Doctor Web specialists find new Mac backdoor
May 12, 2017
The Trojan backdoor has been added to the Dr.Web virus databases under the name Mac.BackDoor.Systemd.1. Once launched, it prints to the console a message containing a misprint ("This file is corrupted and connot be opened") and then re-launches itself in the background as a daemon named systemd, mimicking the name of the Linux init system on a platform that does not use it. In addition, Mac.BackDoor.Systemd.1 attempts to hide its file by setting file-system flags on it (on macOS, the hidden flag applied with chflags). It then writes a shell script and a launchd property list (.plist) to register itself for automatic launch at startup.
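The persistence mechanism described above (a launchd job under a generic system-sounding label, pointing at a hidden binary) is the kind of thing a responder checks for first. The following triage script is an added example, not Dr.Web code and not the malware's own plist: it parses launchd property lists and reports the traits that make a job look like malware persistence. The sample plists are constructed for the demo, and the path /Users/victim/.local/systemd is an assumed illustration.

```python
"""Triage launchd property lists for malware-style persistence.

Added example (not Dr.Web's or the malware's code). Checks a launchd job for:
  - a Label that mimics a system component that does not exist on macOS
  - a Program path outside the locations where installed daemons normally live
  - a hidden program file (dot-prefixed path component or the UF_HIDDEN flag
    that `chflags hidden` sets on macOS)
  - RunAtLoad + KeepAlive, i.e. start at login/boot and restart if killed
"""
import os
import plistlib
import stat
from typing import List, Optional

# Locations from which legitimately installed daemons are normally launched.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")

# "systemd" is the Linux init system; a launchd job using that label on macOS
# is mimicry. "kernel_task" is a real macOS process name with no launchd job.
MIMICRY_LABELS = ("systemd", "kernel_task")


def program_path(job: dict) -> Optional[str]:
    """Return the executable a launchd job runs: Program, else ProgramArguments[0]."""
    if "Program" in job:
        return str(job["Program"])
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else None


def is_hidden(path: str) -> bool:
    """True if any path component is dot-prefixed or the file carries UF_HIDDEN.

    st_flags only exists on BSD-derived systems such as macOS; on other
    platforms getattr() falls back to 0, so only the dot-prefix check applies.
    """
    if any(part.startswith(".") for part in path.split(os.sep) if part):
        return True
    try:
        st = os.lstat(path)
    except OSError:  # file removed, or path only exists on the infected host
        return False
    return bool(getattr(st, "st_flags", 0) & stat.UF_HIDDEN)


def assess_job(job: dict) -> List[str]:
    """Return the reasons a launchd job looks like persistence (empty if clean)."""
    reasons = []
    label = str(job.get("Label", "")).lower()
    if label in MIMICRY_LABELS:
        reasons.append(f"label '{label}' mimics a system component")
    path = program_path(job)
    if path is None:
        reasons.append("no Program/ProgramArguments key")
        return reasons
    if not path.startswith(TRUSTED_PREFIXES):
        reasons.append(f"program outside trusted locations: {path}")
    if is_hidden(path):
        reasons.append(f"program path is hidden: {path}")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive (auto-start and auto-restart)")
    return reasons


def assess_plist(data: bytes) -> List[str]:
    """Parse raw plist bytes (XML or binary) and assess the job it describes."""
    return assess_job(plistlib.loads(data))


# Constructed sample: what a dropped LaunchAgent for this backdoor could look like.
SAMPLE_MALICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>systemd</string>
  <key>ProgramArguments</key><array><string>/Users/victim/.local/systemd</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed sample of an ordinary vendor-installed job for comparison.
SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>Program</key><string>/usr/libexec/example-updater</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, data in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, assess_plist(data) or ["no findings"])
```

On a live system the same functions apply to every file under ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons; plistlib.loads handles both the XML and the binary plist encodings, so converting with plutil first is not needed.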
The Trojan stores an encrypted configuration inside its own executable file. This configuration determines whether Mac.BackDoor.Systemd.1 connects out to the command and control (C&C) server itself or instead listens for an incoming connection from the operators. Once a connection is established, the backdoor executes the commands it receives and periodically sends the following information to the cybercriminals:
- Name and version of the operating system;
- User name;
- Availability of root privileges;
- MAC addresses of all available network interfaces;
- IP addresses of all available network interfaces;
- External IP address;
- CPU type;
- RAM amount;
- Data about the malware version and its configuration.
The Trojan includes its own file manager, which lets the cybercriminals perform various operations on files and folders of the infected computer. The backdoor can execute the following commands:
- Receive a list of the contents of a specified directory;
- Read a file;
- Write to a file;
- Get the contents of a file;
- Delete a file or folder;
- Rename a file or folder;
- Change the privileges for a file or folder (chmod command);
- Change the owner of a file object (chown command);
- Create a folder;
- Execute a command in the bash shell;
- Update the Trojan;
- Reinstall the Trojan;
- Change the command and control server’s IP address;
- Install a plug-in.
Mac.BackDoor.Systemd.1 is successfully detected and removed by Dr.Web products for Mac, and, therefore, it poses no threat to our users.