About:
OSX/MusMinim-A is a Remote Access Trojan (RAT) for the OSX platform, which is also known as BlackHole RAT.
OSX/MusMinim-A's main threat component is a backdoor, which acts as the server half of a client-server pair of applications.
BlackHole RAT Client.app
BlackHole RAT Server.app
Both the server and the client components are detected by Sophos as OSX/MusMinim-A.
OSX/MusMinim-A includes functionality to provide a remote attacker with the following capabilities:
- Place a text file on the desktop
- Send a restart, shutdown or sleep command
- Run an arbitrary shell command
- Place a full screen window with a message that only allows you to click reboot
- Send a URL to be opened on the infected machine
- Display a fake "Administrator Password" window to phish the administrator credentials on the infected machine
Systems infected by BlackHole Rat Server.app can be directed to any arbitrary URL as commanded by an operator connected to the server via BlackHole Rat Client.app.
Note: Folders with an .app extension are treated specially on OS X. .App folders are actually Application bundles. On OS X, most Applications in the /Applications directory are Application Bundle directories themselves. When a user double clicks on an .app directory (or opens them via Terminal), the loader knows to launch the executable within these folders instead of showing the folder's contents. The actual file that contains the executable code lies contained somewhere inside of that directory.
If you wish to see the contents of these directories, you can navigate into these directories by CDing into them via Terminal, or right-click "Show Package Contents."
The actual file executed is specified in Contents/Info.plist. This is a special type of XML file that provides information about this Application bundle, including what file to execute when this bundle is launched.
For BlackHole RAT Client.app, the executable is:
BlackHole RAT Client.app/Contents/MacOS/BlackHole RAT Client, a Mach-O i386 executable (developed using RealBasic)
For BlackHole RAT Server.app, the executable is:
BlackHole RAT Server.app/Contents/MacOS/BlackHole RAT Server, which again is a Mach-O i386 executable (developed using RealBasic)
When running, systems infected with the server component may have the following ports open:
tcp:7777
tcp:7779
tcp:7780
tcp:7781
tcp:7782
tcp:9999
tcp:10000
tcp:10001
tcp:10004
tcp:10005
OSX/MusMinim-A lacks even basic authentication or encryption between the client and the server. As a result, any text sent to port tcp:7782 on the server, will result in the server presenting that text in a pop-up on the infected system.
If the server is running on a NAT-enabled network, the corresponding client component could only connect from the local network.
This threat does not spread or install itself, so unless an attacker has specifically added a startup script or cron, simply restarting your system will likely terminate any running instances. The server component may be listed in a processes list as "BlackHole." Any unknown process either named "BlackHole" or with open file handles to files containing "BlackHole" in the path should be considered suspicious.
As this threat is still in its infancy--the samples seen so far even refer to themselves as "under development"—users are unlikely to encounter this threat in the wild, and thus the risk is exceptionally low.