OSX.Bella trojan discovered installing backdoors into Macs

Security researchers have discovered yet another nasty piece of Mac malware, closely related to the OSX.Dok trojan unmasked last week, that can bypass Apple’s Gatekeeper feature.
The new malware, dubbed OSX.Bella, was discovered by Malwarebytes researcher Adam Thomas. It arrives the same way OSX.Dok does, as a signed app masquerading as a document, but once it is opened it behaves completely differently: rather than OSX.Dok’s payload, it installs an open-source Python backdoor named Bella, and the script it runs is just as damaging.
OSX.Bella
This variant also copies itself to /Users/Shared/AppStore.app and displays an alert claiming the app is damaged. But where OSX.Dok renders your Mac unusable with a fake full-screen update prompt that forces you to hand over your admin password, OSX.Bella simply closes and deletes itself after a minute or so.
While the malware doesn’t look insidious from the outside, the Python script it runs behind the scenes has some frightening capabilities. Researchers found the Bella script can read iMessage transcripts, pull device locations from Find My iPhone, phish for passwords, capture audio from the microphone and video from the FaceTime camera, and take screenshots.
OSX.Bella could be crippling to businesses: the trojan can exfiltrate large amounts of company data, including passwords, code signing certificates and device locations.
The good news is that the code signing certificate used for OSX.Bella has already been revoked, so Gatekeeper will now refuse to open it on a Mac with default settings. Revocation only blocks new launches, though; it does nothing for a Mac that was infected before the certificate was pulled. If you opened a suspicious document-like attachment recently, Malwarebytes recommends changing all your passwords.
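A quick post-incident check for the two concrete facts this article gives, as an added example that is not part of the Malwarebytes write-up or of this page: look for the /Users/Shared/AppStore.app copy the malware drops, and, on a Mac, ask Gatekeeper whether it would still accept that bundle now that the certificate is revoked. The `ROOT` prefix (for scanning a mounted image instead of the live system) and the `--scan` flag are conventions of this script, not anything the malware or macOS defines. Because the dropper deletes itself, a clean result here does not prove a Mac was never infected.

```shell
#!/bin/sh
# Added example, not code from the article or from Malwarebytes.
# Checks for the on-disk artifact the article names and, where spctl
# exists (macOS), reports Gatekeeper's current verdict on it.

# The only artifact path the article gives.
BELLA_ARTIFACT="/Users/Shared/AppStore.app"

# find_bella_artifacts ROOT
# ROOT is an optional prefix (e.g. a mounted disk image); "" means the
# live system. Prints each artifact found and returns 0 if any was found,
# 1 otherwise, so it can be used directly in an `if`.
find_bella_artifacts() {
    root="$1"
    path="${root}${BELLA_ARTIFACT}"
    if [ -e "$path" ]; then
        echo "$path"
        return 0
    fi
    return 1
}

# assess_bundle PATH
# On macOS, spctl reports whether Gatekeeper would allow PATH to run.
# After the certificate revocation described above the expected verdict
# is "rejected". Elsewhere the check is skipped rather than faked.
assess_bundle() {
    if command -v spctl >/dev/null 2>&1; then
        spctl --assess --type execute -v "$1" 2>&1
    else
        echo "spctl not available on this system; skipping Gatekeeper check"
    fi
}

# Stand-alone use: `sh check_bella.sh --scan [ROOT]`
if [ "${1:-}" = "--scan" ]; then
    if find_bella_artifacts "${2:-}"; then
        assess_bundle "${2:-}${BELLA_ARTIFACT}"
        echo "Artifact present: treat the machine as compromised and rotate credentials."
    else
        echo "No known OSX.Bella artifact found (absence is not proof of a clean system)."
    fi
fi
```

The script deliberately reports a hit as "treat as compromised" rather than deleting anything: the bundle is evidence, and the passwords and certificates it may already have exfiltrated are the real problem, which is why the article's advice to change passwords still applies.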