DevilRobber Mac OS X Trojan horse spies on you, uses GPU for Bitcoin mining

Graham Cluley

Yesterday, users of Sophos’s security products (including our free anti-virus for Mac home users) had their protection automatically updated to protect against a new Mac OS X Trojan horse that has been distributed via torrent sites such as PirateBay.

Copies of the legitimate Mac OS X image editing app GraphicConverter version 7.4 were uploaded to file-sharing networks. However, they came with an unexpected addition.

Hidden inside the download was a copy of the OSX/Miner-D (also known as ‘DevilRobber’) Trojan horse.

If your Mac computer was infected by the malware, the first thing you might notice is performance becoming sluggish.


That’s because OSX/Miner-D tries to generate Bitcoins, the currency of the anonymous digital cash system, by stealing lots of GPU (Graphics Processing Unit) time. GPUs are much better than regular CPUs at performing the mathematical calculations required for Bitcoin mining.

Yes, this Mac malware is stealing computing time as well as data.

In addition to Bitcoin mining, OSX/Miner-D also spies on you by taking screen captures and stealing your usernames and passwords. It also runs a script that copies information about TrueCrypt data, Vidalia (TOR plugin for Firefox), your Safari browsing history, and .bash_history to a file called dump.txt.

Curiously, the Trojan also hunts for any files that match “pthc”. It’s unclear whether this is intended to uncover child abuse material or not (the phrase “pthc” is sometimes used on the internet to refer to pre-teen hardcore pornography).

To complete the assault – if the malware finds the user’s Bitcoin wallet it will also steal that.


Of course, the producers of GraphicConverter have done nothing wrong themselves – they are victims of the criminals who are using their popular software as a trap to infect Mac users who download software from unofficial sources.

It’s possible that other apps infected by the malware have also been distributed via torrent sites, or that the cybercriminals will use other methods to distribute their Trojan horse.

Clearly, Mac users – like their Windows cousins – should practice safe computing and only download software from official websites and legitimate download services. But, in addition to that, it’s becoming clearer every week that Mac users need to take malware protection more seriously by running anti-virus software.

There may be a lot less malware for Mac OS X than there is for Windows, but many Mac users are making themselves an unnecessarily soft target by imagining that they are somehow magically protected from threats.

There are a number of anti-virus products available for Mac, including Sophos’s free version for home users, so there’s really no excuse.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
