Bitcoin OSX
Backdoor:OSX/DevilRobber.A silently installs applications related to Bitcoin-mining; it may also harvest data from the infected machine and listen for additional commands from a remote user.
Disinfection & Removal
Manual Removal Instructions
The following instructions apply to the original version of DevilRobber:
- Delete this folder and all its contents: ~/Library/mdsa1331
- Delete this file: ~/Library/LaunchAgents/com.apple.legion.plist
The following instructions apply to the updated version of DevilRobber (DevilRobberV3):
- Delete the folder and all its contents: ~/Library/Pixel_mator
- Delete this file: ~/Library/LaunchAgents/com.apple.pixel.plist
Note: For both versions, the malware is reinstalled whenever the bundled (pirated) application is run again, so the bundled application itself must also be removed or never launched again.
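The removal steps above, as an added example script that is not part of the original description: it lists the artifact paths given for both versions, reports which of them are present, and deletes them. The optional home-directory argument (so the functions can be exercised against a scratch tree) and the launchctl unload step before each plist is deleted are assumptions added here; nothing beyond the listed paths is touched.

```shell
#!/bin/sh
# Added example: scan for and remove the DevilRobber.A / DevilRobberV3
# artifacts listed in the removal instructions. Not the original page's code.
# The optional home-directory argument (default: $HOME) is an assumption added
# so the functions can be exercised against a scratch directory tree.

# Artifact paths from the advisory, relative to the user's home directory.
devilrobber_indicators() {
    printf '%s\n' \
        "Library/mdsa1331" \
        "Library/LaunchAgents/com.apple.legion.plist" \
        "Library/Pixel_mator" \
        "Library/LaunchAgents/com.apple.pixel.plist"
}

# Usage: devilrobber_scan [home_dir]
# Prints each artifact that is present; returns 1 if any was found, 0 otherwise.
devilrobber_scan() {
    home="${1:-$HOME}"
    found=0
    for rel in $(devilrobber_indicators); do
        if [ -e "$home/$rel" ]; then
            echo "FOUND: $home/$rel"
            found=1
        fi
    done
    return "$found"
}

# Usage: devilrobber_remove [home_dir]
# Unloads each launch agent first (only where launchctl exists, i.e. on
# macOS; this step is an addition, not part of the page's instructions),
# then deletes every listed artifact that is present.
devilrobber_remove() {
    home="${1:-$HOME}"
    for rel in $(devilrobber_indicators); do
        p="$home/$rel"
        [ -e "$p" ] || continue
        case "$p" in
            *.plist)
                if command -v launchctl >/dev/null 2>&1; then
                    launchctl unload "$p" 2>/dev/null || true
                fi
                ;;
        esac
        rm -rf "$p"
        echo "REMOVED: $p"
    done
}

# Stand-alone use: sh devilrobber_clean.sh --run
# Reports what is present, removes it, then confirms the scan is clean.
if [ "${1:-}" = "--run" ]; then
    devilrobber_scan "$HOME" || true
    devilrobber_remove "$HOME"
    devilrobber_scan "$HOME" && echo "Clean: no DevilRobber artifacts remain"
fi
```

Run the scan on its own first; a clean scan after removal only proves the listed paths are gone, and the bundled application that dropped them still has to be deleted separately.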
Technical Details
The components of this malware are bundled together with pirated copies of legitimate programs. At the time of writing, these programs were being offered on the popular torrent-hosting website The Pirate Bay.
An updated version of DevilRobber has been discovered, with minor changes in its distribution and operation. This version was discussed in a Labs Weblog post.
The updated version, identified as DevilRobberV3, is distributed under the file name PixelMator. Unlike the original, the distributed file does not itself contain the backdoor component; on installation it must download the actual backdoor installer package from a remote FTP server, so the infection does not complete on a machine without outbound access to that server.
On execution, DevilRobberV3 first drops the file d_status.cfg in the directory it was run from, then downloads the installer from the remote server and saves it as binary.zip. The contents of the package are then extracted and executed.
In addition to the changed distribution method, DevilRobberV3 has the following changes in its information harvesting script:
- It no longer captures a screenshot
- It no longer checks for the existence of LittleSnitch (a firewall application)
- It uses a different launch point name
- It harvests the shell command history
- It harvests 1Password contents (a password manager from AgileBits)
- It now also harvests the system log file
The malware's routine of attempting to steal Bitcoin wallet contents remains unchanged.
Execution
Upon execution of the bundled software, the original version of the malware first checks whether the following file exists on the system:
- /System/Library/Extensions/LittleSnitch.kext
Little Snitch is a Mac OS X firewall program; if the file is found, the malware skips its own installation and simply runs the clean software. DevilRobberV3 no longer performs this check.