Latest Threat: MacCinema

MacCinema is the latest OS X threat, first identified by SEO Ireland while they were auditing their sites. It's not really new: it is an update of MacAccess, although this time it uses different strings and clever obfuscation, but overall the installation and behavior remain the same.

[Image: preinstall]

So, here’s the fixed one…

This will output the script below…

Notice the IP address “213.163.64.78”. This is the backdoor IP, and the backdoor is executed through a cron job. The backdoor is responsible for executing or installing “DNSChanger”, which will change or add malicious DNS entries: 85.255.112.81, 85.255.112.114

[Image: integostrikesagain]

Notice “enialbdivad 777 nigeb”; obviously we have to fix it again…

To satisfy our curiosity, here's the final deobfuscated script.

[Image: final]
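The “fix” applied to strings like “enialbdivad 777 nigeb” can be scripted. The following is an added example, not code from the original post or from the sample: it assumes every line was reversed character by character (as `rev` does) and that the restored text is a standard uuencode block, since the marker reads “begin 777 davidblaine” right to left. The function names and the harmless sample payload are constructed for illustration.

```python
import binascii
import re

# A uuencode header as it looks once the line is read right to left,
# e.g. "enialbdivad 777 nigeb" -> "begin 777 davidblaine".
UU_HEADER = re.compile(r"^begin [0-7]{3} \S+$")


def find_reversed_uu(lines):
    """Index of the first line that is a uuencode header when reversed, else None."""
    for i, line in enumerate(lines):
        if UU_HEADER.match(line[::-1]):
            return i
    return None


def decode_reversed_uu(text):
    """Undo per-line reversal (assumed obfuscation) and uudecode the block.

    Returns (filename, mode, payload_bytes), or None if no reversed header exists.
    """
    lines = text.splitlines()
    start = find_reversed_uu(lines)
    if start is None:
        return None
    _, mode, name = lines[start][::-1].split(" ", 2)
    payload = bytearray()
    for line in lines[start + 1:]:
        plain = line[::-1]
        if plain == "end":          # uuencode trailer
            break
        if plain:
            payload += binascii.a2b_uu(plain)
    return name, mode, bytes(payload)


def make_sample(payload):
    """Build a constructed sample obfuscated the same assumed way (for testing only)."""
    body = [binascii.b2a_uu(payload[i:i + 45]).decode().rstrip("\n")
            for i in range(0, len(payload), 45)]
    plain = ["#!/bin/sh", "begin 777 davidblaine", *body, "`", "end"]
    return "\n".join(line[::-1] for line in plain)


if __name__ == "__main__":
    sample = make_sample(b"echo constructed payload, not taken from the real installer\n")
    print(decode_reversed_uu(sample))
```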

To remove this threat, just follow the MacAccess removal instructions.