OSX/MusMinim-A, also known as “BlackHole RAT”, is a Remote Access Trojan (RAT) for the Mac OS X platform. SophosLabs analyzed the sample it received and determined that it is a variant of darkComet, a well-known Remote Access Trojan for Windows.
The trojan’s unknown author describes it as a “beta” version whose functionality is expected to grow over time. OSX/MusMinim-A’s main threat component is a backdoor, which acts as the server half of a client-server pair of applications: the backdoor runs on the infected Mac and waits for instructions from the attacker’s client, the company said.
Sophos, which discovered the BlackHole RAT Trojan, says that it can remove it (whew!) with its Sophos Anti-Virus product for the Macintosh, which it distributes for free (Yay! Free!). According to Sophos, the most common way your Mac may become infected is by downloading the trojan bundled with pirated software.
According to a Sophos blog post authored by Chester Wisniewski, the Trojan’s basic functionality includes:
- Placing text files on the desktop
- Sending a restart, shutdown or sleep command
- Running arbitrary shell commands
- Placing a full-screen window with a message that only allows you to click reboot
- Sending URLs to the client to open a website
- Popping up a fake “Administrator Password” window to phish the target
In its present form, the trojan also displays a message alongside the reboot command (spelling and capitalization as in the original): “I am a Trojan Horse, so i have infected your Mac Computer,” it says. “I know, most people think Macs can’t be infected, but look, you ARE Infected! I have full controll over your Computer and i can do everything I want, and you can do nothing to prevent it. So, Im a very new Virus, under Development, so there will be much more functions when im finished.”