Backdoor:OSX/Imuler.A

Classification

Malware

Backdoor

OSX

Backdoor:OSX/Imuler.A

Summary

Backdoor:OSX/Imuler.A contacts a remote server for instructions; it may then steal files or capture a screenshot of the infected computer system, which is then forwarded to the remote server.

Removal

Automatic action

The F-Secure security product will automatically remove the file.

Manual removal

  1. Open Activity Monitor
  2. Select checkvir then click Quit Process
  3. Delete the following files:
    • ~/library/LaunchAgents/checkvir
    • ~/library/LaunchAgents/checkvir.plist
    • ~/library/.confback
Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

Backdoor:OSX/Imuler.A may be variously dropped or installed onto a system by variants in the Trojan-Dropper:OSX/Revir family.

Installation

Upon execution, the backdoor drops a copy of itself to the following location:

  • ~/library/LaunchAgents/checkvir

It creates the following launch point:

  • ~/library/LaunchAgents/checkvir.plist

It also creates the following file, containing its Command and Control, or C&C, server:

  • ~/library/.confback

Network Connections

The malware downloads a command line tool from the external site

  • http://%server%/CurlUpload

Note: As of this writing, %server% can be any of the following -

  • www. sugarsbutters.com
  • www. teklimakan.org

The downloaded file is then saved as:

  • /tmp/CurlUpload

The malware obtains the external IP address and current time by connecting to the following URLs:

  • http://%server%/cgi-mac/whatismyip.cgi
  • http://%server%/cgi-mac/2wmthetime.cgi

It collects system information, then uploads the collected information to the following location:

  • http://%server%/cgi-mac/2wmrecvdata.cgi

Collected information includes the following:

  • Internal IP
  • External IP
  • Username of the infected user
  • Time of last execution
  • Kernel version of the infected host

The malware then makes a HTTP POST request containing the%botid% to the following URLs, presumably to report that the infected host is ready to receive commands:

  • http://%server%/cgi-mac/2wmcheckdir.cgi
  • http://%server%/cgi-mac/2wmsetstatus.cgi

Backdoor

The malware contacts a remote server (the C&C server) to get its instructions. The URL is based on the following formula:

  • http://%server%/users/%botid%/xnocz1

Where:

  • %botid% - Is composed of:%user%%pad%%mac%
    • %user% - Are the first 8 characters of the username of the infected user ("XXXXXXXX" if username is longer than 8 characters)
    • %pad% - Is a series of "X" characters to make %botid% 20 characters long
    • %mac% - Is the MAC address of the machine

Based on the instructions received, the backdoor is capable of performing the following actions:

  • Download additional files
  • Execute files on the infected host
  • Collect system information then upload to the C&C
  • Collect files to an archive, then upload it to the C&C server
  • Capture an image of the computer screen, then upload it to the C&C

After receiving the commands, the malware makes a HTTP HEAD request the to following URL, presumably to report that the infected host has successfully receive the commands:

  • http://%server%/cgi-mac/2wmdelfile.cgi

Date Created: -

Date Last Modified: -