{
	"id": "6cc03d12-f2bd-4227-aca9-882cf2deed9d",
	"created_at": "2026-04-06T00:17:49.284076Z",
	"updated_at": "2026-04-10T03:21:02.414167Z",
	"deleted_at": null,
	"sha1_hash": "f5cd333e3df571e9fcb5b44ec99a494162c68a00",
	"title": "New Apple Mac Trojan Called OSX/Crisis Discovered",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 548767,
	"plain_text": "New Apple Mac Trojan Called OSX/Crisis Discovered\r\nBy Lysa Myers\r\nPublished: 2012-07-25 · Archived: 2026-04-05 13:42:25 UTC\r\nMalware + Recommended\r\nPosted on July 24th, 2012\r\nIntego has discovered a new Trojan called OSX/Crisis. This threat is a dropper which creates a backdoor when it’s run. It installs silently, without requiring a password, and works only on OS X versions 10.6 and 10.7 (Snow Leopard and Lion). Update: This threat may run on Leopard 10.5, but it has a tendency to crash there. It does not run on the new Mountain Lion 10.8.\r\nThe Trojan preserves itself across reboots (i.e. it establishes persistence), so it will continue to run until it’s removed. Depending on whether or not the dropper runs under a user account with Admin permissions, it installs different components. We have not yet seen if or how this threat is installed on a user’s system; it may be that an installer component will try to obtain Admin permissions.\r\nIf the dropper runs with Admin permissions, it drops a rootkit to hide itself. In either case, it creates a number of files and folders to complete its tasks: 17 files when run with Admin permissions, 14 when run without. Many of these are randomly named, but some are consistent.\r\nWith or without Admin permissions, this folder is created in the infected user’s home directory:\r\n~/Library/ScriptingAdditions/appleHID/\r\nOnly with Admin permissions, this folder is created:\r\n/System/Library/Frameworks/Foundation.framework/XPCServices/\r\nThe backdoor component calls home to the IP address 176.58.100[.]37 every 5 minutes, awaiting instructions. The backdoor file is built in a way intended to make reverse-engineering tools harder to use when analyzing it. This sort of anti-analysis technique is common in Windows malware, but is relatively uncommon for OS X malware.\r\nIt uses low-level system calls to hide its activities, as shown in the following images:\r\n[Two images from the original post; not preserved in this archived text]\r\nIntego found samples of this malware on the VirusTotal website, a site used by security companies to share malware samples. This threat has not yet been found in the wild, and so far there is no indication that this Trojan has infected users, so right now the threat is considered low risk (note: see updates below). Nonetheless, Intego VirusBarrier X6 detects and removes this malware using today’s definitions. It detects the dropper component as OSX/Crisis, and the backdoor component as Backdoor:OSX/Crisis. It will also block connections to the IP address the backdoor component seeks to connect with.\r\nIntego VirusBarrier X6 users should update as soon as possible to get protection from this threat.\r\nWe are still analyzing the threat at this time. We will post a more in-depth analysis as we have more details.\r\nUpdate: We have posted a deeper dive into OSX/Crisis, and details about how this OSX/Crisis variant was used in a targeted attack. We have also written several write-ups about later OSX/Crisis variants. You may also be interested in our write-up of OSX/NetWeirdRC (aka NetWire), another commercial macOS remote access tool (RAT). See also our latest malware write-ups.\r\nHow can I learn more?\r\nEach week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.\r\nYou can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels.\r\nSource: https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?"
	],
	"report_names": [
		"?"
	],
	"threat_actors": [],
	"ts_created_at": 1775434669,
	"ts_updated_at": 1775791262,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f5cd333e3df571e9fcb5b44ec99a494162c68a00.pdf",
		"text": "https://archive.orkl.eu/f5cd333e3df571e9fcb5b44ec99a494162c68a00.txt",
		"img": "https://archive.orkl.eu/f5cd333e3df571e9fcb5b44ec99a494162c68a00.jpg"
	}
}
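The post above gives a responder three concrete indicators: the user-level folder `~/Library/ScriptingAdditions/appleHID/`, the admin-only folder `/System/Library/Frameworks/Foundation.framework/XPCServices/`, and a beacon to 176.58.100[.]37 every 5 minutes. The following is an added example written for this page, not code from Intego, the original post, or any Intego product. It checks for the two folders under caller-supplied roots (so it can be pointed at a mounted disk image instead of the live system) and flags hosts in a connection log that contact the C2 address at roughly 300-second intervals. The log line format, the sample log lines, every IP in them other than the C2 address, and the 30-second jitter tolerance are constructed assumptions; the post names no port or log source.

```python
"""IOC sweep for the OSX/Crisis indicators reported by Intego (added example,
not Intego's code). The file-system paths and the C2 address come from the
post; the log format and tolerance below are assumptions made for this example."""
import os
import re
from datetime import datetime

C2_IP = "176.58.100.37"          # beacon destination named in the post
BEACON_INTERVAL_S = 300          # "every 5 minutes" per the post
INTERVAL_TOLERANCE_S = 30        # assumption: allow jitter and timestamp rounding

# Folders the post reports. The user-level one is dropped with or without admin
# rights; the system-level one only when the dropper ran with admin permissions.
USER_IOC = "Library/ScriptingAdditions/appleHID"
SYSTEM_IOC = "System/Library/Frameworks/Foundation.framework/XPCServices"


def sweep_paths(home_dir, system_root="/"):
    """Return {indicator: present?} for the two dropped folders, resolved under
    the given home directory and system root (use a mounted image's paths to
    inspect an offline disk)."""
    return {
        "user_folder": os.path.isdir(os.path.join(home_dir, USER_IOC)),
        "system_folder": os.path.isdir(os.path.join(system_root, SYSTEM_IOC)),
    }


# Constructed log format for this example: "YYYY-mm-dd HH:MM:SS <src> -> <dst>"
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) -> (\S+)$")


def parse_log(lines):
    """Parse connection-log lines into (timestamp, src, dst); unparsable lines
    are skipped rather than aborting the sweep."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return events


def beaconing_hosts(lines):
    """Return {src: contact_count} for sources that reached C2_IP at least three
    times with consecutive gaps close to the 5-minute beacon interval. A single
    or irregular contact is not reported, so a one-off sandbox lookup of the
    address does not trip the check."""
    per_src = {}
    for ts, src, dst in parse_log(lines):
        if dst == C2_IP:
            per_src.setdefault(src, []).append(ts)
    result = {}
    for src, stamps in per_src.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        regular = [g for g in gaps if abs(g - BEACON_INTERVAL_S) <= INTERVAL_TOLERANCE_S]
        if len(regular) >= 2:  # three contacts, two beacon-sized gaps
            result[src] = len(stamps)
    return result


# Constructed sample log: 10.0.0.5 beacons every ~5 minutes, 10.0.0.9 touches the
# address twice 90 seconds apart, and one line is deliberately malformed.
SAMPLE_LOG = [
    "2012-07-24 10:00:00 10.0.0.5 -> 176.58.100.37",
    "2012-07-24 10:05:02 10.0.0.5 -> 176.58.100.37",
    "2012-07-24 10:09:58 10.0.0.5 -> 176.58.100.37",
    "2012-07-24 10:15:01 10.0.0.5 -> 176.58.100.37",
    "2012-07-24 10:03:00 10.0.0.9 -> 176.58.100.37",
    "2012-07-24 10:04:00 10.0.0.9 -> 203.0.113.7",
    "2012-07-24 10:04:30 10.0.0.9 -> 176.58.100.37",
    "this line is not a connection record",
]

if __name__ == "__main__":
    print("dropped folders:", sweep_paths(os.path.expanduser("~")))
    print("beaconing hosts:", beaconing_hosts(SAMPLE_LOG))
```

The periodicity check is deliberately stricter than a plain IP match: the post says the backdoor polls on a fixed 5-minute cadence, and requiring two consecutive beacon-sized gaps is what separates an infected host from an analyst or proxy that resolved the address once. Note that the system-level folder on a live, admin-infected host is hidden by the rootkit the post describes, so a negative result from `sweep_paths` on the running system is not conclusive; run it against the disk offline.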