A Trojan for OS X installed by Mac.Trojan.VSearch.2.
It includes the following components:
During installation, the Trojan performs the following actions that are specified in the install_updater.sh script:
- Generates a random name for the Trojan and adds the “Upd” value to it (the result is referred to below as the appName value).
- Records the appName value into the “/Library/Preferences/com.common.plist” file using the name_upd key.
- Creates the “/Library/Preferences/com.appName.preferences.plist” file.
- Records the following parameters into this file:
- An executable file is copied to /Library/appName.
- The Trojan’s executable file is launched using the launchctl load command.
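The installation steps above leave a fixed set of artifacts (the name_upd key, the per-name preferences plist, the copy under /Library and a launchd job). The following triage check, an added example and not Dr. Web's code, looks for them under a given filesystem root; the root parameter, the launchd folder names and the sample fixture are assumptions made so it runs offline.

```python
# Added triage check, not part of the Dr.Web description. Paths and the name_upd
# key are from the text; root, the launchd folders and the fixture are assumptions.
import os
import plistlib
import tempfile

def _load_plist(path):
    try:
        with open(path, "rb") as fh:
            return plistlib.load(fh)  # handles XML and binary plists
    except (OSError, plistlib.InvalidFileException):
        return None

def find_vsearch_artifacts(root="/"):
    """Return the VSearch.4 artifacts present under root (empty dict if none)."""
    found = {}
    common = _load_plist(os.path.join(root, "Library/Preferences/com.common.plist"))
    app_name = (common or {}).get("name_upd")
    # appName is a random name with "Upd" added to it, per install_updater.sh
    if not isinstance(app_name, str) or "Upd" not in app_name:
        return found
    found["appName"] = app_name
    candidates = {"preferences": f"Library/Preferences/com.{app_name}.preferences.plist",
                  "executable": f"Library/{app_name}"}
    for key, rel in candidates.items():
        if os.path.exists(os.path.join(root, rel)):
            found[key] = os.path.join(root, rel)
    # launchctl load needs a job plist; report any whose program mentions appName
    for sub in ("Library/LaunchDaemons", "Library/LaunchAgents"):
        jobs_dir = os.path.join(root, sub)
        for name in (os.listdir(jobs_dir) if os.path.isdir(jobs_dir) else []):
            job = _load_plist(os.path.join(jobs_dir, name)) or {}
            fields = [job.get("Program", ""), *job.get("ProgramArguments", [])]
            if any(app_name in str(f) for f in fields):
                found.setdefault("launch_items", []).append(os.path.join(jobs_dir, name))
    return found

def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        plistlib.dump(data, fh) if isinstance(data, dict) else fh.write(data)

def build_sample_root(app_name="xk2q9Upd"):
    """Constructed fixture with the layout above; app_name and values are made up."""
    root = tempfile.mkdtemp()
    _write(f"{root}/Library/Preferences/com.common.plist", {"name_upd": app_name})
    _write(f"{root}/Library/Preferences/com.{app_name}.preferences.plist", {"k": "v"})
    _write(f"{root}/Library/{app_name}", b"\xcf\xfa\xed\xfe")  # placeholder, not a binary
    _write(f"{root}/Library/LaunchDaemons/com.{app_name}.plist",
           {"Label": f"com.{app_name}", "ProgramArguments": [f"/Library/{app_name}"]})
    return root
```

On a live system call `find_vsearch_artifacts()` with the default root; the fixture exists only so the check can be exercised without an infected machine.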
At launch, the malicious program decrypts several parameters necessary for its operation. The Trojan then reads the /Library/Preferences/com.common.plist file to determine the location of a configuration file that contains additional parameters. Once the parameters are obtained, the Trojan generates a URL that looks as follows:
In return, the malware program receives a link that is used to download a script. The script is then executed in the system.
The Trojan re-downloads and executes the script every day. Mac.Trojan.VSearch.4 can generate several addresses to download a payload. In total, Doctor Web specialists registered 406 possible variants.
This script is used to download Mac.Trojan.VSearch.7 from the server and launch it. In addition, using this script, Mac.Trojan.VSearch.4 can set the Trovi server as the default search engine and download a search plug-in for Safari, Chrome, and Firefox. Dr. Web detects this plug-in as an unwanted application named Program.Mac.Unwanted.BrowserEnhancer.1.