This Trojan may be downloaded from the following remote site(s):
It may be downloaded unknowingly by a user when visiting malicious Web site(s).
It arrives as .DMG file, which is a MAC OS X mountable disk image file. It contains a .PKG file which contains component files that may have the following names:
- Preinstall - also detected as OSX_RSPLUG.E
- Preupgrade - also detected as OSX_RSPLUG.E
Once this installer is executed, it displays the following graphical user interface installation window:
After installation, the following files can be found present on the affected system:
- /Library/Internet Plug-Ins/Mozillaplug.plugin
- /Library/Internet Plug-Ins/AdobeFlash
Note that while the installation is in progress, in the background, this malware executes the following scripts:
These scripts are found to be obfuscated by the SED command and UUEncoded. If decrypted, the code contains the following:
The said script copies itself into the /Library/Internet Plug-Ins/AdobeFlash folder and then creates a cron job that enables the malware to execute periodically every five minutes.
It also contains a chain of scripts that is embedded on itself. Below is a screenshot of this script:
Below is a screenshot of a PERL script that sends a HTTP GET request to download another PERL script.
The script is saved as the following:
Trend Micro already detects as OSX_DNSCHNGR.E.
This PERL script is also found to contain obfuscated data using UUEncode and SED. The following screenshot shows the codes when decrypted:
Once executed, this script connects to the following IP addresses as a DNS primary server using the SCUTIL GET and SET commands:
As a result, users may be redirected to phishing sites or sites where other malware can be downloaded. Note that the IP addresses may change depending on the downloaded script.
It runs on Max OS X.
Analysis By: Karl Dominguez