
Doctor Web specialists find new Mac backdoor

May 12, 2017

Doctor Web security researchers have detected and examined a new Trojan for Apple macOS that executes commands issued by cybercriminals.

The Trojan backdoor has been added to the Dr.Web virus databases under the name Mac.BackDoor.Systemd.1. Once launched, it prints to the console a message containing a misprint, “This file is corrupted and connot be opened”, and restarts itself as a daemon named systemd (a name borrowed from the Linux init system, which has no legitimate counterpart on macOS, where launchd plays that role). Mac.BackDoor.Systemd.1 also attempts to conceal its executable by setting file-system flags that hide it. It then writes a shell script and a property list (.plist) file to register itself for automatic start.
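The persistence pattern described above (a launchd .plist that starts a hidden executable posing as a "systemd" daemon) suggests a simple triage for a Mac under investigation: parse every job definition in the LaunchAgents/LaunchDaemons directories, extract the program launchd would run, and flag names that belong to Linux rather than macOS, programs hidden by flag or dot-name, and programs living in user-writable scratch directories. The script below is an added example, not Doctor Web's code or the malware's; the label "systemd", the file names and the directory it builds are constructed sample data, the choice of "user-writable" prefixes is an assumption, and the UF_HIDDEN check only has effect on macOS/BSD where `st_flags` exists (elsewhere only the dot-file heuristic applies).

```python
#!/usr/bin/env python3
"""Triage launchd persistence entries for a job that starts a hidden executable
posing as a "systemd" daemon. Added example, not Doctor Web's or the malware's code."""
import os
import plistlib
import shutil
import stat
import tempfile

# "systemd" is the Linux init system; macOS uses launchd, so a job or program
# by that name has no legitimate reason to exist on a Mac.
FOREIGN_NAMES = {"systemd"}

# Assumption: a daemon living in a scratch or home directory rather than an
# application bundle, /usr or /Library deserves a second look.
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/",
                          os.path.expanduser("~") + "/")


def is_hidden(path):
    """True if the file is hidden by the BSD/macOS UF_HIDDEN flag or a dot-name.
    st_flags exists only on BSD-derived systems (macOS included); elsewhere the
    flag check is skipped and only the dot-name heuristic applies."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    flags = getattr(st, "st_flags", 0)
    return bool(flags & stat.UF_HIDDEN) or os.path.basename(path).startswith(".")


def program_of(job):
    """Return the executable launchd would run for a job dictionary, or None."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def triage_plist(path):
    """Parse one launchd .plist and return a list of findings (empty = clean)."""
    findings = []
    with open(path, "rb") as f:
        job = plistlib.load(f)
    label = str(job.get("Label", ""))
    program = program_of(job)
    base = os.path.basename(program).lstrip(".").lower() if program else ""
    if label.lower() in FOREIGN_NAMES or base in FOREIGN_NAMES:
        findings.append(f"label/program named like a Linux daemon: {label!r} -> {program!r}")
    if program:
        if is_hidden(program):
            findings.append(f"program is hidden (UF_HIDDEN flag or dot-file): {program}")
        if program.startswith(USER_WRITABLE_PREFIXES):
            findings.append(f"program lives in a user-writable directory: {program}")
    return findings


def scan_dir(directory):
    """Triage every .plist in a LaunchAgents/LaunchDaemons-style directory."""
    results = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            results[name] = triage_plist(os.path.join(directory, name))
    return results


def demo():
    """Build a constructed sample directory (not real malware) and triage it."""
    root = tempfile.mkdtemp(prefix="launchd_triage_")
    try:
        # Constructed suspicious job: label "systemd", hidden dot-file program.
        bad_exe = os.path.join(root, ".systemd")
        with open(bad_exe, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        if hasattr(os, "chflags"):            # macOS/BSD only: set the hidden flag too
            try:
                os.chflags(bad_exe, stat.UF_HIDDEN)
            except OSError:
                pass
        with open(os.path.join(root, "systemd.plist"), "wb") as f:
            plistlib.dump({"Label": "systemd",
                           "ProgramArguments": [bad_exe],
                           "RunAtLoad": True, "KeepAlive": True}, f)
        # Constructed benign job for comparison.
        with open(os.path.join(root, "com.example.updater.plist"), "wb") as f:
            plistlib.dump({"Label": "com.example.updater",
                           "Program": "/usr/bin/true",
                           "StartInterval": 3600}, f)
        return scan_dir(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for plist, findings in demo().items():
        print(plist, "->", findings or ["clean"])
```

On a live Mac, point `scan_dir` at /Library/LaunchDaemons, /Library/LaunchAgents and ~/Library/LaunchAgents; the UF_HIDDEN check is the one that catches a flag-hidden file whose name is not a dot-file, and `ls -lO` on macOS shows the same flag interactively.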

The Trojan carries encrypted configuration data inside its own executable. This configuration determines whether Mac.BackDoor.Systemd.1 connects out to the command and control server itself or waits for an incoming connection from the operators. Once a connection is established, the backdoor executes the commands it receives and periodically sends the following information to the cybercriminals:

  • Name and version of the operating system;
  • User name;
  • Availability of root privileges;
  • MAC addresses of all available network interfaces;
  • IP addresses of all available network interfaces;
  • External IP address;
  • CPU type;
  • RAM amount;
  • Data about the malware version and its configuration.

The Trojan has its own file manager, which allows cybercriminals to perform various actions on files and folders of the infected computer. The backdoor supports the following commands:

  • Receive a list of the contents of a specified directory;
  • Read a file;
  • Write to a file;
  • Get the contents of a file;
  • Delete a file or folder;
  • Rename a file or folder;
  • Change the permissions of a file or folder (chmod);
  • Change the owner of a file or folder (chown);
  • Create a folder;
  • Execute a command in the bash shell;
  • Update the Trojan;
  • Reinstall the Trojan;
  • Change the command and control server’s IP address;
  • Install a plug-in.

Mac.BackDoor.Systemd.1 is successfully detected and removed by Dr.Web products for Mac, and, therefore, it poses no threat to our users.


© Doctor Web
2003 — 2017