Interesting disguise employed by new Mac malware HiddenLotus | Advanced Mobile Spy Software
On November 30, Apple silently added a signature to the macOS XProtect anti-malware system for something called OSX.HiddenLotus.A. It was a mystery what HiddenLotus was until, later that same day, Arnaud Abbati found the sample and shared it with other security researchers on Twitter. The HiddenLotus "dropper" is an application named Lê Thu Hà (HAEDC).pdf, using an old trick of disguising itself as a document—in this case, an Adobe Acrobat file.

This is the same scheme that inspired the file quarantine feature in Mac OS X. Introduced in Leopard (Mac OS X 10.5), this feature tagged files downloaded from the Internet with a special piece of metadata to indicate that the file had been "quarantined." Later, when the user tried to open the file, if it was an executable file of any kind, such as an application, the system would display a warning to the user. The intent behind this feature was to ensure that the user knew that the file they were opening was an application, rather than a
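As an added example (not code from the original post or from Apple), here is a small Python check for the disguise described above: it flags a directory that carries a document extension such as .pdf but is laid out like a macOS application bundle. The bundle layout it looks for (Contents/Info.plist plus a Contents/MacOS directory), the extension list, and the sample files it builds are assumptions constructed for the demo.

```python
import tempfile
from pathlib import Path

# Extensions a user would expect to open as plain documents, not executables (assumed list).
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".txt", ".jpg", ".png"}


def is_masquerading_bundle(path: Path) -> bool:
    """True when `path` is a directory structured like an application bundle
    (Contents/Info.plist and a Contents/MacOS executable directory) but named
    with a document extension instead of .app."""
    if not path.is_dir() or path.suffix.lower() not in DOCUMENT_EXTENSIONS:
        return False
    contents = path / "Contents"
    return (contents / "Info.plist").is_file() and (contents / "MacOS").is_dir()


def scan(root: Path) -> list:
    """Return the names of every immediate child of `root` that looks like an
    application bundle disguised as a document, sorted for stable output."""
    return sorted(p.name for p in root.iterdir() if is_masquerading_bundle(p))


def build_sample(root: Path) -> None:
    """Constructed fixture: a genuine PDF, an honest .app bundle, and a bundle
    carrying the dropper's document-style name but an application layout."""
    (root / "invoice.pdf").write_bytes(b"%PDF-1.4\n% constructed sample\n")
    for name in ("Notes.app", "Lê Thu Hà (HAEDC).pdf"):
        macos_dir = root / name / "Contents" / "MacOS"
        macos_dir.mkdir(parents=True)
        (root / name / "Contents" / "Info.plist").write_text("<plist/>")
        # Constructed placeholder executable; bytes are the 64-bit Mach-O magic.
        (macos_dir / "main").write_bytes(b"\xcf\xfa\xed\xfe")


def demo() -> list:
    """Build the fixture in a temporary directory and report what the scan flags."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample(root)
        return scan(root)


if __name__ == "__main__":
    print(demo())  # expected: ['Lê Thu Hà (HAEDC).pdf']
```

The honest Notes.app bundle and the real invoice.pdf are not reported; only the directory whose name promises a document while its layout is that of an application is flagged.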