OSX_MORCUT.A
Mac OS X
Threat Type: Backdoor
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This malware uses new technique for its data stealing routine which is utilizing the audio functionality of Mac. It also uses kernel extension as its rootkit component.
To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It runs certain commands that it receives remotely from a malicious user. Doing this puts the affected computer and information found on the computer at greater risk.
TECHNICAL DETAILS
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This backdoor creates the following folders:
- /Library/ScriptingAdditions/appleHID (if running as root)
- /Users/{user name}/Library/ScriptingAdditions/appleHID (if not running as root)
Autostart Technique
This backdoor drops the following files:
- /Library/LaunchAgents/com.apple.mdworker.plist (if running as root)
- /Users/{user name}/Library/LaunchAgents/com.apple.mdworker.plist (if not running as root)
Backdoor Routine
This backdoor executes the following command(s) from a remote malicious user:
- Download a file
- Execute a command using /bin/sh
- Record audio
- Scan for network connections
- Search a file
- Uninstall itself
- Upload a file
NOTES:
This backdoor drops the following kernel extensions:
- /Library/ScriptingAdditions/appleHID/Contents/Resources/{random file name}.kext/Contents/MacOS/{random file name} (if running as root)
- /Users/{user name}/Library/ScriptingAdditions/appleHID/Contents/Resources/{random file name}.kext/Contents/MacOS/{random file name} (if not running as root)
The dropped kernel extension is also detected by Trend Micro as OSX_MORCUT.A. It is used by this malware to hide its created folders and its process.
This backdoor runs on the following OS X platforms:
- 10.5 (Leopard)
- 10.6 (Snow Leopard)
- 10.7 (Lion)
SOLUTION
NOTES:
AUTOMATIC REMOVAL INSTRUCTIONS
To automatically remove this malware from your system, use Trend Micro's special fixtool. Download, extract, and run the said fixtool in the same folder where your latest Trend Micro pattern file is located. For more details, refer to the fixtool's incorporated text file.
MANUAL REMOVAL INSTRUCTIONS
Step 1
Delete files dropped by this malware. To delete the autostart file, open a Terminal window and type the following command:
"rm /Library/LaunchAgents/com.apple.mdworker.plist"
"rm /Users/{user name}/Library/LaunchAgents/com.apple.mdworker.plis"
Step 2
Restart your computer.
Step 3
Deleting the malware folder. To delete the malware folder, navigate to the following folders in Finder:
- /Library/ScriptingAdditions/appleHID
- /Users/{user name}/Library/ScriptingAdditions/appleHID
Drag each folder to the Trash. Empty the Trash.
Step 4
Scan your computer with your Trend Micro product to delete files detected as OSX_MORCUT.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.