A backdoor for OS X distributed via spam mailings. Messages are written in Uighur and contain the matiriyal.zip archive. The backdoor itself is the matiriyal.app application with the PDF icon.
Once launched, the backdoor copies itself to Library/launched and creates the property list ~/Library/LaunchAgents/com.apple.FolderActionsxl.plist, a user launch agent with an Apple-looking label, so that launchd starts it again every time the user logs in.
Then the malware establishes a connection to the command and control server at 22.214.171.124 and sends it the following data:
- OS version
- RAM amount
- User name
- Computer name
After that, the malicious program waits for commands from the server.
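The persistence mechanism above is the most reliable host-side indicator: a launch agent in the user's ~/Library/LaunchAgents whose label imitates Apple's com.apple.* namespace (Apple's own agents live under /System/Library) and whose program lives under ~/Library/launched. The following triage script is an added example and not part of the original write-up; the plist contents are constructed to match the described behaviour, and the path of the executable inside the dropped app bundle is an assumption, since the page names only the directory.

```python
"""Triage ~/Library/LaunchAgents plists for the persistence pattern described.

Added example, not from the original description. Flags an agent when its
label borrows the com.apple.* prefix, when its program sits outside the
usual trusted roots, or when it points into ~/Library/launched.
"""
import plistlib
from pathlib import Path

# Constructed sample modelled on the backdoor: Apple-style label, RunAtLoad,
# program under ~/Library/launched. The Contents/MacOS/... path is assumed.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.FolderActionsxl</string>
  <key>ProgramArguments</key>
  <array><string>/Users/victim/Library/launched/matiriyal.app/Contents/MacOS/matiriyal</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed benign sample for comparison: third-party label, program in /Applications.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

APPLE_LABEL_PREFIX = "com.apple."
TRUSTED_PROGRAM_ROOTS = ("/System/", "/usr/", "/Applications/", "/Library/")
DROP_DIR_MARKER = "/Library/launched/"


def program_path(plist):
    """Return the executable a launchd job runs (ProgramArguments[0] or Program)."""
    args = plist.get("ProgramArguments")
    if args:
        return args[0]
    return plist.get("Program", "")


def triage_agent(data):
    """Return a list of findings for one LaunchAgent plist (empty if nothing stands out)."""
    plist = plistlib.loads(data)
    findings = []
    label = plist.get("Label", "")
    prog = program_path(plist)

    if label.startswith(APPLE_LABEL_PREFIX):
        findings.append(f"label {label!r} imitates Apple's namespace inside a user LaunchAgents directory")
    if prog and not prog.startswith(TRUSTED_PROGRAM_ROOTS):
        findings.append(f"program outside trusted roots: {prog}")
    if DROP_DIR_MARKER in prog:
        findings.append("program lives under ~/Library/launched, the drop directory used by this backdoor")
    if findings and plist.get("RunAtLoad"):
        findings.append("RunAtLoad is set, so the job starts at every login")
    return findings


def scan_launch_agents(directory="~/Library/LaunchAgents"):
    """Run triage over every .plist in a directory; returns {filename: findings}."""
    results = {}
    for path in Path(directory).expanduser().glob("*.plist"):
        try:
            findings = triage_agent(path.read_bytes())
        except Exception as exc:  # malformed plist is itself worth a look
            findings = [f"could not parse: {exc}"]
        if findings:
            results[path.name] = findings
    return results


if __name__ == "__main__":
    for name, data in (("suspicious", SUSPICIOUS_PLIST), ("benign", BENIGN_PLIST)):
        print(name, triage_agent(data))
    print(scan_launch_agents())
```

Run it as-is to see the two constructed samples triaged, then point scan_launch_agents() at a live machine's ~/Library/LaunchAgents; a clean user directory normally yields nothing, so any com.apple.* label or program under the user's Library deserves a look at the binary itself.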