Malware, Network Security, Vulnerability Management

“DevilRobber” trojan targets Mac OS X for Bitcoins

A new Mac OS X trojan being distributed on torrent sites like Paratypic aims to steal Bitcoin virtual currency, security researchers are warning.

The malware, called DevilRobber, is bundled inside several Mac applications made available by attackers on file-sharing networks, including a Mac OS X image editing app called GraphicConverter version 7.4, Graham Cluley, senior technology consultant at anti-virus (AV) firm Sophos, said in a blog post Saturday. Once on a machine, the malware attempts to steal a user's Bitcoin digital wallet.

Bitcoins, created in 2009, are a form of virtual currency that can be transferred anonymously from person to person online without going through a bank. They are accepted today by some online merchants and can be traded for actual dollars at online currency exchanges, such as Mtgox.com.

DevilRobber also uses infected Macs to perform “Bitcoin mining,” a way of earning the virtual currency by using a machine's computational power and open-source software to solve cryptographic problems. Too, the malware attempts to steal usernames and passwords and spy on users by taking screen shots, Cluley said.

The trojan is not particularly widespread at the moment, as it has only been seen in a handful of Mac apps on torrent sites, researchers at security firm Intego said in a blog post Friday. Overall, the malware is complex and performs several different operations.

“It is a combination of several types of malware: It is a trojan horse, since it is hidden inside other applications; it is a backdoor, as it opens ports and can accept commands from command-and-control servers; it is a stealer, as it steals data and Bitcoin virtual money; and it is spyware, as it sends personal data to remote servers,” Intego researchers wrote.

When the malware-laden program is launched, a script looks for a network traffic blocker, called LittleSnitch. If LittleSnitch is found on the machine, the program terminates.

In June, a trojan identified as Infostealer.Coinbit was propagating in the wild and targeting Bitcoin digital wallets installed on Windows computers.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.