Mac OS X Trojan Goes Bitcoin Mining, Steals Files

A new Trojan targeting Mac OS X users is not only after data, but Bitcoins as well.

A new Trojan targeting Mac OS X users is not only after data, but Bitcoins as well.

The malware is being detected by Sophos as Miner-D, but is also known as DevilRobber. According to Sophos, the Trojan is hiding inside pirated versions of the Mac OS X image editing application GraphicConverter version 7.4, and is being actively distributed on file-sharing networks and torrent sites like Pirate Bay. Once on the system, the Trojan creates a backdoor for remote access and installs a Bitcoin miner that uses up any spare CPU or GPU (Graphics Processing Unit) cycles.

“If your Mac computer was infected by the malware, the first thing you might notice is performance becoming sluggish,” Graham Cluley, senior technology consultant at Sophos, wrote in a blog post. “That’s because OSX/Miner-D tries to generate Bitcoins, the currency of the anonymous digital cash system, by stealing lots of GPU…time. GPUs are much better than regular CPUs at performing the mathematical calculations required for Bitcoin mining.”

This is far from the first time malware involved in Bitcoin mining has been spotted in the wild. In September, researchers at Trend Micro spotlighted BKDR_BTMINE.MNR targeting Windows users, and in August, Symantec reported detecting the Badminer Trojan targeting Windows as well.

In the case of Miner-D, the malware also collects system information such as shell and browser history and scans for any potentially private files, including on mounted encrypted volumes, according to Sophos. The Trojan also hunts for any files that match “pthc”, which is an expression used on the Internet sometimes to denote “preteen hardcore” pornography – though it is unclear whether this is intended to uncover child abuse material or not, Cluley blogged.

“To complete the assault – if the malware finds the user’s Bitcoin wallet it will also steal that,” he added. “Of course, the producers of GraphicConverter have done nothing wrong themselves – they are victims of the criminals who are using their popular software as a trap to infect Mac users who download software from unofficial sources.”

Security firm Intego also published an analysis of the malware, which they refer to as DevilRobber, on their blog. According to Intego, the malware has also been spotted in a small number of other Mac applications besides GraphicConverter, though the firm did not specify which ones. The vendor noted however that the applications are being distributed via BitTorrent trackers, and advised Mac users to only download applications from trusted sites. 

Suggested articles