Anyone have a clue on the attack vector? A reddit post said that the presence of the "/Library/Application Support/JavaW" indicates an infected system. Flash? Java?

Perhaps some kind of pirated Minecraft client is the vector? Java is needed, mods to that area are probably ignored, and the malware is connecting to a Reddit Minecraft forum which is something that is almost certainly not blocked by the victim if they're a player/fan.

http://news.drweb.com/show/?i=5977&c=5&lng=en&p=0 - Analysis

can someone explain why does the infected machine have to connect to Reddit to read the list of IP addresses?

I know a lot of malware checks google.com to see if they are connected to the internet, as it is usually a site that is up and not blocked. Haven't looked into it yet to see if this is the case as well