Mac.Trojan.VSearch.4

Added to the Dr.Web virus database: 2016-02-24

Virus description added:

SHA1 7e82a05a9854f979607b2f9427817bef4bca2dc1

A Trojan for OS X installed by Mac.Trojan.VSearch.2.

It includes the following components:


  • DemoUpdater.app
  • daemon_config.plist
  • install_updater.sh
  • preferences.plist
  • readme_upd.txt
  • st-up.sh
  • uninstall_updater.sh

During installation, the Trojan performs the following actions that are specified in the install_updater.sh script:

  1. Generates a random name for the Trojan and adds the “Upd” value to it (the result is referred to below as the appName value).
  2. Records the appName value in the “/Library/Preferences/com.common.plist” file under the name_upd key.
  3. Creates the “/Library/Preferences/com.appName.preferences.plist” file.
  4. Records the following parameters in this file:
    • dist_channel_id
    • machine_id
    • click_id
    • domain
  5. Copies an executable file to /Library/appName.
  6. Launches the Trojan’s executable file using the launchctl load command.
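
A host triage check for the artifacts that the install steps above leave behind, added here as an example and not part of the Dr.Web write-up: it follows the name_upd pointer in com.common.plist to the per-name preferences file and to the copy under /Library. The function name check_vsearch4 and its root parameter (for scanning a mounted image instead of the live system) are assumptions of this example.

```python
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# Keys the write-up says install_updater.sh records in the preferences file.
EXPECTED_KEYS = {"dist_channel_id", "machine_id", "click_id", "domain"}


def load_plist(path):
    """Return the parsed plist (XML or binary), or None if missing or unreadable."""
    try:
        with open(path, "rb") as fh:
            return plistlib.load(fh)
    except (OSError, ValueError, ExpatError):
        return None


def check_vsearch4(root="/"):
    """Look for the install artifacts under root (live system or mounted image)."""
    lib = Path(root) / "Library"
    findings = {"app_name": None, "prefs_keys": [], "executable": None,
                "suspicious": False}

    common = load_plist(lib / "Preferences" / "com.common.plist")
    app_name = common.get("name_upd") if isinstance(common, dict) else None
    # Reject non-strings and path components so the value cannot escape /Library.
    if (not isinstance(app_name, str) or not app_name
            or "/" in app_name or app_name in (".", "..")):
        return findings
    findings["app_name"] = app_name

    prefs = load_plist(lib / "Preferences" / f"com.{app_name}.preferences.plist")
    if isinstance(prefs, dict):
        findings["prefs_keys"] = sorted(EXPECTED_KEYS & prefs.keys())

    exe = lib / app_name
    if exe.exists():
        findings["executable"] = str(exe)

    # Flag only when the name pointer is corroborated by a second artifact.
    findings["suspicious"] = bool(findings["prefs_keys"] or findings["executable"])
    return findings


if __name__ == "__main__":
    import sys
    print(check_vsearch4(sys.argv[1] if len(sys.argv) > 1 else "/"))
```

A com.common.plist with a name_upd key but no matching preferences file or /Library entry is reported with its app_name and left unflagged, which may indicate a partial removal worth a manual look.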

At launch, the malicious program decrypts several parameters necessary for its operation. The Trojan then reads the /Library/Preferences/com.common.plist file to determine the location of a configuration file that contains additional parameters. Once the parameters are obtained, the Trojan generates a URL of the following form:

http://domain/pd/pi?id=machine_id&d=dist_channel_id&cl=click_id

In response, the malware receives a link that is used to download a script. The script is then executed in the system.

The Trojan re-downloads and executes the script every day. Mac.Trojan.VSearch.4 can generate several addresses to download a payload. In total, Doctor Web specialists registered 406 possible variants.

This script is used to download Mac.Trojan.VSearch.7 from the server and launch it. In addition, using this script, Mac.Trojan.VSearch.4 can set the Trovi server as the default search engine and download a search plug-in for Safari, Chrome, and Firefox. Dr.Web detects this plug-in as an unwanted application named Program.Mac.Unwanted.BrowserEnhancer.1.


Treatment recommendations


macOS

Run a full system scan using Dr.Web Antivirus for macOS.
