The bad actors figured out that to humans, a URL in English characters ‘aaa.com‘ looks the same as ‘aaa.com‘ in Greek characters but computers recognize these as different and will take you to two different websites depending on which you choose.
In 2001, this became known as the internationalized domain name (IDN) homograph attack. Most browsers now have defenses against such attacks, and while there are some creative folks still finding new ways to exploit UNICODE attacks in browsers, it looks like some have moved onto creative file-based attacks.
To make life easier for users, operating systems (OSes) allow users to double-click on a file through the GUI and take it from there. If the file is a document, the appropriate application runs and the requested file is opened. If the file is an application, the OS runs the program. Windows operating systems simply look at the file extension to determine the file type. MacOS is more diligent after a series of cyber attacks in 2009 when bad actors renamed applications to have document file extensions getting through the security controls at the time.
In response, Apple implemented “File Quarantine” in a number of applications that download files from the Internet. Think: Safari, Messages, iChat, and mail. To identify applications, MacOS looks at the file extension, but also looks at the internal structure of files with known document extensions to determine if it is a renamed application. If it appears to be an application, the user receives a warning that the file is “an application downloaded from the Internet” and given the option to avoid opening it.
“The HiddenLotus dropper is a folder with the proper internal bundle structure to be an application, and it uses an extension of .pdf, where the ‘d’ is a Roman numeral, not a letter. Although this extension looks exactly the same as the one used for Adobe Acrobat files, it’s completely different, and there are no applications registered to handle that extension. Thus, the system will fall back on the bundle structure, treating the folder as an application, even though it does not have a telltale .app extension.” reads the analysis published by MalwareBytes.
“There is nothing particularly special about this .pdf extension (using a Roman numeral ‘d’) except that it is not already in use. Any other extension that is not in use will work just as well”