RAT Designed to Target Mac Users Distributed via Fake Courier Emails

Fake FedEx email delivers Mac malware

Malware-spreading emails that abuse the names of popular courier companies such as DHL, FedEx or the UK’s Royal Mail are not uncommon. However, it’s not often that such spam runs are utilized to distribute Mac malware.

Researchers from Sophos have come across a fake FedEx email entitled “Pending Parcel for Jonathan.”

“We wish to inform you that we have a pending parcel for the past 10 days bearing your name Mr. Jonathan Sidebottom, with parcel number (MV-45-QA566). The parcel was sent for delivery on the below mentioned address but nobody was there to receive it,” the bogus notifications read.

The link from the email purports to lead to fedex.com.ch, but it doesn’t. This is where it all gets interesting.

If the link is clicked from a mobile device, nothing happens. If the link is visited from a computer running a web browser other than Safari, a piece of Windows malware is served. The threat is a “vague relative” of the ZeuS banking malware, experts noted.

However, if the link is clicked from Safari, Apple’s web browser, a piece of Mac malware is delivered, hidden inside a ZIP archive file.

OS X warns users that the file they're about to open is an application

At first sight, the malicious file appears to be a harmless PDF document. However, when the user tries to open it, the operating system warns that “Scanned_Copy_of_parcel” is actually an “application downloaded from the Internet.”

Users who ignore the warning are actually allowing a piece of malware dubbed OSX/LaoShu-A to make its way onto their systems. It’s worth noting that the operating system doesn’t display any warning regarding the developer because the malicious app is digitally signed.

LaoShu-A is a Remote Access Trojan (RAT) that allows cybercriminals to take control of an infected computer. Experts say the threat allows cybercriminals to search and exfiltrate certain file types, take screenshots, and perform other actions.
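As an added defender-side example (not code from the Sophos write-up or from this article), the following Python script inspects a downloaded ZIP archive without extracting it and flags any OS X application bundle whose name borrows a document extension, which is the trick the “Scanned_Copy_of_parcel” lure above relies on. The bundle name Scanned_Copy_of_parcel.pdf.app, the bundle identifier com.example.lure and the two in-memory archives are constructed for the demonstration and are not values taken from the real sample.

```python
import io
import plistlib
import zipfile

# Extensions a lure borrows so that an app bundle reads as a document.
DOCUMENT_LURE_EXTENSIONS = (".pdf", ".doc", ".docx", ".jpg", ".png", ".txt")

# Mach-O magic numbers (32/64-bit, both byte orders) plus the fat-binary magic.
MACHO_MAGICS = (
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
)


def find_disguised_app_bundles(zip_bytes):
    """Return one finding per .app bundle found inside the archive bytes.

    Works on the raw ZIP so nothing is written to disk. A bundle is an
    entry directory ending in .app; we record whether its name carries a
    document-style extension, whether it ships a Contents/MacOS executable
    and whether that executable starts with a Mach-O magic.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        bundle_roots = set()
        for name in names:
            parts = name.split("/")
            for i, part in enumerate(parts[:-1]):  # only directory components
                if part.lower().endswith(".app"):
                    bundle_roots.add("/".join(parts[: i + 1]))
                    break
        for root in sorted(bundle_roots):
            stem = root.rsplit("/", 1)[-1][:-4]  # bundle name without ".app"
            lure_ext = next(
                (e for e in DOCUMENT_LURE_EXTENSIONS if stem.lower().endswith(e)), None
            )
            macos_dir = root + "/Contents/MacOS/"
            executables = [n for n in names if n.startswith(macos_dir) and not n.endswith("/")]
            info = {}
            plist_name = root + "/Contents/Info.plist"
            if plist_name in names:
                try:
                    info = plistlib.loads(zf.read(plist_name))
                except Exception:  # malformed plist is itself worth noting
                    info = {}
            # Prefer the executable named in Info.plist, else the first one present.
            exec_name = info.get("CFBundleExecutable")
            exec_entry = macos_dir + exec_name if exec_name and macos_dir + exec_name in names else (
                executables[0] if executables else None
            )
            is_macho = bool(exec_entry) and zf.read(exec_entry)[:4] in MACHO_MAGICS
            findings.append({
                "bundle": root,
                "disguised_as": lure_ext,
                "has_executable": bool(executables),
                "executable_is_macho": is_macho,
                "bundle_id": info.get("CFBundleIdentifier"),
            })
    return findings


def is_lure_archive(zip_bytes):
    """True when any bundle both looks like a document and carries an executable."""
    return any(f["disguised_as"] and f["has_executable"] for f in find_disguised_app_bundles(zip_bytes))


def build_sample_lure_zip():
    """Constructed archive shaped like the lure described in the article.
    The bundle name, identifier and executable bytes are assumptions."""
    root = "Scanned_Copy_of_parcel.pdf.app"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(root + "/Contents/Info.plist", plistlib.dumps({
            "CFBundleIdentifier": "com.example.lure",          # constructed value
            "CFBundleExecutable": "Scanned_Copy_of_parcel.pdf",
        }))
        # Only the 64-bit Mach-O magic is needed for the header check.
        zf.writestr(root + "/Contents/MacOS/Scanned_Copy_of_parcel.pdf", b"\xcf\xfa\xed\xfe")
        zf.writestr(root + "/Contents/Resources/pdf.icns", b"")
    return buf.getvalue()


def build_benign_zip():
    """Constructed archive holding a real (minimal) PDF, for contrast."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("parcel.pdf", b"%PDF-1.4\n%%EOF\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("lure", build_sample_lure_zip()), ("benign", build_benign_zip())):
        print(label, is_lure_archive(data), find_disguised_app_bundles(data))
```

The check deliberately stays at the archive level: a mail gateway or download scanner can run it before the user ever sees the Finder icon, and the Mach-O header test separates a genuine application from a stray directory that merely happens to end in `.app`. Code signing, which is what suppresses the developer warning in this case, does not change the verdict here; a signed bundle named like a PDF is still a bundle named like a PDF.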

