This malware may arrive on a system as a file unknowingly downloaded by a user who visits a malicious Web site. The site encourages users to download software supposedly needed to play the video hosted on it.
It arrives as a .DMG file, which is a Mac OS X mountable disk image. The image contains a .PKG file, which in turn contains the component files.
Among these are the following malicious files:
Upon execution, it displays the following MacVideo installation GUI:
It then asks for user credentials:
Once the installer has finished, the following files have been added to the system:
- /Library/Internet Plug-Ins/AdobeFlash
- /Library/Internet Plug-Ins/Mozillaplug.plugin
In the background, while the installer is running, this malware executes the following BASH scripts, which are identical:
These scripts are obfuscated with the sed command and contain uuencoded data:
The scripts then drop the file i386 in the root directory, which contains further uuencoded data and sed commands. Upon execution, this file decodes itself and runs the crontab command to set up a cron job that runs the dropped file /Library/Internet Plug-Ins/AdobeFlash. That file contains almost the same data as the preinstall and preupgrade scripts. It also executes an embedded PERL script, then deletes itself after execution.
When the PERL script is executed, it connects to the following servers to send HTTP GET requests together with the infected machine's hostname to download another script file:
The downloaded script is then saved in \TMP directory.
This file also contains uuencoded data and sed commands. Upon execution, the script changes the system's DNS settings to the following malicious DNS servers using the scutil command's get and set operations:
As a result, users may be redirected to phishing sites or sites where other malware can be downloaded.
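The host-side traces described above (the dropped plug-in files and root-level i386 dropper, the cron job that launches AdobeFlash, and altered DNS resolvers) can be checked with a small triage script. This is an added example, not code from the original write-up; the crontab and scutil output it parses are constructed samples, and the resolver IPs are documentation addresses, not indicators from this report.

```python
#!/usr/bin/env python3
"""Triage helper for the Mac DNS changer described above (added example).
It checks the three traces the write-up names: dropped files, a crontab
entry launching a file from Internet Plug-Ins, and unexpected DNS resolvers."""
import os
import re
from typing import Callable, Iterable, List

# Paths the write-up lists as dropped by the installer, plus the root-level dropper.
DROPPED_PATHS = [
    "/Library/Internet Plug-Ins/AdobeFlash",
    "/Library/Internet Plug-Ins/Mozillaplug.plugin",
    "/i386",
]

def dropped_files_present(exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return the dropped paths that exist; `exists` is injectable for testing."""
    return [p for p in DROPPED_PATHS if exists(p)]

def suspicious_cron_lines(crontab_text: str) -> List[str]:
    """Flag active crontab lines whose command runs something from Internet Plug-Ins
    (the write-up says the cron job runs /Library/Internet Plug-Ins/AdobeFlash)."""
    hits = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # skip blanks and comments
        if "/Library/Internet Plug-Ins/" in stripped:
            hits.append(stripped)
    return hits

def unexpected_resolvers(scutil_dns_output: str, allowed: Iterable[str]) -> List[str]:
    """Parse `scutil --dns` style output and return nameservers not in `allowed`."""
    allowed = set(allowed)
    found = re.findall(r"nameserver\[\d+\]\s*:\s*(\S+)", scutil_dns_output)
    return sorted({ip for ip in found if ip not in allowed})

# Constructed samples for illustration (not taken from the write-up).
SAMPLE_CRONTAB = """# m h dom mon dow command
* * * * * "/Library/Internet Plug-Ins/AdobeFlash" >/dev/null 2>&1
0 3 * * * /usr/bin/periodic daily
"""
SAMPLE_SCUTIL_DNS = """DNS configuration
resolver #1
  nameserver[0] : 192.0.2.53
  nameserver[1] : 203.0.113.53
"""

if __name__ == "__main__":
    print("dropped files:", dropped_files_present())
    print("cron hits:", suspicious_cron_lines(SAMPLE_CRONTAB))
    print("unexpected DNS:", unexpected_resolvers(SAMPLE_SCUTIL_DNS, {"192.0.2.53"}))
```

On a live system, feed the script the real `crontab -l` output for each user (including root) and `scutil --dns` output instead of the samples.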
This malware runs on Mac OS X.
Analysis By: Karl Dominguez
Updated By: Jasper Manuel