Backdoor:MacOS_X/DevilRobber.A is a backdoor trojan that allows a remote attacker to steal information from the infected Mac and to use the machine for Bitcoin mining.
Installation
Backdoor:MacOS_X/DevilRobber.A is installed on a target system by a script called "startup.sh". This script creates a folder named "mdsa1331" in the user's Library folder ("~/Library") and executes the backdoor with the name "mdsa".
Once executed, the backdoor drops a configuration file called "status.cfg" and attempts to download and install additional applications or packages from a remote host. It then starts its backdoor communication by running a MiniSSDPd socket, which handles SSDP traffic sent to the multicast address 239.255.255.250 (or [FF02::C] in IPv6) on UDP port 1900.
When the backdoor receives an SSDP M-SEARCH (discovery) request, it answers with an HTTP-style response that includes the network information of the UPnP device. In this case, the backdoor's location is mapped to any of the following ports:
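The SSDP exchange described above, as an added example (not code from this write-up or from the malware): one function builds the standard M-SEARCH request sent to 239.255.255.250:1900, another parses the HTTP-style reply a responder sends back, and a third pulls the host and port out of its LOCATION header. The sample reply is constructed, and the addresses and port in it are made up. Since the port list the backdoor maps to is not given on this page, the script simply reports every responder's LOCATION endpoint so an analyst can spot one that is not a known UPnP device on the network.

```python
"""SSDP M-SEARCH probe and response parser (added example, not the write-up's code)."""
import socket
from urllib.parse import urlsplit

SSDP_GROUP = "239.255.255.250"   # IPv4 SSDP multicast group from the write-up
SSDP_PORT = 1900


def build_msearch(st: str = "ssdp:all", mx: int = 2) -> bytes:
    """Standard SSDP discovery request, as sent to the multicast group."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_GROUP}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_ssdp_response(data: bytes) -> dict:
    """Parse a responder's HTTP-style reply; header names are keyed lowercase."""
    text = data.decode("utf-8", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {"_status": status.strip()}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def location_endpoint(headers: dict):
    """(host, port) the LOCATION header points at, or None if absent/malformed."""
    loc = headers.get("location")
    if not loc:
        return None
    parts = urlsplit(loc)
    if not parts.hostname:
        return None
    port = parts.port if parts.port is not None else (443 if parts.scheme == "https" else 80)
    return parts.hostname, port


def discover(timeout: float = 3.0) -> list:
    """Send one M-SEARCH and collect (responder address, parsed headers) pairs."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP) as sock:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
        sock.settimeout(timeout)
        sock.sendto(build_msearch(), (SSDP_GROUP, SSDP_PORT))
        try:
            while True:
                data, addr = sock.recvfrom(65535)
                found.append((addr, parse_ssdp_response(data)))
        except socket.timeout:
            pass
    return found


# Constructed sample reply shaped like a UPnP responder's answer (not captured traffic;
# the address, port and UUID are made up).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"LOCATION: http://192.0.2.10:49152/rootDesc.xml\r\n"
    b"SERVER: Example/1.0 UPnP/1.0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("sample:", location_endpoint(parse_ssdp_response(SAMPLE_RESPONSE)))
    for addr, hdrs in discover():
        print(addr, hdrs.get("server"), location_endpoint(hdrs))
```

Run it on the local segment and compare each LOCATION host and port against the inventory of legitimate UPnP devices; a responder on a workstation, or one whose LOCATION points at an unexpected port, is worth a closer look.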
Payload
Steals information
Backdoor:MacOS_X/DevilRobber.A executes a shell script called "acab.sh", which runs an "mdfind" (Spotlight search) command and dumps the results matching the following strings into a file called "dump.txt":
The backdoor checks for a file called "abc.lck" in its installation folder, ~/Library/mdsa1331, and if it exists, extracts the following information:
- Bash history
- Safari browsing history stored in ~/Library/Safari/History.plist
Steals Bitcoins
It checks for a Bitcoin wallet at ~/Library/Application Support/Bitcoin/wallet.dat and dumps its contents. It also silently captures the screen and stores the image as "2.png".
Mines Bitcoins
Backdoor:MacOS_X/DevilRobber.A has the following Bitcoin miner components:
- Diablo Miner
- miner.sh
- minerd
DiabloMiner is a Bitcoin miner that uses the Open Computing Language (OpenCL) framework to perform the hashing computation, taking advantage of heterogeneous platforms (CPU and GPU). A script called "miner.sh" installs "DiabloMiner-OSX.sh" and then executes a command-line Bitcoin miner called "minerd" with a parameter that specifies the JSON-RPC server it is controlled from.
Acts as a proxy server
Backdoor:MacOS_X/DevilRobber.A also contains the following files:
- polipo - a web proxy tool
- polipo.cfg - a configuration file for polipo
Backdoor:MacOS_X/DevilRobber.A uses polipo to act as a proxy server. It is configured to listen on TCP/UDP port 34522 and to allow IPv4 addresses only.
Additional information
It runs the "uuencode" command to encode the collected Safari history, Bitcoin wallet data and desktop capture.
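A host triage script for the artifacts named in this description, added here as an example (it is not F-Secure's tooling or part of the malware). It assumes that the files listed in the Payload section, other than "mdsa" and "abc.lck" which the text places in ~/Library/mdsa1331, also sit in that installation folder; it also checks a polipo.cfg for the port named above and, when run live, whether anything is listening on it. The sample home directory and polipo.cfg it builds for the demo are constructed.

```python
"""Triage for DevilRobber.A artifacts (added example, not the write-up's code)."""
import subprocess
import tempfile
from pathlib import Path

INSTALL_DIR = Path("Library") / "mdsa1331"     # folder created by startup.sh
# File names from the write-up. Assumption: all of them live in INSTALL_DIR
# (the text only places "mdsa" and "abc.lck" there explicitly).
ARTIFACTS = ["mdsa", "status.cfg", "abc.lck", "dump.txt", "2.png", "acab.sh",
             "miner.sh", "DiabloMiner-OSX.sh", "minerd", "polipo", "polipo.cfg"]
PROXY_PORT = 34522                            # polipo port from the write-up


def find_artifacts(home: Path) -> list:
    """Return the DevilRobber file names present under home/Library/mdsa1331."""
    install = home / INSTALL_DIR
    if not install.is_dir():
        return []
    return sorted(p.name for p in install.iterdir() if p.name in ARTIFACTS)


def polipo_port_matches(cfg_text: str, port: int = PROXY_PORT) -> bool:
    """True if a polipo config sets proxyPort to the port named in the write-up."""
    for line in cfg_text.splitlines():
        line = line.split("#", 1)[0].strip()    # polipo comments start with '#'
        if line.startswith("proxyPort") and "=" in line:
            return line.split("=", 1)[1].strip() == str(port)
    return False


def proxy_listener_present(port: int = PROXY_PORT) -> bool:
    """Live check with lsof (ships with macOS): is anything listening on the port?"""
    try:
        out = subprocess.run(["lsof", "-nP", f"-iTCP:{port}", "-sTCP:LISTEN"],
                             capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return bool(out.stdout.strip())


def demo() -> dict:
    """Build a constructed infected home in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        install = home / INSTALL_DIR
        install.mkdir(parents=True)
        for name in ("mdsa", "abc.lck", "dump.txt", "notes.txt"):  # notes.txt is noise
            (install / name).write_text("")
        (install / "polipo.cfg").write_text("# constructed sample\nproxyPort = 34522\n")
        return {
            "artifacts": find_artifacts(home),
            "polipo_port": polipo_port_matches((install / "polipo.cfg").read_text()),
            "clean_home": find_artifacts(home / "nothing_here"),
        }


if __name__ == "__main__":
    hits = find_artifacts(Path.home())
    print("artifacts in ~/Library/mdsa1331:", hits or "none")
    cfg = Path.home() / INSTALL_DIR / "polipo.cfg"
    if cfg.is_file():
        print("polipo.cfg uses port 34522:", polipo_port_matches(cfg.read_text()))
    print("listener on port 34522:", proxy_listener_present())
```

"dump.txt" and "2.png" being present means the information-stealing stage has already run, so collect them before cleaning up; the wallet.dat path itself is a legitimate Bitcoin client file and is not an indicator on its own.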
Analysis by Methusela Cebrian Ferrer