The LaoShu threat is a piece of malware designed to target Mac systems exclusively. Its goal is to collect sensitive data from compromised hosts. The LaoShu Trojan is propagated via emails that tend to contain an infected PDF file. In the latest campaign involving the LaoShu Trojan, the attackers appear to have chosen to disguise the fake emails as legitimate messages sent by well-known delivery companies. The emails state that the user has a package that they have not picked up and that the attached PDF file contains more information regarding the issue. In some cases, instead of a PDF file, the email contains a ZIP attachment, which carries a PDF file. Some users report that the fraudulent email redirected them to a website that appeared to be the official page of the courier company in question. However, after looking into it, cybersecurity analysts found that this is a bogus website hosted by the attackers and designed to look like the original Web page of the delivery company.
The creators of the LaoShu Trojan rely on the layout of OS X. Once a user downloads the supposed PDF file, they will be able to see it in recent downloads. However, the malicious file only appears to be a PDF file; it is actually an application. This means that opening the malicious file allows the LaoShu Trojan to penetrate the system. Upon launching the file, the user is warned by the security measures of OS X that the file may be dangerous. Users who ignore the warning and proceed are redirected back to the Safari browser instead of seeing a PDF file as they had expected. This is a clever trick designed to mislead users into believing that something went wrong when opening the file. If users do not look further into it, they may never realize that their system has been infected, because the LaoShu Trojan operates silently.
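The mismatch described above, a download that looks like a PDF but is really an application, can be checked for mechanically. The following Python script is an added example, not code from the original article or from any analysis of LaoShu. It assumes the disguise shows up either as an application bundle with a document-style name or as a `.pdf` file whose bytes are not a PDF; the function names and sample files are constructed for illustration.

```python
import os
import tempfile

DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")
# Mach-O magics: 32/64-bit in both byte orders, plus fat (universal) binaries.
MACHO = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
         b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}

def classify(path):
    """Return why `path` looks like a program posing as a document, or None."""
    name = os.path.basename(path).lower()
    if os.path.isdir(path):
        # macOS applications are directories (bundles) named *.app.
        if name.endswith(".app") and name[:-4].endswith(DOC_EXTS):
            return "app bundle with a document-style name"
    elif name.endswith(".pdf"):
        with open(path, "rb") as fh:
            head = fh.read(1024)
        if head[:4] in MACHO:
            return "Mach-O executable named .pdf"
        if b"%PDF-" not in head:  # real PDFs carry this marker near the start
            return "no PDF header despite .pdf name"
    return None

def scan(root):
    """Map relative path -> reason for every suspicious entry under `root`."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in list(dirnames) + filenames:
            full = os.path.join(dirpath, entry)
            reason = classify(full)
            if reason:
                findings[os.path.relpath(full, root)] = reason
        # Do not descend into bundles; their internals are not user documents.
        dirnames[:] = [d for d in dirnames if not d.lower().endswith(".app")]
    return findings

def build_sample(root):  # constructed sample tree standing in for Downloads
    os.makedirs(os.path.join(root, "Tracking.pdf.app", "Contents", "MacOS"))
    os.makedirs(os.path.join(root, "Preview.app", "Contents"))
    for name, data in (("invoice.pdf", b"%PDF-1.4\n%constructed\n"),
                       ("label.pdf", b"\xcf\xfa\xed\xfe" + b"\x00" * 28)):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan(tmp))
```

Pointing `scan()` at a real downloads folder lists entries worth a second look before they are opened; an ordinary application such as the constructed `Preview.app` and a genuine PDF are not flagged.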
When the LaoShu Trojan is successfully installed on the targeted host, it scans the system for PPT, PPTX, DOC, DOCX, XLS, and XLSX files. If such files are detected, the LaoShu threat collects them in a ZIP archive, which is then transferred to the C&C (Command & Control) server of the Trojan's operators. The LaoShu malware can also download files from the attackers' C&C server and even run shell commands. These additional capabilities would allow the LaoShu Trojan to alter the settings of the system or plant additional threats on the infected host. According to some reports, the LaoShu Trojan is known to plant a module that is capable of taking screenshots of the user's desktop and active windows.
The LaoShu Trojan is not a threat to be underestimated. It is a complex and potent tool that is likely to continue pestering Apple users worldwide. Make sure your Mac is protected by a legitimate anti-malware application.