It is configured to use TCP/UDP port 34522, and allow IPv4 addresses only.
It silently captures the screen and stores the image as " 2.png".īackdoor:MacOS_X/DevilRobber.A has the following Bitcoin miner components:ĭiabloMiner is a Bitcoin miner that uses the Open Computing Language (OpenCL) framework to perform hashing computation. It checks and dumps the Bitcoin wallet information stored in ~/Library/Application Support/Bitcoin/wallet.dat. Safari browsing history stored in ~/Library/Safari/ist.The backdoor checks for a file called " abc.lck" in its installation folder in ~/Library/mdsa1331, and if it exists, it extracts the following information: It runs an " mdfind" command and dumps information that matches the following strings into a file called " dump.txt": In this case, the backdoor location is specifically mapped to connect on any of the following ports:īackdoor:MacOS_X/DevilRobber.A executes a shell script called " acab.sh". When the backdoor receives an SSDP M-SEARCH (discovery) request, it sends an HTTP response, which includes the network information of the UPnP device. It then initiates backdoor communication by running the MiniSSDPd socket, which handles SSDP traffic broadcasted via the multicast address 239.255.255.250 (or in IPv6) on port 1900.
Uninstall mcafee mac os x install#
Once executed, the backdoor drops a configuration file called " status.cfg" and attempts to remotely download and install other application or packages. This script creates a folder named " mdsa1331" in the user's Library folder (" ~/Library") and executes the backdoor with the name " mdsa". Installationīackdoor:MacOS_X/DevilRobber.A is installed on a target system by a script called " startup.sh". Backdoor:MacOS_X/DevilRobber.A is backdoor trojan which allows a remote attacker to steal information and perform Bitcoin mining activities.
0 kommentar(er)
