This malware may be downloaded unknowingly by a user when visiting malicious websites. The site encourages users to download software that is supposedly needed to play a video hosted on it.
It arrives as ActiveXsetup.dmg, a Mac OS X mountable disk image. The image contains a .PKG installer package that holds the malicious scripts and the component files.
Two of these files are the following identical malicious scripts, which are detected by Trend Micro as UNIX_JAHLAV.B:
When the .DMG file is opened and its installer is run, it displays the following installation window, entitled MacCinema:
Once installation is finished, the following files are added on the system:
- /Library/Internet Plug-Ins/AdobeFlash
- /Library/Internet Plug-Ins/Mozillaplug.plugin
While the installer is running, the malware executes in the background the malicious scripts Install.pkg/Contents/Resources/preinstall and Install.pkg/Contents/Resources/preupgrade.
These scripts are obfuscated with sed commands and uuencode; once decoded, they contain the following:
This script copies itself to /Library/Internet Plug-Ins/AdobeFlash and then creates a cron job that runs the copy every 5 minutes.
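The following is an added triage script, not code from the Trend Micro analysis or from the malware, that checks a Mac OS X host for the indicators described above: the two files dropped under /Library/Internet Plug-Ins and a cron entry that runs the AdobeFlash copy. The "*/5" minute field it flags is an assumption about how the 5-minute schedule is spelled, since the analysis does not quote the crontab entry; the sample listing and crontab at the end are constructed, not captured from an infected machine.

```sh
#!/bin/sh
# Added triage example; not code from the Trend Micro write-up or from the
# malware itself. It checks for the two indicators the analysis describes:
# the dropped plug-in files and the cron job that re-runs the AdobeFlash
# script. The sample inputs at the bottom are constructed for an offline run.

PLUGIN_DIR="/Library/Internet Plug-Ins"
# Dropped files named in the analysis.
DROPPED_FILES="AdobeFlash Mozillaplug.plugin"

# jahlav_file_hits LISTING
#   LISTING is the newline-separated contents of /Library/Internet Plug-Ins
#   (as printed by `ls -1`). Reports each indicator file on stderr and
#   prints the number of hits on stdout.
jahlav_file_hits() {
    n=0
    for f in $DROPPED_FILES; do
        if printf '%s\n' "$1" | grep -qxF -- "$f"; then
            echo "FOUND: $PLUGIN_DIR/$f" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# jahlav_cron_hits CRONTAB
#   CRONTAB is the text of a crontab. Active (non-comment) entries that run
#   anything out of the plug-in directory are reported on stderr; the count
#   is printed on stdout. The analysis says the job fires every 5 minutes;
#   a "*/5" minute field is one way to write that (an assumption, the entry
#   itself is not quoted), so such entries are labelled explicitly.
jahlav_cron_hits() {
    hits=$(printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -F -- "$PLUGIN_DIR" || true)
    if [ -z "$hits" ]; then
        echo 0
        return 0
    fi
    n=$(printf '%s\n' "$hits" | wc -l | tr -d ' ')
    printf '%s\n' "$hits" | while IFS= read -r line; do
        case "$line" in
            '*/5'[[:space:]]*) echo "CRON (every 5 min): $line" >&2 ;;
            *)                 echo "CRON: $line" >&2 ;;
        esac
    done
    echo "$n"
}

# jahlav_triage_host
#   Runs both checks on the current machine. Only the calling user's crontab
#   is read unless run as root; on Mac OS X the installed crontabs live under
#   /var/at/tabs (readable only by root).
jahlav_triage_host() {
    listing=$(ls -1 "$PLUGIN_DIR" 2>/dev/null || true)
    tabs=$( { crontab -l 2>/dev/null; cat /var/at/tabs/* 2>/dev/null; } || true)
    jahlav_file_hits "$listing" >/dev/null
    jahlav_cron_hits "$tabs" >/dev/null
}

# Constructed sample inputs (not real captures) for an offline run.
SAMPLE_LISTING='AdobeFlash
Mozillaplug.plugin
QuickTime Plugin.plugin'
SAMPLE_CRONTAB='# m h dom mon dow command
*/5 * * * * "/Library/Internet Plug-Ins/AdobeFlash" >/dev/null 2>&1
0 3 * * * /usr/bin/periodic daily'

# Offline demonstration on the constructed samples: prints
# "dropped files: 2, cron entries: 1".
jahlav_demo() {
    files=$(jahlav_file_hits "$SAMPLE_LISTING")
    crons=$(jahlav_cron_hits "$SAMPLE_CRONTAB")
    echo "dropped files: $files, cron entries: $crons"
}

jahlav_demo
```

On a live host, call jahlav_triage_host instead of jahlav_demo. To look at the dropped script itself, copy the uuencoded payload out of preinstall (or out of the AdobeFlash file) and run it through uudecode, as the analysis describes; the decoded text is what contains the cron installation and the further obfuscated layer.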
It also contains another obfuscated script:
That script in turn contains yet another script, which is detected as PERL_JAHLAV.B:
This Perl script sends an HTTP GET request to the following IP address to download another malicious Perl script:
However, the site was inaccessible as of this writing.
This malware runs on Mac OS X.
Analysis By: Karl Dominguez