Most recently, we have come across a new variant of OSX.Macontrol (first seen in March 2012). This current sample appears to be spread through targeted email and has a very low distribution rate. The binary [md5 - e88027e4bfc69b9d29caef6bae0238e8] is small in size (75kB) and provides little functionality other than a backdoor to a remote host (18.104.22.168x).
The web server appears to be a custom HTTP command and control server that can collect and modify system settings. HTTP command and control allows the attacker to evade detection by sending commands that appear to be clean, normal web traffic.
OSX.Macontrol has the ability to:
- Close the connection to the remote location and end the threat
- Collect information regarding the compromised computer and send it back to the remote server
- Send the process list of the compromised computer to the remote server
- End processes
- Fork running processes
- Retrieve the install path of the Trojan
- Delete files
- Run files
- Send files to the remote server
- Send user status and information to the remote server
- Log out the current user
- Put the compromised computer to sleep
- Restart the compromised computer
- Shut down the compromised computer
===> To ensure that you are protected, please make sure your AV definitions are always up to date. Also, please do not download or open attachments from senders that you do not recognize. <===
Symantec Note: We were able to connect with Apple and they stated they updated their OS X malware definitions recently to address this version of Macontrol.