Backdoor:MacOS_X/Imuler.A
First posted on 30 January 2013.
Source: Microsoft
Aliases:
There are no other names known for Backdoor:MacOS_X/Imuler.A.
Explanation:
Backdoor:MacOS_X/Imuler is a backdoor trojan that gives remote attackers unauthorized access to, and control of, your Mac.
The backdoor is a fat (universal) Mach-O binary containing two architecture slices, so the same file runs on both PowerPC (ppc) and i386-based Macs.
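To see what "fat Mach-O serving two architectures" means on disk, the following added example (written for this page, not code from Microsoft or from the malware) parses the fat header and lists the slices. The fat header is always big-endian: magic 0xCAFEBABE, a slice count, then one 20-byte fat_arch record per slice (cputype, cpusubtype, offset, size, align). Each slice then starts with its own mach_header in its native byte order, big-endian for ppc and byte-swapped for i386, which the parser uses to cross-check the table. The sample fat file is constructed inline from minimal headers and is not a real executable; the Java class-file collision on the same magic and the slice cross-check are the two caveats a triage script needs.

```python
import struct

FAT_MAGIC = 0xCAFEBABE                             # fat header is always big-endian
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF     # thin Mach-O in big-endian order (ppc)
MH_CIGAM, MH_CIGAM_64 = 0xCEFAEDFE, 0xCFFAEDFE     # thin Mach-O stored little-endian (i386)

CPU_TYPE_I386, CPU_TYPE_POWERPC = 7, 18
CPU_TYPES = {
    CPU_TYPE_I386: "i386",
    CPU_TYPE_POWERPC: "ppc",
    0x01000007: "x86_64",
    0x01000012: "ppc64",
    0x0100000C: "arm64",
}


def thin_cputype(data):
    """Return the cputype of a thin Mach-O header, or None if data is not one.

    The byte order of the header follows the magic: a big-endian magic means
    big-endian fields, a byte-swapped magic means little-endian fields."""
    if len(data) < 8:
        return None
    magic = struct.unpack(">I", data[:4])[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        return struct.unpack(">i", data[4:8])[0]
    if magic in (MH_CIGAM, MH_CIGAM_64):
        return struct.unpack("<i", data[4:8])[0]
    return None


def mach_o_architectures(data):
    """List the architectures a Mach-O file carries.

    A fat binary yields one name per slice, a thin binary yields one name and
    anything else yields []. A slice whose own header disagrees with the fat
    table, or that lies outside the file, is suffixed with '?'."""
    cputype = thin_cputype(data)
    if cputype is not None:
        return [CPU_TYPES.get(cputype, "cputype_%d" % cputype)]
    if len(data) < 8 or struct.unpack(">I", data[:4])[0] != FAT_MAGIC:
        return []
    nfat_arch = struct.unpack(">I", data[4:8])[0]
    # Java class files share the 0xCAFEBABE magic; their next field is
    # minor/major version with major >= 45, whereas a real fat binary holds a
    # handful of slices. An implausible count therefore means "not Mach-O".
    if nfat_arch == 0 or nfat_arch > 20:
        return []
    archs = []
    for i in range(nfat_arch):
        rec = data[8 + 20 * i: 28 + 20 * i]
        if len(rec) < 20:
            break                                      # truncated fat table
        cputype, _subtype, offset, size, _align = struct.unpack(">iiIII", rec)
        name = CPU_TYPES.get(cputype, "cputype_%d" % cputype)
        # Cross-check the table against the slice it points at: the slice's own
        # mach_header must carry the same cputype and must lie inside the file.
        if offset + size > len(data) or thin_cputype(data[offset:offset + size]) != cputype:
            name += "?"
        archs.append(name)
    return archs


def build_sample_fat(slices):
    """Construct a synthetic fat file for testing (constructed data, not a real
    sample): one minimal 28-byte mach_header per slice, no load commands, so it
    is not executable. Each slice is packed in its architecture's native byte
    order and page-aligned, as the Apple toolchain lays real fat files out."""
    page = 4096
    table, body = b"", b""
    for i, (cputype, big_endian) in enumerate(slices):
        fmt = ">IiiIIII" if big_endian else "<IiiIIII"
        header = struct.pack(fmt, MH_MAGIC, cputype, 0, 2, 0, 0, 0)   # filetype 2 = MH_EXECUTE
        table += struct.pack(">iiIII", cputype, 0, page * (i + 1), len(header), 12)  # align = 2**12
        body += header.ljust(page, b"\0")
    fat_header = struct.pack(">II", FAT_MAGIC, len(slices)) + table
    return fat_header.ljust(page, b"\0") + body


# The two-slice layout this page describes: ppc (big-endian) plus i386 (little-endian).
SAMPLE_FAT = build_sample_fat([(CPU_TYPE_POWERPC, True), (CPU_TYPE_I386, False)])

if __name__ == "__main__":
    print(mach_o_architectures(SAMPLE_FAT))             # ['ppc', 'i386']
    print(mach_o_architectures(SAMPLE_FAT[4096:4124]))  # ['ppc'] (the first slice on its own)
```

Run against a real file with `mach_o_architectures(open(path, "rb").read())`; a '?' on any slice means the fat table and the slice disagree, which is worth a closer look because the kernel picks the slice to run from the table, while a casual reviewer looking at the first slice sees something else.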
Installation
When executed, the backdoor trojan copies itself as 'checkvir' to this location:
~/library/LaunchAgents/checkvir
To ensure it runs automatically, it also installs a launchd property list in the same LaunchAgents directory:
~/library/LaunchAgents/checkvir.plist
The property list file (.plist) registers the backdoor as a per-user launch agent, so launchd starts it each time you log on to your Mac. The path is written with a lowercase 'library'; on the case-insensitive file system macOS uses by default, this is the same ~/Library/LaunchAgents directory that legitimate agents live in, so a scan must not treat the two spellings as different places.
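The persistence described above leaves two artifacts that a triage script can key on without knowing the sample: a per-user launch agent plist, and an executable sitting inside the LaunchAgents directory itself, which is a plist directory and not a place executables normally live. The following added example (written for this page, not code from Microsoft or a recovered Imuler file) walks a user's LaunchAgents, parses each plist, resolves the program launchd would run, and reports the jobs worth a look. It goes beyond the single 'checkvir' name by flagging any agent whose program lives in LaunchAgents or has gone missing. The sample home directory and its plist contents are constructed for the demonstration; the key names and the Label value are assumptions about how such a file is normally written, since the page does not reproduce the original plist.

```python
import os
import plistlib
import tempfile


def launch_agents_dir(home):
    # The page writes the path with a lowercase 'library'; on the
    # case-insensitive file system macOS uses by default that is the same
    # directory as ~/Library/LaunchAgents, so one canonical path is scanned.
    return os.path.join(home, "Library", "LaunchAgents")


def load_launch_agents(home):
    """Return (plist_path, parsed_dict) for every .plist in the user's
    LaunchAgents directory. A file that will not parse is returned with an
    empty dict so a deliberately malformed plist is not silently skipped."""
    agents = launch_agents_dir(home)
    if not os.path.isdir(agents):
        return []
    loaded = []
    for name in sorted(os.listdir(agents)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(agents, name)
        try:
            with open(path, "rb") as fh:
                loaded.append((path, plistlib.load(fh)))
        except Exception:
            loaded.append((path, {}))
    return loaded


def program_of(plist):
    """The executable launchd will run: 'Program' wins, else ProgramArguments[0]."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def suspicious_launch_agents(home):
    """Triage every per-user launch agent and return the ones worth a look,
    each as a dict with the plist path, label, program, RunAtLoad and reasons."""
    # Compare case-insensitively so '~/library/...' and '~/Library/...' match.
    agents = os.path.normpath(launch_agents_dir(home)).lower()
    findings = []
    for path, plist in load_launch_agents(home):
        program = program_of(plist)
        reasons = []
        if not plist:
            reasons.append("plist did not parse")
        elif program is None:
            reasons.append("no Program or ProgramArguments")
        else:
            # Executables do not belong in the plist directory itself; the
            # page's sample drops 'checkvir' right beside 'checkvir.plist'.
            if os.path.dirname(os.path.normpath(program)).lower() == agents:
                reasons.append("program stored inside LaunchAgents")
            if os.path.basename(program) == "checkvir" or os.path.basename(path) == "checkvir.plist":
                reasons.append("matches Imuler 'checkvir' indicator")
            if not os.path.isfile(program):
                reasons.append("program file missing")
        if reasons:
            findings.append({
                "plist": path,
                "label": plist.get("Label"),
                "program": program,
                "run_at_load": bool(plist.get("RunAtLoad")),
                "reasons": reasons,
            })
    return findings


def build_sample_home():
    """Construct a throwaway home directory (constructed test data) holding a
    benign agent plus the Imuler-style layout from this page: 'checkvir' and
    'checkvir.plist' side by side in Library/LaunchAgents. The plist keys and
    Label are an assumption about how such a file is normally written."""
    home = tempfile.mkdtemp(prefix="imuler-demo-")
    agents = launch_agents_dir(home)
    os.makedirs(agents)
    os.makedirs(os.path.join(home, "bin"))

    checkvir = os.path.join(agents, "checkvir")
    with open(checkvir, "wb") as fh:
        fh.write(b"\xca\xfe\xba\xbe")                  # stand-in bytes, not a real binary
    os.chmod(checkvir, 0o755)
    with open(os.path.join(agents, "checkvir.plist"), "wb") as fh:
        plistlib.dump({"Label": "checkvir", "ProgramArguments": [checkvir], "RunAtLoad": True}, fh)

    helper = os.path.join(home, "bin", "sync-helper")   # a benign agent for contrast
    with open(helper, "wb") as fh:
        fh.write(b"#!/bin/sh\nexit 0\n")
    os.chmod(helper, 0o755)
    with open(os.path.join(agents, "com.example.sync.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.sync", "ProgramArguments": [helper], "StartInterval": 3600}, fh)
    return home


if __name__ == "__main__":
    for finding in suspicious_launch_agents(build_sample_home()):
        print(finding)
```

On a live machine call `suspicious_launch_agents(os.path.expanduser("~"))` for the current user, and repeat for every home under /Users, since a launch agent is per-user persistence and a scan of the administrator's home alone misses the others; `/Library/LaunchAgents` and `/Library/LaunchDaemons` are the system-wide equivalents and deserve the same pass.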
Payload
Allows backdoor access and control
Once installed, Backdoor:MacOS_X/Imuler attempts to connect to this remote host:
teklimakan<dot>org
It downloads a command-line tool called 'CurlUpload' to your temporary folder as:
~/tmp/CurlUpload
The backdoor later uses this tool to upload the information it has gathered.
Using Backdoor:MacOS_X/Imuler, an attacker can perform any number of actions on an affected computer, including but not limited to the following:
- Gather information about your computer
- Upload and download files
- Delete files
- Retrieve IP address
- Receive, store and read remote instructions
- Run shell scripts
- Store files in a compressed format
- Uncompress files
- Capture screen shots
- Store remote host configuration
Analysis by Methusela Cebrian Ferrer
Last update 30 January 2013