OSX_KITM.A

 Analysis by: Jaime Benigno Reyes

 ALIASES:

Backdoor:MacOS_X/Kitmos.A (Microsoft), OSX/Kitmos (McAfee), OSX.Kitmos (Symantec)

 PLATFORM:

Mac OS X

  • Threat Type: Backdoor

  • Destructiveness: No

  • In the wild: Yes

  OVERVIEW

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size:

471,232 bytes

Memory Resident:

No

Initial Samples Received Date:

17 May 2013

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following files:

  • /Users/{user name}/MacApp/{yy-MM-dd-HH:mm:ss}.png - screenshots

It creates the following folders:

  • /Users/{user name}/MacApp
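As an added triage aid (not part of this entry), the following Python classifies a listing of absolute paths against the two on-disk artifacts named above: the MacApp folder under a user's home and screenshot files named with the yy-MM-dd-HH:mm:ss scheme, recovering each screenshot's capture time for a timeline. The sample listing is constructed, and scan_live_system is an assumed convenience wrapper for a live Mac.

```python
import re
from datetime import datetime
from pathlib import Path, PurePosixPath

# Naming scheme from the report: /Users/{user name}/MacApp/{yy-MM-dd-HH:mm:ss}.png
SCREENSHOT_RE = re.compile(
    r"^/Users/(?P<user>[^/]+)/MacApp/"
    r"(?P<stamp>\d{2}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2})\.png$"
)
STAMP_FORMAT = "%y-%m-%d-%H:%M:%S"


def parse_screenshot_path(path):
    """Return (user, capture_time) if path matches the screenshot scheme, else None."""
    m = SCREENSHOT_RE.match(path)
    if not m:
        return None
    try:
        captured = datetime.strptime(m.group("stamp"), STAMP_FORMAT)
    except ValueError:  # right shape but impossible date, e.g. month 99
        return None
    return m.group("user"), captured


def triage_paths(paths):
    """Classify paths into MacApp folders and dated screenshots (sorted by capture time)."""
    folders, screenshots = set(), []
    for p in paths:
        parts = PurePosixPath(p).parts  # ('/', 'Users', user, 'MacApp', ...)
        if len(parts) >= 4 and parts[1] == "Users" and parts[3] == "MacApp":
            folders.add(str(PurePosixPath(*parts[:4])))
        hit = parse_screenshot_path(p)
        if hit:
            screenshots.append((p, hit[0], hit[1]))
    screenshots.sort(key=lambda t: t[2])
    return {"folders": sorted(folders), "screenshots": screenshots}


def scan_live_system(users_root="/Users"):
    """Assumed helper: enumerate real MacApp folders on a Mac and triage their contents."""
    found = []
    for folder in Path(users_root).glob("*/MacApp"):
        found.append(str(folder))
        found.extend(str(f) for f in folder.iterdir())
    return triage_paths(found)


# Constructed sample listing, not taken from a real infection.
SAMPLE_PATHS = [
    "/Users/alice/MacApp",
    "/Users/alice/MacApp/13-05-17-09:42:11.png",
    "/Users/alice/MacApp/13-05-16-23:01:59.png",
    "/Users/alice/MacApp/readme.txt",
    "/Users/alice/Pictures/13-05-17-09:42:11.png",
    "/Users/bob/MacApp/99-99-99-99:99:99.png",
]

if __name__ == "__main__":
    print(triage_paths(SAMPLE_PATHS))
```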

Other Details

This backdoor connects to the following possibly malicious URL:

  • http://{BLOCKED}tytable.org/lang.php
  • http://{BLOCKED}rum.info/lang.php

NOTES:

This malware can take screenshots of the affected system and upload them to a remote server.