Trojan.MAC.MacDownload.A (BitDefender), OSX.Addkeysteal (Symantec), OSX/MacDownloader.A (ESET-NOD32)
Mac OS
Downloaded from the Internet
This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It connects to certain websites to send and receive information. However, as of this writing, the said sites are inaccessible.
290,416 bytes
Mach-O
No
07 Feb 2017
Displays message/message boxes
Arrival Details
This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Information Theft
This spyware gathers the following data:
Stolen Information
This spyware saves the stolen information in the following file:
Other Details
This spyware connects to the following website to send and receive information:
However, as of this writing, the said sites are inaccessible.
NOTES:
This malware displays a fake Adobe Flash Player installer:
After the user clicked the Update Flash-Player it displays the following fake warning window:
After the user clicks OK, the malware displays the window below to obtain the password directly from the user:
After the user types the correct password, it displays the window:
9.850
13.210.04
08 Feb 2017
13.211.00
09 Feb 2017
Step 1
Scan your computer with your Trend Micro product to clean files detected as OSX_STEALKYS.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 2
Search and delete these files