A slightly modified variant of MacCinema was spotted in “MacPlay.dmg”. Once you execute it, it will still display MacCinema installer. However, few modification was found in preinstall & preupgrade scripts as shown in Figure 01.
Obviously, attackers are trying to maximize these threats. The obfuscated data will extract another script, which we already seen it from previous variant.
This Trojan has been in-the-wild for months now and as it continuously proliferates in the internet, new Macintosh users are often found falling into its tricks.
Stay away from this threat!