Search This Blog

A Mac Trojan "DevilRobber" Upgraded to v3 and masquerades as PixelMator

DevilRobber(Backdoor:OSX/DevilRobber) is the Latest Malware that targets Mac OS X users, it is now upgraded and masquerades as PixelMator . Based on the malware's dump.txt file, this latest backdoor is identified as Version 3 (v3).

"The main point of difference in DevilRobberV3 is that it has a different distribution method — the 'traditional' downloader method." F-Secure Researchers says. 

The previous of Version of this Trojan masquerades as some other legitimate Mac Application, this time PixelMator Application.

Previously this Trojan log the number of files that match a certain set of criteria, and also steal the Terminal command history and Bitcoin wallet.  Also they performed the following;
  •  Opens a port where it listens for commands from a remote user.
  •  Installs a web proxy which can be used by remote users as a staging point for other attacks.
  • •Steals information from the infected machine and uploads the details to an FTP server for later retrieval.

Changelog for this Upgraded Trojan (This is first time we are posting changelog for a virus).
  • It no longer captures a screenshot
  • It no longer checks for the existence of LittleSnitch (a firewall application)
  • It uses a different launch point name
  • It harvests the shell command history
  • It harvests 1Password contents (a password manager from AgileBits)
  • It now also harvests the system log file

Unfortunately, It still attempts to steal Bitcoin wallet contents though.
Share it:

Mac OS X Hacks

Malware Report

Trojan Attacks