OSX/XSLCmd [Threat Name]
OSX/XSLCmd.A [Threat Variant Name]
Category | trojan
Size | 115984 B
Aliases | Backdoor.OSX.Belfibod.a (Kaspersky), OSX.Slordu (Symantec), MacOS:XSLCmd-A (Avast)
Short description
The trojan serves as a backdoor. It can be controlled remotely.
Installation
When executed, the trojan copies itself into some of the following locations:
- %home%/Library/LaunchAgents/clipboardd
- /Library/Logs/clipboardd
The following files may be dropped:
- %home%/Library/LaunchAgents/com.apple.service.clipboardd.plist
- /Library/LaunchAgents/com.apple.service.clipboardd.plist
This way the trojan ensures that the file is executed on every system start.
The trojan attempts to modify the following files:
- /bin/ssh
The trojan creates the following folders:
- %home%/.fontset
The trojan may create the following folders:
- %home%/Library/Logs/BackupData
The trojan may create the following files:
- %home%/.fontset/pxupdate.ini
- %home%/.fontset/chkdiska.dat
- %home%/.fontset/chkdiskc.dat
The trojan may execute the following commands:
- launchctl load com.apple.service.clipboardd.plist
After the installation is complete, the trojan deletes the original executable file.
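To check a host or a mounted disk image for the installation artifacts listed above, here is an added example in Python (not ESET's code and not part of the original description). The artifact paths come from this description; the account name /Users/victim and the contents of the LaunchAgent plist built in demo() are assumptions, since the description does not show the plist.

```python
import plistlib
import tempfile
from pathlib import Path

# Artifact paths from the description above; %home% is expanded at scan time.
XSLCMD_ARTIFACTS = (
    "%home%/Library/LaunchAgents/clipboardd", "/Library/Logs/clipboardd",
    "%home%/Library/LaunchAgents/com.apple.service.clipboardd.plist",
    "/Library/LaunchAgents/com.apple.service.clipboardd.plist",
    "%home%/.fontset", "%home%/.fontset/pxupdate.ini",
    "%home%/.fontset/chkdiska.dat", "%home%/.fontset/chkdiskc.dat",
    "%home%/Library/Logs/BackupData",
)

def resolve(template, home, root="/"):
    """Expand %home% and re-root under `root` so a mounted image or a test tree can be scanned."""
    return Path(root) / template.replace("%home%", home).lstrip("/")

def launch_agent_program(plist_path):
    """Program a LaunchAgent plist starts (Program, else ProgramArguments[0]); None if unreadable."""
    try:
        with open(plist_path, "rb") as fh:
            data = plistlib.load(fh)
    except Exception:  # missing, unreadable or malformed plist
        return None
    args = data.get("ProgramArguments") or []
    return data.get("Program") or (args[0] if args else None)

def scan(home, root="/"):
    """Map each listed artifact that exists to its path, or for plists to the program they launch."""
    hits = {}
    for template in XSLCMD_ARTIFACTS:
        path = resolve(template, home, root)
        if path.exists():
            hits[template] = launch_agent_program(path) if path.suffix == ".plist" else str(path)
    return hits

def demo():
    """Constructed sample tree (not a real infection): the user LaunchAgent plist plus two .fontset files."""
    root, home = Path(tempfile.mkdtemp()), "/Users/victim"  # hypothetical account name
    plist = resolve("%home%/Library/LaunchAgents/com.apple.service.clipboardd.plist", home, root)
    plist.parent.mkdir(parents=True)
    with open(plist, "wb") as fh:  # assumed plist shape; the description does not show its contents
        plistlib.dump({"Label": "com.apple.service.clipboardd", "RunAtLoad": True,
                       "ProgramArguments": [home + "/Library/LaunchAgents/clipboardd"]}, fh)
    for name in ("pxupdate.ini", "chkdiska.dat"):
        target = resolve("%home%/.fontset/" + name, home, root)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.touch()
    return scan(home, root)
```

Call `demo()` to see the scan run over the constructed tree, or `scan(str(Path.home()))` to check the live machine; a hit on a plist also reports which program it would launch at login.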
Information stealing
OSX/XSLCmd.A is a trojan that steals sensitive information.
The following information is collected:
- operating system version
- user name
- computer name
- the path to specific folders
- file contents
- the list of installed software
The trojan is able to log keystrokes.
The trojan searches for files with the following file extensions:
- .doc
- .docx
- .ppt
- .pptx
The trojan can send the information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 3 URLs. The HTTP protocol is used.
It can execute the following operations:
- execute shell commands
- stop itself for a certain time period
- send gathered information
- capture screenshots
- log keystrokes
- update itself to a newer version
- set file attributes
- delete files
- remove itself from the infected computer
- connect to remote computers on a specific port