OSX_MACKONTROL.A
Backdoor:MacOS/Longage.A (Microsoft), OSX.MaControl (Symantec), Backdoor.OSX.MaControl.b (Kaspersky)
Mac OS X
Threat Type: Backdoor
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This malware is noteworthy due to its involvement in targeted attacks against organizations.
To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It runs certain commands that it receives remotely from a malicious user. Doing this puts the affected computer and information found on the computer at greater risk.
It deletes the initially executed copy of itself.
TECHNICAL DETAILS
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This backdoor drops the following copies of itself into the affected system:
- /Library/launched
Autostart Technique
This backdoor drops the following files:
- /Users/{user name}/Library/LaunchAgents/com.apple.FolderActionsxl.plist
Backdoor Routine
This backdoor executes the following command(s) from a remote malicious user:
- Delete a file
- Download and execute a file from the C&C server
- Enumerate files
- Enumerate processes
- Execute a file
- Uninstall itself
- Send a file to the C&C server
- Send OS Version, user name, computer name
- Start a remote /bin/sh
- Terminate itself
- Terminate a process
- Delete /Users/{user name}/Library/LaunchAgents/com.apple.FolderActionsxl.plist
- Delete /Library/launched
It connects to the following URL(s) to send and receive commands from a remote malicious user:
- {BLOCKED}.{BLOCKED}.77.16:8000
Other Details
This backdoor deletes the initially executed copy of itself
SOLUTION
Step 1
Search and delete this file
- /Users/{user name}/Library/LaunchAgents/com.apple.FolderActionsxl.plist
Step 2
Scan your computer with your Trend Micro product to delete files detected as OSX_MACKONTROL.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.