Another week, another Mac OS X Trojan spotted.
Both Sophos and Intego have detected a Bitcoin-mining Trojan that also opens a backdoor into the infected system and steals both Bitcoins from the user’s wallet file and information such as login credentials, browsing histories and data regarding the use of Truecrypt software and TOR.
The Trojan – dubbed “DevilRobber” – is currently being spread via BitTorrent trackers and is bundled up with popular Mac software such as the GraphicConverter application and others.
One indication that the malware has found its way onto a computer is that the computer’s performance slows down due to the Trojan’s misuse of GPU cycles for creating Bitcoins.
Interestingly enough, users who run the Little Snitch network traffic blocker are safe even if they don’t use any AV software. According to Intego, once the doctored application is launched, a script looks for that particular software and, if it is found, the program terminates.
If Little Snitch is not present on the targeted computer, the Trojan will drop a file to ensure that it launches every time the computer is rebooted or a user logs in.
While using the computer to mine for Bitcoins, the malware also searches for information that can be of use to the criminals operating the servers to which it is sent. Among this information are the user’s Safari browser history, the history of commands run in the Terminal, various usernames and passwords, and even child abuse images.
While it is very likely that the criminals will try to use other methods to distribute the Trojan, for the time being users are advised to refrain from downloading software from illegitimate download services.