This malware was found within a copy of the iWork suite on BitTorrent. The iWork application suite had the malicious package “iWorkServices.pkg” added to it. The installation of the malware starts automatically when installing iWork.

Source: Intego


The installer asks for the administrator password, and the malware adds itself to the startup folder /System/Library/StartupItems/iWorkServices. The malware then contacts its C&C and waits for additional commands. The remote attacker is able to execute different commands on the infected machine, such as httpget, shell, rshell and more.
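
A defender's check for the two indicators this page gives, the startup item path and the sample hash, written as an added example that is not part of the original page. The function names, the ROOT argument (so the check can run against a mounted image or backup) and the reading of the 40-character sample value as SHA-1 are assumptions.

```shell
#!/bin/sh
# Added example: sweep for the two indicators given on this page.
# Indicators come from the page; function names and ROOT are assumptions.
IOC_STARTUP_ITEM="System/Library/StartupItems/iWorkServices"  # page path, spelling corrected
IOC_SHA1="6807d7e2134b8084fc00b17c616045aab575fd84"           # page sample, assumed SHA-1

# Print the SHA-1 of a file with whichever tool is installed.
sha1_of() {
    if command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | awk '{print $1}'
    elif command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    fi
}

# check_iworkservices ROOT [PATH...]
#   ROOT: filesystem root to inspect ("/" or a mounted image or backup)
#   PATH: extra files or directories to hash, e.g. a downloads folder
# Prints one line per finding; returns 0 if clean, 1 if anything matched.
check_iworkservices() {
    root="${1:-/}"
    if [ "$#" -gt 0 ]; then shift; fi
    found=0
    item="${root%/}/$IOC_STARTUP_ITEM"
    if [ -e "$item" ]; then
        echo "FOUND startup item: $item"
        found=1
    fi
    if [ "$#" -gt 0 ]; then
        # Collect matches in a variable: the loop runs in a subshell.
        hits=$(find "$@" -type f 2>/dev/null | while IFS= read -r f; do
            if [ "$(sha1_of "$f")" = "$IOC_SHA1" ]; then
                echo "FOUND sample hash: $f"
            fi
        done)
        if [ -n "$hits" ]; then
            echo "$hits"
            found=1
        fi
    fi
    return "$found"
}

# Run only when arguments are supplied, e.g.: sh check.sh / "$HOME/Downloads"
if [ "$#" -gt 0 ]; then
    check_iworkservices "$@"
fi
```

A non-zero exit status means at least one indicator was present under the inspected root or among the hashed paths.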


Samples:
6807d7e2134b8084fc00b17c616045aab575fd84