Yesterday, ESET announced the discovery of a new threat against the Apple Mac OS X platform. Today, we have found a new version of the same threat. The new version is similar to the previous one, with two important differences: it now implements persistence on an infected system, and it carries updated command and control information.
OSX/Tsunami.A adds an entry to LaunchDaemons, named /System/Library/LaunchDaemons/com.apple.logind.plist. This entry starts an executable, /usr/sbin/logind. The content of the LaunchDaemons entry is shown in the following screenshot.
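A defender-side check for the persistence entry described above, as an added example (not code from ESET or from this post): it parses every plist in a LaunchDaemons directory and reports any whose filename, Label, or launched program matches the indicators given above. The plist content it writes for the demo is constructed from those indicators only, since the screenshot is not reproduced here.

```python
"""Scan a LaunchDaemons directory for the OSX/Tsunami.A persistence entry."""
import os
import plistlib
import tempfile
from xml.parsers.expat import ExpatError

# Indicators taken from the write-up above.
TSUNAMI_PLIST = "com.apple.logind.plist"
TSUNAMI_LABEL = "com.apple.logind"
TSUNAMI_BINARY = "/usr/sbin/logind"


def launched_program(job):
    """Return the program a launchd job starts: Program, else ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def scan_launchdaemons(directory):
    """Return (filename, reason) findings for entries matching the Tsunami indicators."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        try:
            with open(os.path.join(directory, name), "rb") as fh:
                job = plistlib.load(fh)
        except (plistlib.InvalidFileException, ValueError, ExpatError) as exc:
            findings.append((name, f"unparseable plist: {exc}"))  # worth a look too
            continue
        if name == TSUNAMI_PLIST or job.get("Label") == TSUNAMI_LABEL:
            findings.append((name, "label/filename matches OSX/Tsunami.A entry"))
        if launched_program(job) == TSUNAMI_BINARY:
            findings.append((name, f"starts Tsunami binary {TSUNAMI_BINARY}"))
    return findings


def demo_scan():
    """Write a CONSTRUCTED plist mimicking the entry, scan it, return the findings."""
    job = {"Label": TSUNAMI_LABEL, "ProgramArguments": [TSUNAMI_BINARY], "RunAtLoad": True}
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, TSUNAMI_PLIST), "wb") as fh:
            plistlib.dump(job, fh)
        return scan_launchdaemons(tmp)


if __name__ == "__main__":
    for finding in demo_scan():
        print(*finding)
    # On a real host: scan_launchdaemons("/System/Library/LaunchDaemons")
```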
Although the samples we have received come from two different countries on two different continents, our telemetry data still indicates that there are very few hosts infected with this malware.
It is our belief that the people behind this threat are in the process of testing their creation. They are probably adapting the code, originally written for Linux, to the OS X platform. We are still unaware of any specific infection vector for this threat. It can be installed manually by an attacker or in an automated way.
MD5 hash of the analyzed binary: 3eb0744d73178a3e7bd070c862cd2c69
Author: Pierre-Marc Bureau, Senior Malware Researcher, ESET