A backdoor targeting OS X. The Trojan is written in C++ and Lua and uses encryption extensively.
Depending on the type of data received, the backdoor can execute numerous commands, and it can also execute Lua scripts. The basic command names exposed to the received Lua scripts are stored encrypted in the binary; they decrypt to the following strings:
socks
system
httpget
httpgeted
rand
sleep
banadd
banclear
p2plock
p2punlock
nodes
lea
fs
unknowns
p2pport
p2pmode
p2ppeer
port
p2ppeertype
set
get
clear
platform
script
uptime
uid
ver
addn
Through these basic commands, a received Lua script can perform the following actions:
- Get the OS type
- Get the bot version
- Get the bot UID
- Get a value from the configuration file
- Set a parameter value in the configuration file
- Remove all parameters from the configuration file
- Get the bot uptime
- Send a GET request
- Download a file
- Open a socket for an inbound connection and then execute the received commands
- Execute a system command
- Go to sleep mode
- Add a node IP to the list of banned nodes
- Clear the list of banned nodes
- Get the node list
- Get a node IP
- Get a node type
- Get a node port
- Execute a nested Lua script
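As an added illustration (not part of the original analysis and not the malware's own code): because the command names are stored encrypted on disk, a plain string scan of the file will not find them, but they have to be in cleartext once decrypted in process memory or inside a received Lua script. The Python below scans a buffer for whole-token occurrences of the command vocabulary listed above, discounts names that are ordinary English or Lua words, and returns a heuristic verdict. The two sample buffers are constructed for the demo, and the threshold of four distinctive names is an assumption of this example.

```python
import re

# Lua command names exposed to the received scripts, as listed above.
LUA_COMMANDS = [
    "socks", "system", "httpget", "httpgeted", "rand", "sleep",
    "banadd", "banclear", "p2plock", "p2punlock", "nodes", "lea", "fs",
    "unknowns", "p2pport", "p2pmode", "p2ppeer", "port", "p2ppeertype",
    "set", "get", "clear", "platform", "script", "uptime", "uid", "ver", "addn",
]

# Names that are generic words and would match almost any process image;
# they are reported but do not count towards the verdict.
GENERIC_NAMES = {
    "system", "rand", "sleep", "nodes", "lea", "fs", "unknowns", "port",
    "set", "get", "clear", "platform", "script", "uptime", "uid", "ver",
}
DISTINCTIVE_NAMES = [c for c in LUA_COMMANDS if c not in GENERIC_NAMES]


def _token_pattern(name: str) -> re.Pattern:
    # Whole-token match: "httpget" must not fire on "httpgeted", and
    # "p2ppeer" must not fire on "p2ppeertype".
    return re.compile(
        rb"(?<![A-Za-z0-9_])" + re.escape(name.encode()) + rb"(?![A-Za-z0-9_])"
    )


PATTERNS = {name: _token_pattern(name) for name in LUA_COMMANDS}


def find_commands(buf: bytes) -> dict:
    """Return {command_name: occurrence_count} for every name present in buf."""
    hits = {}
    for name, pat in PATTERNS.items():
        count = len(pat.findall(buf))
        if count:
            hits[name] = count
    return hits


def assess(buf: bytes, min_distinctive: int = 4) -> dict:
    """Heuristic verdict: enough distinctive command names => likely this bot."""
    hits = find_commands(buf)
    distinctive = sorted(n for n in hits if n in DISTINCTIVE_NAMES)
    return {
        "hits": hits,
        "distinctive": distinctive,
        "match": len(distinctive) >= min_distinctive,
    }


# Constructed sample: a slice of a memory dump after the strings were decrypted.
SAMPLE_DUMP = (
    b"\x00\x00libSystem.B.dylib\x00httpget\x00httpgeted\x00p2plock\x00"
    b"p2punlock\x00banadd\x00banclear\x00p2ppeertype\x00uid\x00ver\x00addn\x00"
)

# Constructed sample: a benign process that only contains the generic words.
BENIGN_DUMP = b"get\x00set\x00system\x00sleep\x00uptime\x00platform\x00"


if __name__ == "__main__":
    for label, buf in (("sample", SAMPLE_DUMP), ("benign", BENIGN_DUMP)):
        result = assess(buf)
        print(label, "match" if result["match"] else "no match",
              result["distinctive"])
```

Run `assess()` over a process memory dump or over a Lua script recovered from network traffic rather than over the executable on disk; the generic names are deliberately excluded from the verdict because `get`, `set`, `system` and the like appear in almost any binary, and the remaining vocabulary (`p2plock`, `p2punlock`, `banadd`, `httpgeted` and so on) is what actually distinguishes this bot's scripting interface.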
In addition to the functions performed through Lua scripts, the backdoor itself currently implements the following features:
- Send the UID
- Send the information about the open port
- Add new bots (those that are already connected and those whose addresses are received in the command) to the node list
- Relay traffic (data received via one socket is relayed to another socket without any alterations)
- Connect to the host specified in the command
- Execute Lua scripts