OSX_SEADOOR.A
Platform: Mac OS X

Threat Type: Backdoor
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
Infection Channel: Downloaded from the Internet, Dropped by other malware
This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
File Size: 2,238,993 bytes
File Type: Mach-O
Memory Resident: Yes
Initial Samples Received Date: 20 Sep 2013
Payload: Displays graphics/image
Arrival Details
This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Backdoor Routine
This Backdoor connects to the following URL(s) to send to and receive commands from a remote malicious user:
- {BLOCKED}esmsc.sytes.net via port 7777
As of this writing, the said server is inaccessible.
NOTES:
It adds the following Property List (.plist) file so that it executes at system startup:
- /Users/{Current Username}/Library/LaunchAgent/UserEvent.System.plist
The said .plist file executes the following file and keeps it running in memory:
- /User/Shared/UserEvent.app/Contents/MacOS/UserEvent
Upon initial execution, it displays the following image:
SOLUTION
Minimum Scan Engine: 9.300
First VSAPI Pattern File: 10.290.02
First VSAPI Pattern Release Date: 20 Sep 2013
NOTES:
Restart in Safe Mode
- Restart your machine.
- Hold the Shift key before the Apple boot logo appears.
Deleting Malware File
To do this, locate and delete the following file in the /Users/Shared folder:
- UserEvent
Deleting Autostart .plist file
In the Terminal application, type the following, then press Enter:
- rm /Users/{Current Username}/Library/LaunchAgent/UserAgent.System.plist
(Note: The aforementioned path is case sensitive and may vary from system to system.)
Restart your machine normally.
Scan your computer with your Trend Micro product to delete files detected as OSX_SEADOOR.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
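Before working through the removal steps above, a responder usually wants to confirm which of the listed artifacts are actually present, and to check connection logs for the network indicator. The following POSIX shell script is an added example and is not Trend Micro's code. It is read-only: it reports the host paths named in this write-up that exist under a given filesystem root (the live system by default, or a mounted image), and it filters `lsof -i`-style lines for the C2 host and port. Because the write-up gives the LaunchAgent plist under two names (UserEvent.System.plist in the Notes, UserAgent.System.plist in the removal step) and the application under both /User/Shared and /Users/Shared, the script checks every spelling that appears on the page and assumes no others. The sample log lines are constructed, the `xxx` prefix stands in for the part of the hostname the report redacts as {BLOCKED}, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original write-up: read-only triage for the
# OSX_SEADOOR.A indicators listed above. Nothing here deletes anything; removal
# stays with the manual steps in the SOLUTION section.

# Emit the host artifact paths named in the write-up, one per line, for the
# given filesystem root and user name. Every spelling that appears on the page
# is included (UserEvent.System.plist / UserAgent.System.plist, /User/Shared /
# /Users/Shared); no other paths are assumed.
seadoor_paths() {
    sp_root=${1%/}   # "/" becomes "", so "/Users/..." stays absolute
    sp_user=$2
    cat <<EOF
$sp_root/Users/$sp_user/Library/LaunchAgent/UserEvent.System.plist
$sp_root/Users/$sp_user/Library/LaunchAgent/UserAgent.System.plist
$sp_root/User/Shared/UserEvent.app/Contents/MacOS/UserEvent
$sp_root/Users/Shared/UserEvent.app/Contents/MacOS/UserEvent
$sp_root/Users/Shared/UserEvent
EOF
}

# Print each listed path that actually exists under the root. Read-only.
seadoor_find_files() {
    seadoor_paths "$1" "$2" | while IFS= read -r p; do
        if [ -e "$p" ]; then
            printf '%s\n' "$p"
        fi
    done
}

# Return 0 when one connection-log line references the C2 host (the report
# redacts the prefix, so only the visible suffix esmsc.sytes.net is matched)
# together with port 7777, in the host:port form that lsof -i prints.
seadoor_match_c2() {
    case $1 in
        *esmsc.sytes.net:7777*) return 0 ;;
    esac
    return 1
}

# Filter stdin (e.g. the output of `lsof -i -P` on macOS, or a saved copy of it)
# down to the lines matching the network indicator.
seadoor_scan_log() {
    while IFS= read -r line; do
        if seadoor_match_c2 "$line"; then
            printf '%s\n' "$line"
        fi
    done
}

# Constructed sample lines in lsof -i style (not real captures). "xxx" stands
# in for the hostname prefix the report shows as {BLOCKED}.
SEADOOR_SAMPLE_LOG='UserEvent  4242 alice  5u  IPv4  TCP 10.0.0.5:51234->xxxesmsc.sytes.net:7777 (ESTABLISHED)
Safari      301 alice 12u  IPv4  TCP 10.0.0.5:51235->203.0.113.10:443 (ESTABLISHED)'

# Stand-alone use: sh seadoor_check.sh [ROOT] [USERNAME]
# Defaults to the live system and the current user.
found=$(seadoor_find_files "${1:-/}" "${2:-${USER:-$(id -un)}}")
if [ -n "$found" ]; then
    printf 'Host indicators present:\n%s\n' "$found"
else
    printf 'No listed host indicators found under %s\n' "${1:-/}"
fi
printf 'Sample connection lines matching the network indicator:\n'
printf '%s\n' "$SEADOOR_SAMPLE_LOG" | seadoor_scan_log
```

Run it against a mounted disk image with `sh seadoor_check.sh /Volumes/evidence alice` to triage offline, or pipe real `lsof -i -P` output through `seadoor_scan_log` on a live host. Any path it reports still has to be removed by hand using the steps above; the script deliberately stops at reporting.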