OSX/HackBack [Threat Name]

OSX/HackBack.A [Threat Variant Name]

Category: trojan
Size: 200944 B
Detection created: May 20, 2013
Signature database version: 8352
Aliases: Backdoor:MacOS_X/HackBack.A (Microsoft), OSX.Hackback (Symantec), MacOS:Kitmos-C (Avast)

Short description

OSX/HackBack.A is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

The trojan does not create any copies of itself.

The trojan adds itself to the list of Login Items. This causes the trojan to be executed on every system start.

The trojan keeps various information in the following files:

  • FileBackup.ini

Information stealing

The trojan collects the following information:

  • file(s) content

The trojan searches local drives for files with the following file extensions:

  • .txt
  • .doc
  • .docx
  • .eml
  • .emlx
  • .fdf
  • .fdr
  • .pdf
  • .jpg
  • .jpeg
  • .xls
  • .xlsx
  • .fdx
  • .idx
  • .knt
  • .kwd
  • .log
  • .lst
  • .lwp
  • .mbox
  • .msg
  • .mw
  • .pages
  • .wpr
  • .tiff
  • .ppt
  • .pptx

The files are then compressed into a ZIP archive and stored in the following location:

  • /tmp/

The trojan attempts to send the collected files to a remote machine. The trojan contains a URL address. The HTTP protocol is used.

Other information

The trojan creates the following files:

  • state.dat
  • Date.dat
  • Fail.dat
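
A triage check built from the file names and the /tmp staging location listed above, as an added example that is not ESET's or the trojan's own code. The function names, the two-marker threshold and the default search root are assumptions; the write-up gives no directory for the marker files and no name for the archive.

```python
import os
import sys
from collections import defaultdict

# File names taken from the write-up above; compared case-insensitively
# because the default macOS file system is case-insensitive.
MARKERS = {"filebackup.ini", "state.dat", "date.dat", "fail.dat"}
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06")  # local file header / empty archive


def find_marker_dirs(root, min_hits=2):
    """Return {directory: sorted marker names} for directories that hold
    at least min_hits of the marker files. A name such as state.dat is
    too generic to mean anything alone, so co-location is required."""
    hits = defaultdict(set)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in MARKERS:
                hits[dirpath].add(name.lower())
    return {d: sorted(n) for d, n in hits.items() if len(n) >= min_hits}


def find_zip_files(staging_dir):
    """Return regular files directly inside staging_dir that start with a
    ZIP signature. The archive name is not given in the write-up, so the
    content is checked instead of the extension."""
    found = []
    try:
        entries = list(os.scandir(staging_dir))
    except OSError:
        return found
    for entry in entries:
        try:
            if not entry.is_file(follow_symlinks=False):
                continue
            with open(entry.path, "rb") as fh:
                if fh.read(4) in ZIP_MAGIC:
                    found.append(entry.path)
        except OSError:
            continue  # unreadable or vanished between listing and open
    return sorted(found)


if __name__ == "__main__":
    search_root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    for directory, names in sorted(find_marker_dirs(search_root).items()):
        print(f"marker files {names} in {directory}")
    for path in find_zip_files("/tmp"):
        print(f"ZIP archive in staging location: {path}")
```

A hit is a lead for review rather than a verdict, since other software also writes ZIP files to /tmp and uses names such as state.dat.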