MacCinema is the latest OS X threat that is first identified by SEO Ireland, while they were auditing there sites . It’s not really new, it is an update of MacAccess although this time it uses different strings and clever obfuscation but overall the installation and behavior remains the same.
So, here’s the fixed one…
This will output script below…
Notice the IP Address “18.104.22.168″- This is the backdoor IP which executed through cronjob. The backdoor is responsible for executing or installing “DNSChanger” which will change or add malicious DNS entries : 22.214.171.124, es : 126.96.36.199
Notice “enialbdivad 777 nigeb”, obviously we have to fix again ….
To fill up our curiosity, here’s the final deobfuscated script.
To remove this threat, just follow MacAccess removal instruction.