OSX/HackBack-A

Category: Viruses and Spyware
Protection available since: 21 Apr 2012 02:14:00 (GMT)
Type: Trojan
Last Updated: 09 May 2014 11:57:25 (GMT)
Prevalence: Small Number of Reports


OSX/HackBack-A is designed to take a list of file types, find all files matching those types on the host machine, compress them into a zip file stored in /tmp/ and upload them to a remote server.

OSX/HackBack-A also spawns a second process that sets up a persistent login item for the parent process (so that it will automatically run in the background every time the user logs in).

The ini file used by OSX/HackBack-A instructs it to upload all files from a predefined set of locations that have one of the following file types:
txt;doc;docx;eml;emlx;fdf;fdr;pdf;jpg;jpeg;xls;xlsx;fdx;idx;knt;kwd;log;lst;lwp;mbox;msg;mw;pages;wpr;tiff;ppt;pptx

OSX/HackBack-A attempts to start searching for files from /, and if this fails, starts from the location of a file called state.dat.  It also drops a number of log files, including Date.dat and Fail.dat.
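A defender-side triage sketch for the artifacts described above, added here as an example (it is not Sophos code and not part of the original entry): it flags zip archives in a temp directory whose members all carry extensions from the ini list, and directories that hold two or more of the named .dat files. The function names, the thresholds, and the idea that the .dat files sit together in one directory are assumptions of this example; the directory tree it runs on is constructed.

```python
import os
import tempfile
import zipfile

# Extension list copied from the ini file quoted above.
TARGET_EXTS = set(("txt;doc;docx;eml;emlx;fdf;fdr;pdf;jpg;jpeg;xls;xlsx;fdx;idx;knt;"
                   "kwd;log;lst;lwp;mbox;msg;mw;pages;wpr;tiff;ppt;pptx").split(";"))
# File names the description mentions, lower-cased for comparison.
MARKERS = {"state.dat", "date.dat", "fail.dat"}

def staged_archives(tmp_dir, min_members=3):
    """Zip files in tmp_dir whose members all carry a targeted extension."""
    hits = []
    for entry in sorted(os.listdir(tmp_dir)):
        path = os.path.join(tmp_dir, entry)
        if not zipfile.is_zipfile(path):
            continue
        with zipfile.ZipFile(path) as zf:
            names = [n for n in zf.namelist() if not n.endswith("/")]
        exts = {os.path.splitext(n)[1].lstrip(".").lower() for n in names}
        if len(names) >= min_members and exts <= TARGET_EXTS:
            hits.append(entry)
    return hits

def marker_dirs(root, min_markers=2):
    """Directories under root holding at least min_markers marker files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        found = MARKERS & {f.lower() for f in files}
        if len(found) >= min_markers:
            hits.append((dirpath, sorted(found)))
    return hits

def demo():
    """Run both checks over a constructed directory tree (no real samples)."""
    samples = {"a1.zip": ("notes.txt", "Docs/plan.docx", "scan.PDF"),
               "build.zip": ("main.c", "Makefile", "README.txt")}
    with tempfile.TemporaryDirectory() as root:
        tmp = os.path.join(root, "tmp")
        os.mkdir(tmp)
        for zip_name, members in samples.items():
            with zipfile.ZipFile(os.path.join(tmp, zip_name), "w") as zf:
                for member in members:
                    zf.writestr(member, "constructed sample")
        for name in ("state.dat", "Date.dat"):
            open(os.path.join(root, name), "w").close()
        return staged_archives(tmp), [m for _, m in marker_dirs(root)]

if __name__ == "__main__":
    print(demo())
```

A hit from either check is a lead for manual review, not a verdict: ordinary document backups also produce zip files made up only of these extensions.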

Examples of OSX/HackBack-A include:

Example 1

File Information

Size: 8.8K
SHA-1: 193b58ac80bff22c9f2082891c3b645ce184084f
MD5: 227b6bd28e15639d8f1a11686aba45c8
CRC-32: 6ba63759
File type: Unspecified binary - probably data
First seen: 2012-04-20

Example 2

File Information

Size: 113K
SHA-1: 1eedde872cc14492b2e6570229c0f9bc54b3f258
MD5: 7505197b6b30d5800ffdc4427576780c
CRC-32: 23075df4
File type: Apple Mac executable
First seen: 2013-05-17

Example 3

File Information

Size: 59K
SHA-1: 40b03c7693d647db00404deea4d7bcf9a1b7fc50
MD5: 2e5345da904bba1c116b818fc9d5ab8f
CRC-32: 4dc26546
File type: Unspecified binary - probably data
First seen: 2013-05-18