May 12, 2017
The Trojan backdoor has been added to the Dr.Web virus databases under the name Mac.BackDoor.Systemd.1. Once launched, it prints to the console a message that contains a misprint—“This file is corrupted and connot be opened”—and restarts itself as a daemon called systemd. In addition, Mac.BackDoor.Systemd.1 attempts to hide its file by marking it with the appropriate flags. Then the Trojan creates a file using SH commands and a PLIST file in order to register itself in the autorun.
The Trojan stores encrypted information in its own file. This information determines whether Mac.BackDoor.Systemd.1 establishes a connection with the command and control server itself or waits for an incoming connection request. Once connected, the backdoor executes the commands it receives and periodically sends the following information to cybercriminals:
- Name and version of the operating system;
- User name;
- Availability of root privileges;
- MAC addresses of all available network interfaces;
- IP addresses of all available network interfaces;
- External IP address;
- CPU type;
- RAM amount;
- Data about the malware version and its configuration.
The Trojan has its own file manager, which allows cybercriminals to execute various actions with files and folders on the infected computer. The backdoor can execute the following commands:
- Receive a list of the contents of a specified directory;
- Read a file;
- Write to a file;
- Get the contents of a file;
- Delete a file or folder;
- Rename a file or folder;
- Change the privileges for a file or folder (chmod command);
- Change the owner of a file object (chown command);
- Create a folder;
- Execute a command in the bash shell;
- Update the Trojan;
- Reinstall the Trojan;
- Change the command and control server’s IP address;
- Install a plug-in.
Mac.BackDoor.Systemd.1 is successfully detected and removed by Dr.Web products for Mac, and, therefore, it poses no threat to our users.
Tell us what you think
You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.