New Mac Malware Variants Found in Trojaned Apps Are Stealing Data

Researchers have discovered a series of variants of the DevilRobber Mac OS X Trojan whose capabilities differ by strain: every variant can mine Bitcoins using the infected machine's processing power, and the variants can also steal files, install a Web proxy and, in some cases, steal the user's Safari browsing history.


The new variants of DevilRobber, which has been making the rounds recently, each appear to have a different set of capabilities, possibly because each was built for a specific job, according to an analysis of the malware by researchers at F-Secure. Some of the variants appear to look for specific pornographic files on infected Macs and steal passwords from the machine in order to access any files that may be protected. All of the variants of DevilRobber are able to take data from the machine and upload it to a remote server.

The new variants were discovered in Mac applications that had been Trojaned and then shared on Pirate Bay.

"The specific port used by the web proxy depends on the variant. The specific FTP server for data stealing also varies between samples. And DevilRobber's data stealing routine is repeated on a fixed interval — every 43200, 60000, or 100000 seconds, depending on the sample," F-Secure says in its analysis.
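Because the exfiltration routine fires on a fixed timer, the most useful defensive signal in the F-Secure description is regularity rather than any particular server or port. The following script is an added example, not part of the Threatpost article or F-Secure's analysis: it parses constructed outbound-connection log lines (the log format, hostnames and IP addresses are made up for illustration) and flags any host-to-destination flow whose inter-connection gaps are nearly constant, noting when the period matches one of the three intervals quoted above.

```python
"""Fixed-interval beacon detection over constructed connection-log lines.

Added example; the log format and all hosts/addresses below are constructed
and do not come from the article or from any real DevilRobber sample.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample log, one outbound connection per line:
# "<ISO-8601 UTC timestamp> <src_host> -> <dst_ip>:<dst_port>"
# mac-01 connects to an FTP port every 12 hours exactly (43200 s).
# mac-02 connects to an FTP port at irregular, human-looking times.
# mac-03 has only two connections, too few to judge periodicity.
SAMPLE_LOG = """\
2011-11-01T00:00:00Z mac-01 -> 203.0.113.10:21
2011-11-01T12:00:00Z mac-01 -> 203.0.113.10:21
2011-11-02T00:00:00Z mac-01 -> 203.0.113.10:21
2011-11-02T12:00:00Z mac-01 -> 203.0.113.10:21
2011-11-01T00:03:11Z mac-02 -> 198.51.100.5:21
2011-11-01T09:47:52Z mac-02 -> 198.51.100.5:21
2011-11-02T01:12:30Z mac-02 -> 198.51.100.5:21
2011-11-01T00:00:00Z mac-03 -> 198.51.100.7:21
2011-11-01T00:00:10Z mac-03 -> 198.51.100.7:21
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")

# Intervals F-Secure reported for the samples, in seconds.
KNOWN_INTERVALS = (43200, 60000, 100000)


def parse_log(text):
    """Group connection times by (src_host, dst_ip, dst_port).

    Returns a dict mapping each flow key to a sorted list of epoch seconds.
    Lines that do not match the constructed format are skipped.
    """
    series = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, host, ip, port = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        series[(host, ip, int(port))].append(when.timestamp())
    for key in series:
        series[key].sort()
    return dict(series)


def find_periodic(series, min_events=3, tolerance=0.05, known=KNOWN_INTERVALS):
    """Flag flows whose gaps between connections are nearly constant.

    A flow is reported when it has at least ``min_events`` connections and the
    relative jitter (population std-dev of the gaps divided by their mean) is
    at or below ``tolerance``.  Each finding is a tuple of
    (flow_key, mean_gap_seconds, matches_known_interval).
    """
    findings = []
    for key, times in series.items():
        if len(times) < min_events:
            continue
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter > tolerance:
            continue
        matches_known = any(abs(avg - k) / k <= tolerance for k in known)
        findings.append((key, avg, matches_known))
    return findings


if __name__ == "__main__":
    for (host, ip, port), period, known_hit in find_periodic(parse_log(SAMPLE_LOG)):
        note = " (matches a reported DevilRobber interval)" if known_hit else ""
        print(f"{host} -> {ip}:{port} beacons every {period:.0f} s{note}")
```

The script deliberately keys on periodicity rather than on the FTP server or proxy port, since the article notes that both vary between samples; a real deployment would feed it firewall or flow logs and tune `min_events` and `tolerance` to the environment, because legitimate schedulers (backup jobs, update checks) also produce fixed-interval traffic and need to be allow-listed.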

Mac malware has been making some headlines in the last few months, as attackers have begun applying to OS X some of the tactics they’ve been using on Windows for decades. In September, a Trojan called Imuler was found packed inside malicious PDFs, a trick that attackers have been using to get their malware into the hands of users for years now. And earlier in the year the MacDefender malware made a big splash as the first Mac-specific rogue antivirus program to emerge.

Apple is beginning to take some steps to address the threats facing its users, including the announcement this week that all apps submitted to the Mac App Store will have to be sandboxed by March 2012.

This post has been edited to clarify the nature of the apps containing the malware.


Discussion

  • drStrangep0rk on

    Check statement --

    "The new variants were discovered in legitimate Mac applications that had been Trojaned and then shared on Pirate Bay."

    Please check this sentence; you may be liable due to the term "legitimate Mac applications."

    The applications are pirated and as such are criminalized, thus stating that they are or ever were "legitimate" is extremely misleading and ambiguous. All versions of the applications in the Mac App Store are digitally signed and are legitimate. Applications on Pirate Bay are not by definition and as such should not be stated as "legitimate." You cannot make a claim that the applications were in fact "legitimate" at any point unless Kaspersky is the holder of this knowledge and is actively sharing it with US law enforcement officials and affected software vendors. This sentence will do damage to the legitimate developers of the pirated applications, which is clearly not your intent. Kaspersky as a software company clearly understands the cost pirated software represents to the software industry and the importance of clear statements of facts when it comes to the legitimacy and safety of other rights holders' products.

    This is the suggested correction for review, which will ensure no ambiguity.

    "The new Trojan variants were discovered in criminalized software found on Pirate Bay. The legitimate Mac applications are digitally signed and remain safe in the Mac App Store."

    The sentence is extremely misleading and may represent liability. This article is being listed as a source for other news organizations.

    Correction Two

    "In September, a Trojan called Imuler was found packed inside malicious PDFs, a trick that attackers have been using to get their malware into the hands of users for years now."

    The Imuler Trojan was never packed inside a malicious PDF; it was in fact an installer. This is a completely false statement and extremely poor analysis missing key facts. It was never in a PDF, and you could never change the extension on a Mac file to get it to execute in a particular way.

    Correction Notice

    This post represents a request for correction in an article posted on a site run by Kaspersky. In good faith Kaspersky has been contacted to review the sentence stated above for accuracy and/or legal misrepresentations. Kaspersky, as stated in the TOS, is the sole holder of the rights to this article and as such is now the sole holder of the rights to this post and request for correction review.

    Thank You
