This malware was found within a copy of the iWork suite on BitTorrent. The iWork application suite had the malicious package “iWorkServices.pkg” added to it. Installation of the malware starts automatically when iWork is installed.
The installer asks for an administrator password, and the malware adds itself to the startup folder /System/Library/StartupItems/iWorkServices. The malware then contacts its C&C and waits for additional commands. The remote attacker is able to execute different commands on the infected machine, such as httpget, shell, rshell and more.
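The persistence location described above can be checked on a live system or on a mounted disk image. The script below is an added example, not part of the original write-up. Its function names are hypothetical, and it also lists /Library/StartupItems, the other standard startup-item directory, so that unexpected entries there are visible too.

```shell
#!/bin/sh
# Added example: look for the startup item this page describes.
# Usage: sh check_startupitems.sh /            (live system)
#        sh check_startupitems.sh /Volumes/img (mounted image; path is an assumption)

# Indicator path from the page, relative to the root being examined.
IOC_REL="System/Library/StartupItems/iWorkServices"

# Print every StartupItems entry under the given root, one per line.
# Lines start with "IOC" for the page's indicator and "ITEM" for anything else.
list_startup_items() {
    root="${1%/}"
    for dir in "$root/System/Library/StartupItems" "$root/Library/StartupItems"; do
        [ -d "$dir" ] || continue
        for entry in "$dir"/*; do
            [ -e "$entry" ] || continue   # glob matched nothing
            if [ "$entry" = "$root/$IOC_REL" ]; then
                echo "IOC  $entry"
            else
                echo "ITEM $entry"
            fi
        done
    done
}

# Return 0 and print the full path if the indicator exists under the root,
# otherwise return 1 and print nothing.
check_iworkservices() {
    root="${1%/}"
    if [ -e "$root/$IOC_REL" ]; then
        echo "$root/$IOC_REL"
        return 0
    fi
    return 1
}

# Only scan when a root is given on the command line.
if [ "$#" -gt 0 ]; then
    list_startup_items "$1"
fi
```

Any line starting with `IOC` means the startup item named on this page is present under the examined root.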