OSX/HellRTS [Threat Name]

OSX/HellRTS.AA [Threat Variant Name]

Category trojan
Size 3307783 B
Aliases Backdoor.OSX.Reshe.a (Kaspersky)
  OSX.HellRTS (Symantec)
  Trojan:Win32/Bumat!rts (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely.


When executed, the trojan copies itself into the %home%/Library/%variable1% folder using the following name:

  • %variable2%.app

A string with variable content is used instead of %variable1-2%.

The trojan modifies the following file:

  • %home%/Library/Preferences/loginwindow.plist

This file holds the user's login items, so the change registers the copied bundle as a login item and causes the trojan to be executed every time the user logs in.

Information stealing

The trojan displays a dialog box whose purpose is to persuade the user to fill in personal information.

The trojan collects the following information:

  • login name
  • login password
  • data from the clipboard

The trojan attempts to send gathered information to a remote machine.

HTTP, FTP or SMTP is used to transmit the data.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

It can execute the following operations:

  • capture screenshots
  • send files to a remote computer
  • download files from a remote computer and/or the Internet
  • various file system operations
  • run executable files
  • execute shell commands
  • shut down/restart the computer
  • log off the current user
  • send data to the printer
  • open a specific URL address
  • change the sound volume
  • open the CD/DVD drive
  • play sound/video
  • watch the user's screen content

The trojan opens TCP port 24745.
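The two host-side indicators in this write-up, the login item written to loginwindow.plist and the listener on TCP port 24745, can be checked with a small triage script. The following is an added example, not code from the ESET write-up or from the malware itself. It assumes a loginwindow.plist in the pre-10.7 AutoLaunchedApplicationDictionary layout and `lsof -nP -iTCP -sTCP:LISTEN` style output; the plist, the socket listing, the user name `alice` and the folder name `rt4kz` are constructed for the demo, and the set of known-benign Library subfolders is an assumption to be extended locally.

```python
"""Triage checks for the persistence and listener indicators described above.
Added example; not code from the ESET write-up or from the malware.
The plist and lsof output below are constructed for the demo."""
import plistlib
import re
from pathlib import PurePosixPath

HELLRTS_PORT = 24745  # listener port named in the write-up

# ~/Library subfolders that legitimately hold .app bundles. Anything else
# launched at login from %home%/Library/<folder>/<name>.app matches the
# pattern in the write-up. Assumed list for the demo; extend as needed.
KNOWN_APP_SUBDIRS = {"Application Support", "PreferencePanes", "Services",
                     "Input Methods", "Screen Savers"}

# Constructed loginwindow.plist. AutoLaunchedApplicationDictionary is the
# key Mac OS X 10.4-10.6 used for per-user login items; "Hide" is the
# per-item flag that keeps the app out of view at launch.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>AutoLaunchedApplicationDictionary</key>
  <array>
    <dict><key>Hide</key><false/><key>Path</key><string>/Applications/iTunes.app</string></dict>
    <dict><key>Hide</key><true/><key>Path</key><string>/Users/alice/Library/rt4kz/Updater.app</string></dict>
    <dict><key>Hide</key><false/><key>Path</key><string>/Users/alice/Library/Application Support/Foo/Foo.app</string></dict>
  </array>
</dict>
</plist>
"""

# Constructed `lsof -nP -iTCP -sTCP:LISTEN`-style output.
SAMPLE_LSOF = """\
COMMAND   PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
launchd     1  root    8u  IPv6 0x1a2b3c4d5e6f0001      0t0  TCP *:22 (LISTEN)
Updater   512 alice    5u  IPv4 0x1a2b3c4d5e6f0002      0t0  TCP *:24745 (LISTEN)
Safari    600 alice   12u  IPv4 0x1a2b3c4d5e6f0003      0t0  TCP 10.0.0.5:50321->93.184.216.34:443 (ESTABLISHED)
"""

LISTEN_RE = re.compile(r"^(\S+)\s+(\d+)\s+\S+.*\sTCP\s+\S*:(\d+)\s+\(LISTEN\)\s*$")


def suspicious_login_items(plist_bytes, home="/Users/alice"):
    """Return (path, hidden) for login items that are a .app bundle sitting
    directly inside an unexpected %home%/Library/<folder>/ directory."""
    library = PurePosixPath(home) / "Library"
    items = plistlib.loads(plist_bytes).get("AutoLaunchedApplicationDictionary", [])
    found = []
    for item in items:
        path = PurePosixPath(item.get("Path", ""))
        try:
            parts = path.relative_to(library).parts
        except ValueError:
            continue  # not under ~/Library at all
        # Exactly <folder>/<name>.app, with <folder> not a known app home
        if len(parts) == 2 and parts[1].endswith(".app") and parts[0] not in KNOWN_APP_SUBDIRS:
            found.append((str(path), bool(item.get("Hide", False))))
    return found


def listeners_on_port(lsof_text, port):
    """Return (command, pid) for every TCP listener bound to `port`."""
    hits = []
    for line in lsof_text.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group(3)) == port:
            hits.append((m.group(1), int(m.group(2))))
    return hits


if __name__ == "__main__":
    for path, hidden in suspicious_login_items(SAMPLE_PLIST):
        print(f"login item: {path} (Hide={hidden})")
    for cmd, pid in listeners_on_port(SAMPLE_LSOF, HELLRTS_PORT):
        print(f"listener on tcp/{HELLRTS_PORT}: {cmd} pid {pid}")
```

On a live host, feed `suspicious_login_items` the bytes of the real `~/Library/Preferences/loginwindow.plist` (plistlib accepts both XML and binary plists) and `listeners_on_port` the output of `lsof -nP -iTCP -sTCP:LISTEN`. The port check is only as good as the sample it came from; the login-item pattern is the more durable indicator because it follows from the install path the write-up describes, not from a number the operator can change.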

The trojan can hide its Dock icon.

