
OSX.Slordu


First posted on 08 September 2014.
Source: Symantec

Aliases :

There are no other names known for OSX.Slordu.

Explanation :

When the Trojan is executed, it registers itself as a LaunchAgent so that it starts automatically each time the user logs in.

It copies itself to the following locations:
$HOME/Library/LaunchAgents/clipboardd
/Library/Logs/clipboardd
The Trojan then creates the following files:
$HOME/.fontset/pxupdate.ini
$HOME/.fontset/chkdiska.dat
$HOME/.fontset/chkdiskc.dat
$HOME/com.apple.service.clipboardd.plist
$HOME/Library/Logs/BackupData/[DATE]_keys.log
Next, the Trojan connects to the following IP address through TCP port 8000:
61.128.110.38

The Trojan then opens a back door on the compromised computer, allowing an attacker to perform the following actions:
Create a remote shell
Update the configuration
Traverse file systems
Download files
Create new processes
Capture screenshots
Log keystrokes
The Trojan then gathers the following information and sends it to a remote location:
Operating system name and version
Host name
User name
Captured screenshots
Logged keystrokes
Home folder path
List of installed applications
The Trojan may also steal files with the following extensions from the desktop and Documents folder:
.pdf
.doc
.docx
.ppt
.pptx
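The indicators above translate directly into a host triage check. The script below is an added example written for this page, not Symantec's or the page's own code: it checks a home directory for the listed file artifacts, checks for the system-wide log path, and filters netstat or lsof output for the 61.128.110.38 port 8000 endpoint. It assumes the keystroke-log file name ends in _keys.log (the page gives only a [DATE] placeholder for the prefix), that paths are read relative to a home directory and root you supply (so it can be pointed at a mounted image), and that connection output is piped in rather than captured by the script itself.

```shell
#!/bin/bash
# Added triage helper for the OSX.Slordu indicators listed above. This is
# not Symantec's or the page's own code. Assumptions: file paths are checked
# relative to a home directory and a root you pass in; the keystroke log is
# matched with *_keys.log because the write-up gives only a [DATE]
# placeholder for its prefix; the connection check reads netstat/lsof-style
# text on stdin rather than invoking either tool itself.

SLORDU_C2_IP='61.128.110.38'
SLORDU_C2_PORT='8000'

# Print each Slordu per-user artifact found under the given home directory,
# one per line. Returns 0 if at least one was found, 1 if none.
slordu_scan_home() {
    local home="$1" found=0 p f
    for p in \
        "$home/Library/LaunchAgents/clipboardd" \
        "$home/.fontset/pxupdate.ini" \
        "$home/.fontset/chkdiska.dat" \
        "$home/.fontset/chkdiskc.dat" \
        "$home/com.apple.service.clipboardd.plist"
    do
        if [ -e "$p" ]; then
            printf '%s\n' "$p"
            found=1
        fi
    done
    # $HOME/Library/Logs/BackupData/[DATE]_keys.log: match any date prefix.
    for f in "$home"/Library/Logs/BackupData/*_keys.log; do
        if [ -e "$f" ]; then
            printf '%s\n' "$f"
            found=1
        fi
    done
    [ "$found" -eq 1 ]
}

# Print the system-wide Slordu artifact if it exists under the given root
# (use "/" for the live system). Returns 0 if found, 1 if not.
slordu_scan_root() {
    local root="${1%/}"
    if [ -e "$root/Library/Logs/clipboardd" ]; then
        printf '%s\n' "$root/Library/Logs/clipboardd"
        return 0
    fi
    return 1
}

# Filter netstat/lsof-style text on stdin down to lines that reference the
# C2 endpoint. macOS netstat writes the port after a dot
# (61.128.110.38.8000), lsof -i after a colon (61.128.110.38:8000); both
# forms are matched, and the port must end there so 80000 does not match.
# Returns grep's status: 0 if any line matched, 1 if none.
slordu_scan_connections() {
    local ip_re
    ip_re="$(printf '%s' "$SLORDU_C2_IP" | sed 's/\./\\./g')"
    grep -E "${ip_re}[.:]${SLORDU_C2_PORT}([^0-9]|\$)"
}

# Run all three checks against the live host when invoked with --run.
if [ "${1:-}" = "--run" ]; then
    slordu_scan_home "$HOME" || echo "no OSX.Slordu file artifacts under $HOME"
    slordu_scan_root / || echo "no /Library/Logs/clipboardd present"
    netstat -an 2>/dev/null | slordu_scan_connections \
        || echo "no connection to $SLORDU_C2_IP port $SLORDU_C2_PORT in netstat output"
fi
```

Run it on the host with --run, or point slordu_scan_home at the Users directory of a mounted disk image. The file artifacts are the stronger signal; a single IP address and port are weak evidence long after a write-up, since addresses get reassigned, so a connection hit should be confirmed against the file and LaunchAgent indicators.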

Last update 08 September 2014