
OSX.Salgorea


First posted on 26 February 2016.
Source: Symantec

Aliases:

There are no other names known for OSX.Salgorea.

Explanation:

When the Trojan is executed, it creates one of the following files:
- /Library/Logs/.Logs/corevideosd
- ~/Library/Logs/.Logs/corevideosd

Next, the Trojan modifies one of the following files so that it runs every time Mac OS X starts:
- /Library/LaunchAgents/com.google.plugins.plist
- ~/Library/LaunchAgents/com.google.plugins.plist

The Trojan then connects to the following remote location to download and execute files:
- [http://]kiifd.pozon7.net/sigst[REMOVED]

Next, the Trojan connects to one of the following remote locations through TCP port 443:
- shop.ownpro.net
- pad.werzo.net

The Trojan may then perform the following actions:
- Create, list, and end processes
- Delete and copy files
- Show contents of files
- List contents of folders
- Capture screenshots
- Gather list of recently opened documents and windows
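A host check built from the file artefacts listed above, as an added example that is not part of the original write-up. The function names `scan` and `launch_target` are hypothetical, and the idea that the LaunchAgent starts the dropped `corevideosd` file is an assumption the source does not state.

```python
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# Artefact paths from the write-up; each exists system-wide (/) or per-user (~).
PAYLOAD = "Library/Logs/.Logs/corevideosd"
AGENT = "Library/LaunchAgents/com.google.plugins.plist"

def launch_target(plist_path):
    """Return the program a LaunchAgent plist starts, or None if unreadable."""
    try:
        with open(plist_path, "rb") as fh:
            job = plistlib.load(fh)  # handles both XML and binary plists
    except (OSError, plistlib.InvalidFileException, ExpatError, ValueError):
        return None
    if not isinstance(job, dict):
        return None
    args = job.get("ProgramArguments")
    if job.get("Program"):
        return job["Program"]
    return args[0] if isinstance(args, list) and args else None

def scan(root="/", homes=()):
    """Check the system root and each home directory; return finding dicts."""
    findings = []
    for base in [Path(root), *map(Path, homes)]:
        payload, agent = base / PAYLOAD, base / AGENT
        if payload.is_file():
            findings.append({"type": "payload", "path": str(payload)})
        if agent.is_file():
            target = launch_target(agent)
            findings.append({
                "type": "launch_agent",
                "path": str(agent),
                "target": target,
                # Assumption: the agent launches the dropped corevideosd file.
                "starts_payload": isinstance(target, str)
                and Path(target).name == "corevideosd",
            })
    return findings

if __name__ == "__main__":
    for finding in scan("/", [Path.home()]):
        print(finding)
```

Pass every user's home directory in `homes` when running with sufficient privileges, since the per-user paths are relative to each account.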

Last update 26 February 2016
