NEWS FROM THE LAB - Wednesday, November 16, 2011

DevilRobber Gets An Updated Version Posted by ThreatSolutions @ 10:39 GMT

We found an updated version of Backdoor:OSX/DevilRobber, which we posted about earlier.

The updated version uses the same technique as its predecessor to disguise itself as a legitimate application, though this time it calls itself PixelMator.

Based on the malware's dump.txt file, this latest backdoor is identified as Version 3 (v3).

DevilRobber v3

The main point of difference in DevilRobberV3 is that it has a different distribution method — the "traditional" downloader method.

The DevilRobberV3 sample that we analyzed (1c49632744b19d581af3d8e86dabe9de12924d3c) is an FTP downloader that will download its backdoor installer package from an FTP Server service provider.

To retrieve its installer, the malware generates 3 FTP URLs with hard-coded usernames and passwords, which are encoded in the program itself. The package is named "bin.cop" and is stored in the root folder on the FTP server.

DevilRobberV3 downloader

In addition to the changed distribution method, DevilRobberV3 has the following changes in its information harvesting script:

  •  It no longer captures a screenshot
  •  It no longer checks for the existence of LittleSnitch (a firewall application)
  •  It uses a different launch point name
  •  It harvests the shell command history
  •  It harvests 1Password contents (a password manager from AgileBits)
  •  It now also harvests the system log file

It still attempts to obtain Bitcoin wallet contents though.
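The harvesting list above maps onto a simple host-side detection: a single process that reads shell history, a password-manager store, the system log and a Bitcoin wallet within one session is behaving like this script, whatever it calls itself. The following Python is an added illustration, not code from the F-Secure post or from the malware; the file paths and the log lines are constructed for the example and the exact locations 1Password and Bitcoin use on a given system are an assumption.

```python
import re
from collections import defaultdict

# Categories of files the post says DevilRobber v3 harvests. The paths are
# assumptions chosen for illustration, not indicators taken from the post.
SENSITIVE_PATTERNS = {
    "shell_history": re.compile(r"/\.(bash|zsh|sh)_history$"),
    "1password": re.compile(r"/Library/Application Support/1Password"),
    "system_log": re.compile(r"^/var/log/system\.log$"),
    "bitcoin_wallet": re.compile(r"/Library/Application Support/Bitcoin/wallet\.dat$"),
}

# Constructed file-access log lines: "<pid> <process> open <path>".
SAMPLE_LOG = """\
101 Safari open /Users/alice/Library/Caches/com.apple.Safari/Cache.db
202 PixelMator open /Users/alice/.bash_history
202 PixelMator open /Users/alice/Library/Application Support/1Password/1Password.agilekeychain
202 PixelMator open /var/log/system.log
202 PixelMator open /Users/alice/Library/Application Support/Bitcoin/wallet.dat
303 Terminal open /Users/alice/.bash_history
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+open\s+(.+)$")


def classify_path(path):
    """Return the sensitive category a path falls into, or None."""
    for name, pattern in SENSITIVE_PATTERNS.items():
        if pattern.search(path):
            return name
    return None


def harvesting_candidates(log_text, threshold=3):
    """Return {(pid, process): sorted categories} for every process that
    touched at least `threshold` distinct sensitive categories.

    A single read of .bash_history (Terminal above) is normal; the same
    process reading several unrelated secret stores is the signal."""
    touched = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        pid, proc, path = m.groups()
        category = classify_path(path)
        if category:
            touched[(int(pid), proc)].add(category)
    return {key: sorted(cats) for key, cats in touched.items()
            if len(cats) >= threshold}


if __name__ == "__main__":
    for (pid, proc), cats in harvesting_candidates(SAMPLE_LOG).items():
        print(f"pid {pid} ({proc}) read {len(cats)} secret stores: {', '.join(cats)}")
```

The threshold is what keeps the rule quiet: individual reads of any one of these files are routine, so the check only fires on the combination the harvesting script produces. A real deployment would feed it file-access events from the platform's audit facility rather than a constructed string.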

Threat Solutions post by — Wayne