The updated version uses the same technique as its predecessor to disguise itself as a legitimate application, though this time it calls itself PixelMator.
Based on the malware's dump.txt file, this latest backdoor is identified as Version 3 (v3).
The main point of difference in DevilRobberV3 is that it has a different distribution method — the "traditional" downloader method.
The DevilRobberV3 sample that we analyzed (1c49632744b19d581af3d8e86dabe9de12924d3c) is an FTP downloader that will download its backdoor installer package from an FTP Server service provider.
To retrieve its installer, the malware generates 3 FTP URLs with hard-coded usernames and passwords, which are encoded in the program itself. The package is named "bin.cop" and is stored in the root folder on the FTP server.
In addition to the changed distribution method, DevilRobberV3 has the following changes in its information harvesting script:
• It no longer captures a screenshot • It no longer checks for the existence of LittleSnitch (a firewall application) • It uses a different launch point name • It harvests the shell command history • It harvests 1Password contents (a password manager from AgileBits) • It now also harvests the system log file
It still attempts to obtain Bitcoin wallet contents though.
