OSX_JAHLAV.D Trojan Disguised as MacCinema Installer

A recently discovered DNS-changing Trojan called OSX_JAHLAV.D is being disguised as a MacCinema installer.

Mac users are being warned of a supposed new QuickTime Player update, with the file name QuickTimeUpdate.dmg, that installs malware onto a Mac system. Currently the threat is detected as OSX_JAHLAV.D by some security applications. OSX_JAHLAV.D was discovered to be a DNS changer that could redirect an infected system to malicious or undesired websites. Many of the websites to which infected Mac users may be redirected lead to other malware infections or phishing scams.

The MacCinema installer is the known culprit of this infection. The scheme is similar to one that plagued many PCs through a fake Adobe Flash Player download. Such infections typically happen when a computer user is offered a video from a malicious source but is told to first download an update to their Flash Player, or in a Mac user's case a QuickTime update, in order to view it. Once the fake updater or installation file is downloaded, it can infect the system with a dangerous Trojan. Even though Mac OS malware is uncommon, hackers still exploit those systems.

Mac users infected with the OSX_JAHLAV.D Trojan may be redirected to several different .com domains from the IP address 91.214.45.73 (do not visit):

[source: Trend Micro]

Mac users are strongly advised to stay clear of these domains and to avoid clicking on suspicious links or links they are not sure of.
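A DNS changer takes effect through the resolvers the system queries, so one practical check is to compare the nameservers a Mac is actually using against the ones you expect. The script below is an added example, not part of the original article or of Trend Micro's report; it parses the output of `scutil --dns`, and the `EXPECTED` list and the embedded sample output (which uses documentation-range addresses) are constructed assumptions.

```shell
#!/bin/sh
# Added example: flag DNS resolvers that are not on an expected list.
# EXPECTED is an assumption; set it to the resolvers your network hands out.
EXPECTED="${EXPECTED:-192.168.1.1 1.1.1.1}"

# Constructed sample in the layout printed by `scutil --dns` on macOS.
sample_scutil_output() {
cat <<'EOF'
DNS configuration

resolver #1
  search domain[0] : home.example
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.53
  if_index : 4 (en0)

resolver #2
  domain   : local
  options  : mdns

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.53
  if_index : 4 (en0)
EOF
}

# Read `scutil --dns` text on stdin, print each distinct nameserver once.
extract_nameservers() {
    awk '$1 ~ /^nameserver\[[0-9]+\]$/ && $2 == ":" && !seen[$NF]++ { print $NF }'
}

# Print resolvers from stdin that are absent from the space-separated list in $1.
# Exit status 1 means at least one unexpected resolver was found.
unexpected_resolvers() {
    extract_nameservers | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok) { print; bad = 1 }
        END { exit bad + 0 }'
}

# Use the live configuration on a Mac, the constructed sample elsewhere.
if command -v scutil >/dev/null 2>&1; then src="scutil --dns"; else src=sample_scutil_output; fi
if found=$($src | unexpected_resolvers "$EXPECTED"); then
    echo "All configured resolvers are on the expected list."
else
    echo "Unexpected DNS resolvers, review Network settings:"; echo "$found"
fi
```

A resolver that is flagged is not proof of infection (VPNs and some networks legitimately hand out others), but it is the setting to verify first on a machine where a fake installer was run.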
