SHA1
c7bcab5152e992e7057a102aca1815a81ebd0ade
5d896639ad59246c426c0e13b8785b067bacb4b9
4b26f00c484c772b8ad2596a5cdcc9624963c6ac
26cd1823b905d4be4427ae6ce22c6756fe3d4988
A Trojan for OS X designed to install other malicious and dangerous applications. It is spread as a file appended with the .pkg extension.
The installer includes the following components:
- NicePlayer.pkg
- Plugins
- Resources
- [TOC].xml
- Distribution
- Scripts
The Plugins folder contains the Trojan who reads the ID number of the Trojan’s distributor from the Plugins\Offers.bundle\Contents\Resources\dc.txt text file and sends a request to the C&C server in order to get a list of components to be installed.
Once the installer is launched, the user sees a standard greeting on the screen. When they click “Continue”, Mac.Trojan.VSearch.2 should display a list of components that the user can install in addition to the desired application. This dialog usually prompts the user to choose necessary modules form the list. However, in fact, it is not the case because the installer skips this step and moves to the next stage prompting the user to specify the installation folder. At that, the Trojan is set as if the user themselves checked all offered components.
Then the preinstall script is launched from the NicePlayer.pkg folder. This script checks the system for the presence of a virtual machine and sends a request to the server in order to obtain a script for components installation. The script is saved as install_unit.sh.
The Trojan is currently known to install the following components using this script:
- Client Updater - Mac.Trojan.VSearch.4
- Trovi - Mac.Trojan.Conduit
- MacKeeper - Program.Mac.Unwanted.MacKeeper
- ZipCloud - Program.Mac.Unwanted.ZipCloud
- Nice Player – an application that the user initially intended to install
