SecureMac, Inc.

New Apple Mac Trojan Called OSX/CoinThief Discovered

February 9, 2014

Malware: OSX/CoinThief.A
Date Discovered: February 9th, 2014
Updated: February 13, 2014

Added: Feb 13th 2014: Wednesday evening, Apple updated XProtect to defend against the two known variants of OSX/CoinThief.

SecureMac has more information on how the CoinThief malware is initially installed on infected systems, with steps it takes to disguise its behavior:

The malware takes the place of the main binary in the trojanized versions of Bitcoin Ticker TTM and Litecoin Ticker, and is set up to run as an agent through the LSUIElement setting in the Info.plist file. As a result, the app doesn’t appear in the Dock. A copy of the real Bitcoin Ticker TTM/Litecoin Ticker main binary is hidden in the app bundle. The first time a user runs the trojanized version of Bitcoin Ticker TTM or Litecoin Ticker, the invisible malware program is launched instead.

At that time, the malware program unpacks and installs its payload (the background process and web browser plugins), then moves the correct app binary for Bitcoin Ticker TTM/Litecoin Ticker back into place, and removes the LSUIElement entry from the app’s Info.plist file. It then launches the original Bitcoin Ticker TTM/Litecoin Ticker app, which is now back in the correct path for the app bundle, and the user is none the wiser that a piece of malware just installed itself on their system.
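Because the bundle restores itself after the first launch, the swap described above is only visible before the app is ever run. The following triage script is an added example, not SecureMac's tooling: it flags a bundle whose Info.plist sets LSUIElement and that carries Mach-O files besides the declared main binary. The function names, the sample bundle and the hidden file's location are assumptions made for illustration.

```python
import plistlib
import tempfile
from pathlib import Path

# Mach-O magics: thin 32/64-bit in both byte orders, plus fat/universal
# (0xcafebabe is shared with Java class files, so treat hits as leads).
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}
STUB = b"\xcf\xfa\xed\xfe" + b"\0" * 4  # constructed, inert 8-byte "binary"

def is_macho(path: Path) -> bool:
    try:
        with path.open("rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False

def triage_bundle(app: Path) -> dict:
    """Pre-launch triage of one .app bundle (heuristic, not a signature)."""
    info = plistlib.loads((app / "Contents" / "Info.plist").read_bytes())
    # LSUIElement may be stored as a boolean, an integer or a string.
    agent = str(info.get("LSUIElement", "")).strip().lower() in {"1", "true", "yes"}
    main = app / "Contents" / "MacOS" / info.get("CFBundleExecutable", "")
    # Every other Mach-O file in the bundle; frameworks and helpers show up
    # here too, so the list is for an analyst to read, not an automatic verdict.
    extra = sorted(p.relative_to(app).as_posix() for p in app.rglob("*")
                   if p.is_file() and not p.is_symlink()
                   and p != main and is_macho(p))
    return {"agent": agent, "extra_executables": extra,
            "review": agent and bool(extra)}

def make_sample_bundle(root: Path, name: str, agent: bool, hidden: bool) -> Path:
    """Build a constructed sample bundle whose 'binaries' are inert stubs."""
    app = root / f"{name}.app"
    (app / "Contents" / "MacOS").mkdir(parents=True)
    (app / "Contents" / "Resources").mkdir()
    info = {"CFBundleExecutable": name, **({"LSUIElement": True} if agent else {})}
    (app / "Contents" / "Info.plist").write_bytes(plistlib.dumps(info))
    (app / "Contents" / "MacOS" / name).write_bytes(STUB)
    if hidden:  # hypothetical location; the advisory does not say where the copy sits
        (app / "Contents" / "Resources" / "data.bin").write_bytes(STUB)
    return app

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(triage_bundle(make_sample_bundle(Path(tmp), "SampleTicker", True, True)))
```

Many legitimate menu-bar utilities set LSUIElement and ship helper executables, so a `review` result means the bundle deserves a closer look before launch, not that it is infected.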

Added Feb 11th 2014: CoinThief Trojan Horse Removal Instructions

SecureMac has discovered that variants of OSX/CoinThief are being actively distributed through CNET’s Download.com, and were also being distributed through MacUpdate.com, exposing hundreds of Mac users to malware.

These variants of OSX/CoinThief contain similar functionality to previously known copies, but also include a browser extension for Firefox, which was not present in the earlier variants.

The malware is being distributed disguised as price tickers for Bitcoin and Litecoin (another type of cryptocurrency), which have been available on download.com since early December. According to the download stats, the malware has been downloaded 57 times.

The two variants seen by SecureMac share the same name and developer information as two apps found in Apple’s Mac App Store. At this time it is unclear what, if any, connection is shared between the apps. Initial analysis found that the Mac App Store versions of the apps did not include the malicious payload found in the versions from download.com.

The malware is being distributed as “Bitcoin Ticker TTM for Mac” and “Litecoin Ticker.”

The same apps were being distributed on MacUpdate.com, also since early December, but the download links are currently not working since they point at the inactive OSX/CoinThief server. According to the MacUpdate download stats, the malware was downloaded 365 times.

At this time it is unknown if there are other variants of OSX/CoinThief being distributed on CNET’s Download.com or MacUpdate.com under different names, or if other download sites are hosting the malware.

Analysis of this variant of OSX/CoinThief is ongoing, and further details will be provided as they become available.

SecureMac has discovered a new Trojan Horse called OSX/CoinThief.A, which targets Mac OS X and spies on web traffic to steal Bitcoins. This malware has been found in the wild, and there are multiple user reports of stolen Bitcoins. The malware, which comes disguised as an app to send and receive payments on Bitcoin Stealth Addresses, instead covertly monitors all web browsing traffic in order to steal login credentials for Bitcoin wallets.

Initial infection occurs when a user installs and runs an app called “StealthBit,” which was recently available for download on GitHub, a website that acts as a repository for open source code. The source code to StealthBit was originally posted on GitHub, along with a precompiled copy of the app for download. The precompiled version of StealthBit did not match a copy generated from the source code, as it contained a malicious payload. Users who downloaded and ran the precompiled version of StealthBit instead ended up with infected systems. A user posting over the weekend on Reddit, the popular discussion site, reported losing 20 Bitcoins (currently worth upwards of $12,000 USD) to the thieves.

Disguised as an app to send and receive payments on Bitcoin Stealth Addresses, OSX/CoinThief.A instead acts as a dropper and installs browser extensions that monitor all web browsing traffic, looking specifically for login credentials for many popular Bitcoin websites, including MtGox and BTC-e, as well as Bitcoin wallet sites like blockchain.info. When login credentials are identified, such as when a user logs in to check their Bitcoin wallet balance, another component of the malware then sends the information back to a remote server run by the malware authors.

Upon running the program for the first time, the malware installs browser extensions for Safari and the Google Chrome web browser, without alerting the user. The web browsers are tricked into thinking that the user intentionally installed the extensions, and give no warning to the user that all of their web browsing traffic is now being monitored by the malicious extensions. Additionally, the malware installs a program that continually runs in the background, looking for Bitcoin wallet login credentials, which are then sent back to a remote server. OSX/CoinThief.A can both send information to and receive commands from a remote server, including the ability to update itself to newer versions from the malware author.

Information sent back to the server isn’t limited to Bitcoin login credentials, but also includes the username and UUID (unique identifier) for the infected Mac, as well as the presence of a variety of Bitcoin-related apps on the system.

Some steps were taken by the malware author to disguise the inner workings of OSX/CoinThief.A from casual analysis. The browser extensions were given the generic name of “Pop-Up Blocker” and show a similarly generic description of “Blocks pop-up windows and other annoyances.” The malware additionally checks to see if various security programs or code development tools are present on an infected system, which is sometimes done in an attempt to block security researchers from analyzing a piece of malware.
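The extension name and description quoted above can be used to sweep a browser profile for candidates. This is an added example, not code from SecureMac: it walks a directory of Chrome-style `manifest.json` files and reports full and partial matches. The function names and the sample tree (ids, versions, contents) are constructed; Safari and Firefox extensions use other formats and are not covered.

```python
import json
import tempfile
from pathlib import Path

# Strings the advisory quotes for the malicious extensions.
IOC_NAME = "Pop-Up Blocker"
IOC_DESCRIPTION = "Blocks pop-up windows and other annoyances."

def _norm(value) -> str:
    """Collapse whitespace and case so trivial variations still match."""
    return " ".join(str(value).split()).casefold()

def scan_extensions(ext_root: Path) -> list:
    """Return (relative manifest path, match level) for each suspicious manifest."""
    hits = []
    for manifest in sorted(ext_root.rglob("manifest.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash
        if not isinstance(data, dict):
            continue
        name_hit = _norm(data.get("name", "")) == _norm(IOC_NAME)
        desc_hit = _norm(data.get("description", "")) == _norm(IOC_DESCRIPTION)
        if name_hit or desc_hit:
            level = "name+description" if name_hit and desc_hit else "partial"
            hits.append((manifest.relative_to(ext_root).as_posix(), level))
    return hits

def make_sample_profile(root: Path) -> Path:
    """Constructed extension tree; ids, versions and contents are made up."""
    samples = {
        "ext-a/1.0": '{"name": "Pop-Up Blocker", "description": '
                     '"Blocks pop-up windows and other annoyances."}',
        "ext-b/2.1": '{"name": "pop-up  blocker", "description": "Stops ads."}',
        "ext-c/0.3": '{"name": "Notes", "description": "Takes notes."}',
        "ext-d/1.0": '{"name": "truncated',
    }
    for rel, text in samples.items():
        (root / rel).mkdir(parents=True)
        (root / rel / "manifest.json").write_text(text, encoding="utf-8")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for hit in scan_extensions(make_sample_profile(Path(tmp))):
            print(hit)
```

The name is deliberately generic, so a `partial` hit is a prompt to check whether the user installed that extension; manifests that use `__MSG_...__` localisation placeholders keep their strings under `_locales/` and are not resolved here.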

This is a developing story, and we will update this page as more information becomes available.

About SecureMac – SecureMac has been at the forefront of Apple system security, offering news, advisories and reviews for all security relating to Apple and Macintosh systems since 1999. Users from novice to the most advanced will find useful information at SecureMac that is designed to make their computer experience secure and trouble-free. SecureMac is also the creator of the award-winning security and privacy software MacScan and PrivacyScan, protecting Mac OS X users against threats.
