Tweet

A Domain Naming System (DNS)-changing Trojan targeting Macs is currently making the rounds disguised as MacCinema Installer (detected by Trend Micro as OSX_JAHLAV.D. This is the latest variant of OSX_JAHLAV.C, which was identified in June.

The Trojan is supposedly a QuickTime Player update with the file name QuickTimeUpdate.dmg. As with its earlier variants, users are prompted to download the malware when trying to view certain online videos from .com domains with the IP address, 91.214.45.73 such as:

• allincorx
• bigdron
• cikaredo
• civilizxx
• comeandtryx
• deribrowns
• draxxtermania
• givendream
• hitrowzone
• jumborad
• ltdkeeper
• operationelx
• oxxadox
• paxxtiger
• rednetx
• rstdeals
• simplexdoom
• sinisteer
• tdenuwas
• tniredrum
• ufapeace

If infected, a victim’s Web traffic can then be diverted to the website of the attacker’s choosing.

The Trojan contains component files detected as UNIX_JAHLAV.D and obfuscated scripts detected as PERL_JAHLAV.F. The Perl script then downloads a file from a malicious site and stores it as /tmp/{random 3 numbers}, detected as UNIX_DNSCHAN.AA, which allows a malicious user to monitor the affected user’s activities. This may also cause the user to be redirected to phishing sites or sites where other malware may be downloaded from.

Trend Micro Advanced Threats Researcher Feike Hacquebord notes the domain names have been set up such that when the main IP goes or is taken down, cybercriminals can easily move the backend to another IP address without the need to change code or scripts.

It would serve Mac users well to stay away from the above-mentioned domains and IP addresses or be wary of prompts to download software updates that do not come from Apple’s legitimate website.

Mac users are protected by the Smart Protection Network through Trend Micro Security for Mac and Smart Surfing for Mac.