Mac OS X: 2007 Year Ender for Zlob
It was last year that this trojan stood out from the crowd of competing malware. A new variant reached users by email, using social engineering to entice them into clicking a link to a video. The video, however, would not play without installing a "required" codec. This trick persuades the user to install the fake codec; unknowingly, the user has just installed the malware!
The surge of file shares, free downloads, blogs and social websites has created a perfect opportunity for Zlob to infiltrate networks. Evidently, the growing number of domain names and clicks has helped Zlob stay visible in search engines.
All of this worked only on Windows until late this year (November), when the trojan crossed over to the Mac, specifically OS X. Suddenly, a list of domain names is able to serve installers for both Windows and Mac users. The domains hosting the Zlob fake codec for Mac users never sleep: they stay online 24×7, and their number keeps growing. It is out there in the wild!
These sites are smart enough to check whether you are running Windows or Mac, and then serve the matching installer: a Windows executable (EXE) or a disk image (DMG) for Mac.
Who's behind Zlob? Let's investigate its network connections …
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Web Site: http://codecdemo.com
A   --> 64.28.184.189 --PTR--> 64.28.184.189-rev.cernel.net
NS  --> ns1.codecdemo.com --A--> 64.28.181.226 --PTR--> 64-28-181-226-rev.cernel.net
NS  --> ns2.codecdemo.com --A--> 64.28.181.227 --PTR--> 64-28-181-227-rev.cernel.net
MX  --> (priority 10) mail.codecdemo.com --A--> 64.28.184.164 --PTR--> 64-28-184-164-rev.cernel.net
NET --> gw1.cernel.net [64.28.176.1] --> AS27595
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
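To make the pivot above reproducible, here is an added Python example (not code from the original post) that walks a domain's A, NS and MX records down to IP addresses and PTR names, then clusters domains that share a /24 netblock or a reverse-DNS parent domain, which is the attribution step the record block above performs by hand. The DNS table is a constructed stand-in for live lookups: the codecdemo.com entries are the ones recorded above, while the `*.example` domains and their 192.0.2.x / 198.51.100.x addresses are hypothetical and exist only to show a second cluster forming. The ASN hop (AS27595 in the post) is not modelled.

```python
import ipaddress
from collections import defaultdict

# Constructed DNS table standing in for live lookups.
# codecdemo.com records: as recorded in the post.
# *.example records: hypothetical, using RFC 5737 documentation addresses.
DNS = {
    ("codecdemo.com", "A"): ["64.28.184.189"],
    ("codecdemo.com", "NS"): ["ns1.codecdemo.com", "ns2.codecdemo.com"],
    ("codecdemo.com", "MX"): [(10, "mail.codecdemo.com")],
    ("ns1.codecdemo.com", "A"): ["64.28.181.226"],
    ("ns2.codecdemo.com", "A"): ["64.28.181.227"],
    ("mail.codecdemo.com", "A"): ["64.28.184.164"],
    ("64.28.184.189", "PTR"): ["64.28.184.189-rev.cernel.net"],
    ("64.28.181.226", "PTR"): ["64-28-181-226-rev.cernel.net"],
    ("64.28.181.227", "PTR"): ["64-28-181-227-rev.cernel.net"],
    ("64.28.184.164", "PTR"): ["64-28-184-164-rev.cernel.net"],
    # hypothetical second and third domains sharing a name server
    ("codec-mirror.example", "A"): ["192.0.2.10"],
    ("codec-mirror.example", "NS"): ["ns1.codec-mirror.example"],
    ("ns1.codec-mirror.example", "A"): ["192.0.2.53"],
    ("192.0.2.10", "PTR"): ["192-0-2-10.hosting.example"],
    ("192.0.2.53", "PTR"): ["192-0-2-53.hosting.example"],
    ("video-plugin.example", "A"): ["198.51.100.7"],
    ("video-plugin.example", "NS"): ["ns1.codec-mirror.example"],
    ("198.51.100.7", "PTR"): ["198-51-100-7.hosting.example"],
}


def table_resolver(name, rtype):
    """Offline resolver: (name, record type) -> list of answers, [] if unknown."""
    return DNS.get((name, rtype), [])


def ptr_domain(ptr_name):
    """Reduce a PTR name to its parent domain, e.g.
    '64-28-184-164-rev.cernel.net' -> 'cernel.net'."""
    return ".".join(ptr_name.split(".")[-2:])


def pivot(domain, resolve=table_resolver):
    """Walk the domain's A, NS and MX records down to IPs and PTR names.
    Returns one record per (host, ip) pair, tagged with its role and /24."""
    hosts = {domain: "A"}
    for ns in resolve(domain, "NS"):
        hosts[ns] = "NS"
    for _priority, mx in resolve(domain, "MX"):
        hosts[mx] = "MX"
    records = []
    for host, role in hosts.items():
        for ip in resolve(host, "A"):
            ptrs = resolve(ip, "PTR")
            net = ipaddress.ip_network(ip + "/24", strict=False)
            records.append({"role": role, "host": host, "ip": ip,
                            "ptr": ptrs[0] if ptrs else None,
                            "net": str(net)})
    return records


def cluster(domains, resolve=table_resolver):
    """Group domains that share a /24 or a reverse-DNS parent domain.
    Any shared key merges the domains into one cluster (transitively)."""
    key_to_domains = defaultdict(set)
    for domain in domains:
        for rec in pivot(domain, resolve):
            key_to_domains[("net", rec["net"])].add(domain)
            if rec["ptr"]:
                key_to_domains[("rdns", ptr_domain(rec["ptr"]))].add(domain)
    clusters = []
    for members in key_to_domains.values():
        merged = set(members)
        kept = []
        for existing in clusters:
            if existing & merged:
                merged |= existing   # overlap: absorb the existing cluster
            else:
                kept.append(existing)
        kept.append(merged)
        clusters = kept
    return sorted(sorted(c) for c in clusters)


if __name__ == "__main__":
    for rec in pivot("codecdemo.com"):
        print(f'{rec["role"]:3} {rec["host"]:22} {rec["ip"]:15} '
              f'{rec["net"]:16} {rec["ptr"]}')
    for group in cluster(["codecdemo.com", "codec-mirror.example",
                          "video-plugin.example"]):
        print("cluster:", ", ".join(group))
```

To run this against live DNS, pass a `resolve(name, rtype)` function with the same shape (for example one built on dnspython's `dns.resolver.resolve`, returning MX answers as `(preference, exchange)` tuples); the clustering logic does not change. Keying on the /24 and the PTR parent is deliberately coarse: it is a triage signal for finding sibling fake-codec domains on the same hosting, not proof of common ownership.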