Yesterday, ESET announced the discovery of a new threat against the Apple Mac OS X platform. Today, we have found a new version of the same threat. The new version is similar to the previous one, with two important differences: it now implements persistence on an infected system, and it carries updated command and control (C&C) information.
OSX/Tsunami.A now has the ability to copy itself to /usr/sbin/logind. It then creates a launch daemon property list named /System/Library/LaunchDaemons/com.apple.logind.plist, with the content shown in the following screenshot, so that launchd starts the malicious binary after each reboot. Both the binary path and the plist label are chosen to look like a legitimate Apple component.
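The following is an added example of how an incident responder could check a system (or a mounted disk image) for the two persistence artefacts described above; it is not ESET's detection logic. The plist body used for the self-test is an assumed, typical LaunchDaemon layout (Label, ProgramArguments, RunAtLoad), because the screenshot of the real content is not reproduced on this page; the function and file names are this example's own.

```shell
#!/bin/bash
# Added example (not from the original post): look for the OSX/Tsunami.A
# persistence artefacts. ROOT is a path prefix so the same check can be run
# against a mounted image or a constructed test tree; "/" inspects the live host.

LOGIND_BIN="usr/sbin/logind"
LOGIND_PLIST="System/Library/LaunchDaemons/com.apple.logind.plist"

# check_tsunami_persistence ROOT
# Prints each indicator found. Returns 0 if at least one indicator was hit,
# 1 if the tree is clean.
check_tsunami_persistence() {
    local root="${1:-/}"
    local hits=0
    local bin="${root%/}/$LOGIND_BIN"
    local plist="${root%/}/$LOGIND_PLIST"

    if [ -f "$bin" ]; then
        echo "HIT: dropped binary present: $bin"
        hits=$((hits + 1))
    fi
    if [ -f "$plist" ]; then
        echo "HIT: launch daemon plist present: $plist"
        hits=$((hits + 1))
        # The plist pointing at /usr/sbin/logind is what ties the two together.
        if grep -q "/$LOGIND_BIN" "$plist"; then
            echo "HIT: plist references /$LOGIND_BIN"
            hits=$((hits + 1))
        fi
        if grep -q "<key>RunAtLoad</key>" "$plist"; then
            echo "NOTE: RunAtLoad is set, so launchd starts the job at boot"
        fi
    fi
    [ "$hits" -gt 0 ]
}

# make_sample_tree DIR
# Builds a constructed test tree containing both artefacts. The plist content
# is an assumption about a typical LaunchDaemon, not the malware's real file.
make_sample_tree() {
    local dir="$1"
    mkdir -p "$dir/usr/sbin" "$dir/System/Library/LaunchDaemons"
    printf '#!/bin/sh\n' > "$dir/usr/sbin/logind"
    cat > "$dir/System/Library/LaunchDaemons/com.apple.logind.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.logind</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/logind</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}

# Self-test: build the constructed tree and scan it.
if [ "${1:-}" = "--demo" ]; then
    tmp="$(mktemp -d)"
    make_sample_tree "$tmp"
    check_tsunami_persistence "$tmp"
    rm -rf "$tmp"
fi
```

Run `check_tsunama_persistence /` on a live Mac to scan the running system; on a live host you would also confirm whether the job is loaded with `launchctl list | grep com.apple.logind`, which the offline check above cannot do. The script only matches the exact paths reported here, so a variant that changes either name would not be caught; treat it as a check for these specific indicators rather than a general detection.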
Although the samples we have received come from two different countries on two different continents, our telemetry data still indicates that there are very few hosts infected with this malware.
It is our belief that the people behind this threat are in the process of testing their creation. They are probably adapting the code, originally written for Linux, to the OS X platform. We are still unaware of any specific infection vector for this threat. It can be installed manually by an attacker or in an automated way.
Senior Malware Researcher