.plist, together with an executable in the same folder, which makes the malware start again every time the user logs in to the Mac, including after a reboot. After a restart the .mdworker process is gone and the checkvir executable runs instead. The malware searches the user's data and attempts to upload it to a server; it also takes screenshots and sends them to the same server, and it generates a unique identifier for the Mac so that the operators can link each machine to the data collected from it. We have seen that this malware is active, as it connects to a remote server and downloads new executables.
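The persistence artifacts above (the hidden /tmp/.mdworker backdoor, the checkvir.plist launch agent and its companion executable, and the misleadingly named .mdworker process) are the indicators a responder would check first. The following POSIX sh script is an added example, not code from the original article or from the vendor that analysed the sample; it takes the home and temp directories as parameters so it can be pointed at a mounted image of a suspect Mac, and defaults to the live machine. It only reports the paths and process name the text names; it does not remove anything.

```shell
#!/bin/sh
# Added example: scan for the Imuler persistence artifacts described above.
# Assumes only the paths named in the article; nothing else is inferred.

# Usage: scan_imuler_files [HOME_DIR] [TMP_DIR]
# Prints each indicator found. Returns 0 if at least one artifact exists,
# 1 if none of the known paths is present.
scan_imuler_files() {
    home_dir="${1:-$HOME}"
    tmp_dir="${2:-/tmp}"
    found=0
    # Backdoor dropped as a hidden file whose name mimics Spotlight's mdworker
    if [ -e "$tmp_dir/.mdworker" ]; then
        echo "IOC: backdoor present at $tmp_dir/.mdworker"
        found=1
    fi
    # Per-user launch agent that re-launches the malware at every login
    if [ -e "$home_dir/Library/LaunchAgents/checkvir.plist" ]; then
        echo "IOC: launch agent at $home_dir/Library/LaunchAgents/checkvir.plist"
        found=1
    fi
    # Executable dropped next to the plist (name assumed to match the agent)
    if [ -e "$home_dir/Library/LaunchAgents/checkvir" ]; then
        echo "IOC: executable at $home_dir/Library/LaunchAgents/checkvir"
        found=1
    fi
    [ "$found" -eq 1 ] && return 0
    return 1
}

# Returns 0 if a process named exactly ".mdworker" is running, 1 otherwise.
# The legitimate Spotlight helper is "mdworker" without the leading dot, so
# the comparison is exact on the basename rather than a substring match
# (a substring match would flag every healthy Spotlight worker).
scan_imuler_process() {
    ps -eo comm= 2>/dev/null | awk '
        { n = $0; sub(/^[ \t]+/, "", n); sub(/.*\//, "", n)
          if (n == ".mdworker") found = 1 }
        END { exit found ? 0 : 1 }'
}

# Stand-alone run against the live machine
if [ "${1:-}" = "--run" ]; then
    hit=1
    scan_imuler_files && hit=0
    if scan_imuler_process; then
        echo "IOC: hidden .mdworker process is running"
        hit=0
    fi
    [ "$hit" -eq 0 ] && echo "Result: Imuler indicators found" || echo "Result: no Imuler indicators"
    exit "$hit"
fi
```

Run it as `sh scan.sh --run` on the suspect Mac, or source it and call `scan_imuler_files /Volumes/suspect/Users/alice /Volumes/suspect/private/tmp` against a mounted disk image. A clean result only means these particular paths are absent; the article notes the malware downloads new executables, so names can change between variants, and an unfamiliar entry in ~/Library/LaunchAgents is worth inspecting with `launchctl list` regardless of what it is called.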

  If you have been infected with this malware, data collected from across the system plus screenshots of your Mac's screen are sent to the attackers' servers, so they can follow everything you do without much effort. To protect yourself, make sure Finder is set to show filename extensions (Finder > Preferences > Advanced > Show all filename extensions), so that an executable disguised with an image icon reveals its real extension instead of passing for a picture. Treat any "photo" that arrives as a ZIP archive with suspicion even then, and check ~/Library/LaunchAgents for entries you do not recognise.