La mia libreria
La mia libreria

+ Aggiungi alla libreria

Supporto
Supporto 24/7 | Regole per contattare

Richieste

Profile

Mac.BackDoor.Systemd.1

Aggiunto al database dei virus Dr.Web: 2017-05-11

La descrizione è stata aggiunta:

SHA1:

  • 3cb1cfa072dbd28f02bd4a6162ba0a69f06f33f0

Trojan backdoor for macOS. Once launched, it sends the following string to the console:

This file is corrupted and connot be opened

It is executed as a daemon called systemd. In order to conceal its file, the Trojan marks it with flags uchg, schg and hidden. It can use the following arguments for the launch:

argumentvalue
ddaemon
rlaunch
uupdate

Then the Trojan creates file with SH commands and a PLIST file in order to register itself in the autorun.

#!/bin/sh
. /etc/rc.common
StartService (){
    ConsoleMessage "Start system Service"
    “File path" d
}
StopService (){
    return 0
}
RestartService (){
    return 0
}
RunService "$1"

A file with the following content is created:

{
    Description     = "Start systemd";
    Provides        = ("system");
    Requires        = ("Network");
    OrderPreference = "None";
}

Also a PLIST file is created:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
      <plist version="1.0">
      <dict>
               <key>Disabled</key>
               <false/>
               <key>UserName</key>
               <string>root</string>
               <key>Label</key>
               <string>
               com.appule.sysetmd
               </string>
               <key>KeepAlive</key>
               <dict>
                   <key>NetworkState</key>
                   <true/>
               </dict>
               <key>ProgramArguments</key>
                   <array>
                       <string>
                       File path
                       </string>
                       <string>d</string>
                  </array>
               <key>RunAtLoad</key>
               <true/>
               <key>StartInterval</key>
               <integer>5</integer>
      </dict>
      </plist>

The Trojan stores configuration information in its own file and encrypts it with the 3DES algorithm. Example of the decrypted configuration is as follows:

01 02 00 00-00 30 31 02-32 00 00 00-31 32 39 2E  ☺☻   01☻2   ***.
32 33 32 2E-31 39 35 2E-32 32 36 2C-34 33 2E 32  ***.***.226,**.2
34 37 2E 32-36 2E 33 37-2C 78 69 73-66 69 77 70  **.**.37,xis****
65 69 64 73-73 64 77 65-61 64 2E 63-6F 6D 03 05  *****wead.com♥♣
00 00 00 31-30 34 34 33-04 02 01 00-00 00 04 BC     10443♦☻☺   ♦╝
8E 12 99 9C-83 58 E6 0C-52 0C 3E DE-00 CA F2 0E  О↕ЩЬГXц♀R♀>▐ ╩Є♫
A4 1D ED 65-BF 47 3A CB-F9 26 3E B9-D9 3F 08 4C  д↔эe┐G:╦∙&>╣┘?◘L
57 E8 C4 F6-05 3D 27 98-74 29 5D 1C-A8 44 ED 87  Wш─Ў♣='Шt)]∟иDэЗ
F4 86 98 5F-4B A8 13 BA-5A FE 8F 90-FF C0 41 F0  ЇЖШ_Kи‼║Z■ПР └AЁ
CC D9 60 4D-F5 C3 42 29-19 88 95 72-10 64 6F 00  ╠┘`Mї├B)↓ИХr►do
22 8E 49 1C-28 CE DC AC-AA 1B 61 A3-97 2F 76 00  "ОI∟(╬▄мк←aгЧ/v
7E 1C ED 05-7D FC A3 96-A9 8A E4 57-6F 10 3A 2F  ~∟э♣}№гЦйКфWo►:/
56 3B EA EB-1E CE 41 93-61 B2 FC 09-10 30 4F 00  V;ъы▲╬AУa▓№○►0O
00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
00 00 00 00-00 00 00 00-00 00 00 00-01 00 01 05              ☺ ☺♣
10 00 00 00-62 31 65 31-35 64 38 61-36 63 36 34  ►   b1e15d8a6c64
34 39 30 33-08 80 00 00-00 82 76 EE-86 35 91 59  4903◘А   ВvюЖ5СY
EF 72 28 0F-6A AB 99 33-4B 18 22 3F-AA 66 69 78  яr(☼jлЩ3K↑"?кfix
79 25 65 5D-15 B5 00 7A-B8 5A 79 F6-CF E1 71 C3  y%e]§╡ z╕ZyЎ╧сq├
EB F9 D4 95-2E 2B E9 C8-C5 81 3E 65-FB 19 EA 79  ы∙╘Х.+щ╚┼Б>e√↓ъy
A1 38 B4 06-0B AF A5 02-6C 19 65 BA-5C 2C 51 BE  б8┤♠♂пе☻l↓e║\,Q╛
05 11 4C 8C-24 54 E5 2A-BC 4A 74 01-1C F3 51 6A  ♣◄LМ$Tх*╝Jt☺∟єQj
1D 91 2E A1-05 02 5C 58-AA 5F F2 C7-A3 F5 08 3D  ↔С.б♣☻\Xк_Є╟гї◘=
BE 3E 3C 8F-09 DB FE DD-B3 8C D5 9B-23 8B 11 AA  ╛><П○█■▌│М╒Ы#Л◄к
CA C5 48 8A-C7 A5 D1 F6-1B 00 00 00-00 00 00 07  ╩┼HК╟е╤Ў←      •

Depending on the Trojan configuration, it establishes a connection with the command and control server itself or waits for an incoming connection request. Once connected, the backdoor executes the commands it receives and periodically sends the following information to cybercriminals:

  • Name and version of the operating system;
  • User name;
  • Availability of root privileges;
  • MAC addresses of all available network interfaces;
  • IP addresses of all available network interfaces;
  • External IP address;
  • CPU type;
  • RAM amount;
  • Data about the malware version and its configuration.

Information, which is shared between the Trojan and the C&C server, is encrypted with the 3DES algorithm. The backdoor can execute the following commands:

commandParameterValue
0x200file manager execute commands of the file manager
1 - list dir (ls -la *) receive a list of the contents of a specified directory
2 - read fileread a file
3 - write filewrite to a file, it also can write data to a file for an update
4 - list file (ls -la file)get the contents of a file
5 - chmod/chown/renameexecute CHMOD, CHOWN and RENAME commands
6 - delete file delete a file
7 - mkdir create a directory
0x300 execute a command in the bash shell
0x400 update the Trojan
0x500 reinstall the Trojan
0x800 change the command and control server’s IP address
0x900 install a plug-in

News about the Trojan

Raccomandazioni per il ripristino del sistema


macOS

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number