Backdoor:MacOS_X/DevilRobber.A is a backdoor trojan which allows a remote attacker to steal information and perform Bitcoin mining activities.
Backdoor:MacOS_X/DevilRobber.A is installed on a target system by a script called "startup.sh". This script creates a folder named "mdsa1331" in the user's Library folder ("~/Library") and executes the backdoor with the name "mdsa".
Once executed, the backdoor drops a configuration file called "status.cfg" and attempts to remotely download and install other applications or packages. It then initiates backdoor communication by running the MiniSSDPd socket, which handles SSDP traffic broadcast via the multicast address 22.214.171.124 (or [FF02::C] in IPv6) on port 1900.
When the backdoor receives an SSDP M-SEARCH (discovery) request, it sends an HTTP response, which includes the network information of the UPnP device. In this case, the backdoor location is specifically mapped to connect on any of the following ports:
Backdoor:MacOS_X/DevilRobber.A executes a shell script called "acab.sh". It runs an "mdfind" command and dumps information that matches the following strings into a file called "dump.txt":
The backdoor checks for a file called "abc.lck" in its installation folder in ~/Library/mdsa1331, and if it exists, it extracts the following information:
Safari browsing history stored in ~/Library/Safari/History.plist
It checks and dumps the Bitcoin wallet information stored in ~/Library/Application Support/Bitcoin/wallet.dat. It silently captures the screen and stores the image as "2.png".
Backdoor:MacOS_X/DevilRobber.A has the following Bitcoin miner components:
DiabloMiner is a Bitcoin miner that uses the Open Computing Language (OpenCL) framework to perform hashing computation, taking advantage of heterogeneous platform features. A script called "miner.sh" installs "DiabloMiner-OSX.sh". It then executes a command-line based Bitcoin miner called "minerd" with a parameter that initiates the JSON-RPC server used for control.
Acts as a proxy server
Backdoor:MacOS_X/DevilRobber.A also contains the following files:
- a web proxy tool
- a configuration file for polipo
Backdoor:MacOS_X/DevilRobber.A uses polipo to enable it to act as a proxy server. It is configured to use TCP/UDP port 34522 and to allow IPv4 addresses only.
It runs the "uuencode" command on the collected Safari history, Bitcoin wallet information, and desktop capture.
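As an added example, not part of the original analysis, the following POSIX shell functions check a home directory for the on-disk artifacts named in this description and, on a live system, for a listener on the polipo port. The install-folder location of "dump.txt" and "2.png", the use of `lsof`, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original analysis): look for the on-disk artifacts
# this description attributes to DevilRobber.A under a given home directory.
# $1 is the home directory (a live ~ or a mounted image); artifact names come
# from the description above. ASSUMPTION: dump.txt and 2.png are checked inside
# the install folder, since the text does not state where they are written.

DEVILROBBER_DIR="Library/mdsa1331"

# Prints one "FOUND <path>" line per artifact to stderr and the hit count to stdout.
devilrobber_artifacts() {
    home="$1"
    hits=0
    # "" is the install folder itself; the rest are files the text names inside it.
    for name in "" "mdsa" "status.cfg" "abc.lck" "acab.sh" "dump.txt" "2.png"; do
        path="$home/$DEVILROBBER_DIR${name:+/$name}"
        if [ -e "$path" ]; then
            echo "FOUND $path" >&2
            hits=$((hits + 1))
        fi
    done
    echo "$hits"
}

# Live-system check (ASSUMPTION: lsof is available, as it is on macOS): report
# any process listening on the TCP port the text says polipo is configured to use.
devilrobber_proxy_listener() {
    command -v lsof >/dev/null 2>&1 || { echo "lsof not found" >&2; return 2; }
    lsof -nP -iTCP:34522 -sTCP:LISTEN
}

# Usage: sh this_script.sh "$HOME"
if [ "$#" -gt 0 ]; then
    devilrobber_artifacts "$1"
    devilrobber_proxy_listener || true
fi
```

A hit count above zero means at least one named artifact exists; the folder alone is already enough to warrant a closer look, since nothing legitimate creates ~/Library/mdsa1331.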
Analysis by Methusela Cebrian Ferrer