Analysis by: Christopher Daniel So

 PLATFORM:

Mac OS X

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet

This malware uses new technique for its data stealing routine which is utilizing the audio functionality of Mac. It also uses kernel extension as its rootkit component.

To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It runs certain commands that it receives remotely from a malicious user. Doing this puts the affected computer and information found on the computer at greater risk.

  TECHNICAL DETAILS

File Size: Varies
File Type: Mach-O
Memory Resident: Yes
Initial Samples Received Date: 25 Jul 2012

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor creates the following folders:

  • /Library/ScriptingAdditions/appleHID (if running as root)
  • /Users/{user name}/Library/ScriptingAdditions/appleHID (if not running as root)

Autostart Technique

This backdoor drops the following files:

  • /Library/LaunchAgents/com.apple.mdworker.plist (if running as root)
  • /Users/{user name}/Library/LaunchAgents/com.apple.mdworker.plist (if not running as root)

Backdoor Routine

This backdoor executes the following command(s) from a remote malicious user:

  • Download a file
  • Execute a command using /bin/sh
  • Record audio
  • Scan for network connections
  • Search a file
  • Uninstall itself
  • Upload a file

NOTES:

This backdoor drops the following kernel extensions:

  • /Library/ScriptingAdditions/appleHID/Contents/Resources/{random file name}.kext/Contents/MacOS/{random file name} (if running as root)
  • /Users/{user name}/Library/ScriptingAdditions/appleHID/Contents/Resources/{random file name}.kext/Contents/MacOS/{random file name} (if not running as root)

The dropped kernel extension is also detected by Trend Micro as OSX_MORCUT.A. It is used by this malware to hide its created folders and its process.

This backdoor runs on the following OS X platforms:

  • 10.5 (Leopard)
  • 10.6 (Snow Leopard)
  • 10.7 (Lion)

  SOLUTION

Minimum Scan Engine: 9.200
VSAPI OPR PATTERN File: 9.285.00
VSAPI OPR PATTERN Date: 26 Jul 2012

NOTES:

AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, use Trend Micro's special fixtool. Download, extract, and run the said fixtool in the same folder where your latest Trend Micro pattern file is located. For more details, refer to the fixtool's incorporated text file.

MANUAL REMOVAL INSTRUCTIONS

Step 1

Delete files dropped by this malware. To delete the autostart file, open a Terminal window and type the following command:

"rm /Library/LaunchAgents/com.apple.mdworker.plist"

"rm /Users/{user name}/Library/LaunchAgents/com.apple.mdworker.plis"

Step 2

Restart your computer.

Step 3

Deleting the malware folder. To delete the malware folder, navigate to the following folders in Finder:

  • /Library/ScriptingAdditions/appleHID
  • /Users/{user name}/Library/ScriptingAdditions/appleHID

Drag each folder to the Trash. Empty the Trash.

Step 4

Scan your computer with your Trend Micro product to delete files detected as OSX_MORCUT.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.