A Trojan for OS X designed to install other malicious and dangerous applications. It is distributed as a file with the .pkg extension.
The installer includes the following components:
The Plugins folder contains the Trojan, which reads the ID number of its distributor from the Plugins\Offers.bundle\Contents\Resources\dc.txt text file and sends a request to the C&C server to get a list of components to be installed.
Once the installer is launched, the user sees a standard greeting screen. When they click “Continue”, Mac.Trojan.VSearch.2 should display a list of components that the user can install in addition to the desired application; such a dialog normally lets the user choose the modules they want from the list. In practice, however, the installer skips this step and moves straight to the next stage, prompting the user to specify the installation folder. The Trojan then proceeds as if the user had checked all the offered components themselves.
Then the preinstall script is launched from the NicePlayer.pkg folder. This script checks whether the system is running in a virtual machine and sends a request to the server to obtain a script that installs the components. The downloaded script is saved as install_unit.sh.
The Trojan is currently known to install the following components using this script:
- Client Updater - Mac.Trojan.VSearch.4
- Trovi - Mac.Trojan.Conduit
- MacKeeper - Program.Mac.Unwanted.MacKeeper
- ZipCloud - Program.Mac.Unwanted.ZipCloud
- Nice Player – an application that the user initially intended to install
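For analysts triaging a suspect installer, the artifacts named above (the dc.txt distributor ID file under Plugins, the preinstall script, and the install_unit.sh file name) can be collected from an already unpacked installer directory. The following is an added example, not code from the original description; the function names, the forward-slash form of the path, the constructed sample layout and the placeholder ID are assumptions.

```python
import os
import tempfile

# Relative path of the distributor ID file as given in the description,
# written with the platform's path separator instead of backslashes.
DC_SUFFIX = os.path.join("Plugins", "Offers.bundle", "Contents", "Resources", "dc.txt")
DROPPED_SCRIPT = "install_unit.sh"  # name under which the fetched script is saved


def triage_unpacked_installer(root):
    """Walk an unpacked installer tree and collect the artifacts described above."""
    report = {"distributor_ids": [], "preinstall_scripts": [], "dropped_scripts": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if rel.endswith(DC_SUFFIX):
                # Record the distributor ID so related samples can be grouped.
                with open(path, "r", errors="replace") as fh:
                    report["distributor_ids"].append((rel, fh.read().strip()))
            elif name == "preinstall":
                with open(path, "rb") as fh:
                    body = fh.read()
                # Assumption: the script refers to its output file by literal name.
                report["preinstall_scripts"].append((rel, DROPPED_SCRIPT.encode() in body))
            elif name == DROPPED_SCRIPT:
                report["dropped_scripts"].append(rel)
    return report


def build_constructed_sample(root):
    """Create a constructed, harmless directory layout for the demonstration."""
    dc_path = os.path.join(root, DC_SUFFIX)
    os.makedirs(os.path.dirname(dc_path))
    with open(dc_path, "w") as fh:
        fh.write("EXAMPLE-ID-0000\n")  # placeholder, not a real distributor ID
    pkg_dir = os.path.join(root, "NicePlayer.pkg")
    os.makedirs(pkg_dir)
    with open(os.path.join(pkg_dir, "preinstall"), "w") as fh:
        fh.write("#!/bin/sh\n# constructed stand-in\nOUT=/tmp/install_unit.sh\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for key, value in triage_unpacked_installer(build_constructed_sample(tmp)).items():
            print(key, value)
```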