OSX.Backloader
First posted on 04 July 2015.
Source: Symantec
Aliases:
There are no other names known for OSX.Backloader.
Explanation:
The Trojan may arrive on the compromised computer after being dropped by OSX.Dropper.
The Trojan creates the following file:
/Users/Shared/dufh
The Trojan checks the following location to determine if there is an internet connection.
http://www.google.com
Note: The Trojan sleeps until it determines that there is a connection to the internet.
The Trojan opens a back door on the compromised computer, and connects to the following location:
185.10.58.170
The Trojan sends an encrypted message to the remote location using the following format:
id=[PLATFORM UUID]&mac=[STRING CONTAINING OPERATING SYSTEM VERSION, OPERATING SYSTEM NAME, USER NAME, USE OF PROXIES, AND PROCESS LIST]
Note: [PROCESS LIST] is based on the output received from running "ps aux" on the shell.
The Trojan attempts to download a configuration file from the remote location.
The Trojan receives commands from the remote location to execute on a shell.
The Trojan may perform the following actions:
Download files
Change access permissions on downloaded files to 755
Execute downloaded files
Last update 04 July 2015
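As an added example that is not part of the Symantec write-up, the following Python script checks constructed host telemetry for the indicators listed above: the dropped file path, sockets to the back door address, and the shape of the id=...&mac=... beacon. The netstat line format, the UUID check on the id field, the field separator inside the mac value and all sample data are assumptions; the page does not document the beacon encryption, so parse_beacon expects text that has already been decrypted.

```python
"""Host triage for the OSX.Backloader indicators described on this page.

Added example, not Symantec's code. All sample telemetry below is constructed.
"""
import re

DROPPED_FILE = "/Users/Shared/dufh"   # file created by the Trojan
C2_ADDRESS = "185.10.58.170"           # address the back door connects to

# Assumption: macOS `netstat -an` style lines, where addresses are host.port
# (e.g. 185.10.58.170.443) and the columns are proto, recv-q, send-q,
# local address, foreign address, state.
NETSTAT_RE = re.compile(r"^(tcp\S*)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)")

# Assumption: the platform UUID is sent in its canonical 8-4-4-4-12 hex form.
UUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")


def find_dropped_file(paths):
    """Return the indicator paths present in a list of file paths."""
    return sorted(p for p in set(paths) if p == DROPPED_FILE)


def c2_connections(netstat_lines):
    """Return (local address, remote port, state) for every TCP socket
    whose foreign host is the C2 address."""
    hits = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # UDP, headers, or lines in another format
        local, foreign, state = m.group(2), m.group(3), m.group(4)
        host, _, port = foreign.rpartition(".")  # split host.port
        if host == C2_ADDRESS:
            hits.append((local, port, state))
    return hits


def parse_beacon(plaintext):
    """Split a decrypted beacon of the form id=<UUID>&mac=<host info>
    into its fields and check whether the id looks like a platform UUID.
    The mac value is kept verbatim; its internal layout is not documented."""
    fields = {}
    for pair in plaintext.split("&"):
        key, _, value = pair.partition("=")
        fields[key] = value
    ident = fields.get("id", "")
    return {
        "id": ident,
        "id_is_uuid": bool(UUID_RE.match(ident)),
        "mac": fields.get("mac", ""),
    }


def triage(paths, netstat_lines):
    """Combine the file and network checks into a single verdict."""
    files = find_dropped_file(paths)
    conns = c2_connections(netstat_lines)
    return {
        "dropped_file": files,
        "c2_connections": conns,
        "suspicious": bool(files or conns),
    }


# Constructed sample telemetry (not real captures).
SAMPLE_PATHS = [
    "/Users/Shared/dufh",
    "/Users/Shared/.localized",
    "/Applications/Safari.app",
]
SAMPLE_NETSTAT = [
    "tcp4       0      0  10.0.0.5.49312         185.10.58.170.443      ESTABLISHED",
    "tcp4       0      0  10.0.0.5.49313         172.217.16.4.80        ESTABLISHED",
    "udp4       0      0  *.5353                 *.*                               ",
]
# Constructed beacon; the '|' separators inside the mac value are an assumption.
SAMPLE_BEACON = (
    "id=564D6F5B-1A2B-3C4D-5E6F-70819AB3C4D5"
    "&mac=Mac OS X 10.10.3|Mac OS X|alice|noproxy|ps aux output"
)

if __name__ == "__main__":
    print(triage(SAMPLE_PATHS, SAMPLE_NETSTAT))
    print(parse_beacon(SAMPLE_BEACON))
```

On a live host the inputs would come from a file listing of /Users/Shared and from `netstat -an`; only the foreign host is compared, so a connection on any port to 185.10.58.170 is reported.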