OSX/CoinThief Manual Identification and Removal Instructions

OSX/CoinThief Manual Identification and Removal Instructions

Updated: February 12, 2014

OSX/CoinThief has been distributed under four different names so far: BitVanity, StealthBit, Bitcoin Ticker TTM, and Litecoin Ticker.

BitVanity and StealthBit were distributed on Github, while Bitcoin Ticker TTM and Litecoin Ticker were distributed on Download.com and MacUpdate.com. Both app names appear to have been taken from legitimate apps in the Mac App Store. The malicious payload was not found in Mac App Store copies of these apps.

When run, the malware installs a browser extension in Chrome, Safari, and Firefox, which will appear in those apps as "Pop-Up …

February 9, 2014 • 4 min read
New Apple Mac Trojan Called OSX/CoinThief Discovered

New Apple Mac Trojan Called OSX/CoinThief Discovered

Malware: OSX/CoinThief.A
Date Discovered: February 9th, 2014
Updated: February 13, 2014

Added: Feb 13th 2014: Wednesday evening, Apple updated XProtect to defend against the two known variants of OSX/CoinThief.

SecureMac has more information on how the CoinThief malware is initially installed on infected systems, with steps it takes to disguise its behavior:

The malware is taking the place of the main binary in the trojanized versions of Bitcoin Ticker TTM and Litecoin Ticker, and is set up to run as an agent with a setting for LSUIElement in the Info.plist file. This makes it so …

February 9, 2014 • 6 min read
Flashback Trojan Security Fix Update Released by Java

Flashback Trojan Security Fix Update Released by Java

From Doctor Web, the Russian anti-virus vendor—”conducted a research to determine the scale of spreading of Trojan BackDoor.Flashback that infects computers running Mac OS X. Now BackDoor.Flashback botnet encompasses more than 550 000 infected machines, most of which are located in the United States and Canada. This once again refutes claims by some experts that there are no cyber-threats to Mac OS X.”

April 4, 2012 • 1 min read
New Malware Security Bulletin

New Malware Security Bulletin

SecureMac has learned of a new piece of Mac malware that is currently in the wild and infecting computers running OS X. As first reported at http://labs.alienvault.com/labs/index.php/2012/alienvault-research-used-as-lure-in-targeted-attacks/ this piece of malware exploits a vulnerability in computers running older, unpatched versions of Java.

March 20, 2012 • 2 min read
BlackHole RAT 2 Trojan Horse for Mac OS X Discovered

BlackHole RAT 2 Trojan Horse for Mac OS X Discovered

As predicted by the SecureMac team, the new version of BlackHole RAT 2 was officially released on a hacker message board this weekend, with some slight differences from the earlier version analyzed by SecureMac. The trojan horse, once installed, disguises itself as a Java Updater. In addition, the author is now referring to the trojan as Freeze RAT, but it contains much of the same code as BlackHole Rat 2.0a. The new version has a more complicated installation process that requires physical access to the computer, so SecureMac continues to rate this as a low threat.

April 3, 2011 • 3 min read
BlackHole RAT

BlackHole RAT

The SecureMac team announced today that a new version of the BlackHole RAT 2.0 Trojan Horse for Mac OS X has been discovered. This new version should be not confused with an older variant from back in February already detected by SecureMac and other anti-malware software.

February 25, 2011 • 4 min read
Initial Analysis of trojan.osx.boonana.a

Initial Analysis of trojan.osx.boonana.a

The initial infection vector of the Boonana trojan is through a message on social networking sites similar to “Is this you in this video?” which includes a link to an external site. Upon clicking the link, a java applet will attempt to load in the user’s web browser.

The web browser will then prompt the user to allow content signed by an untrusted certificate to run.

When the user accepts the certificate, the applet loads.

Once the applet is loaded, it displays a fake YouTube interface to simulate a “video” by displaying a …

October 28, 2010 • 3 min read
Trojan Horse Alert: HellRaiser (aka OSX/HellRTS.D)

Trojan Horse Alert: HellRaiser (aka OSX/HellRTS.D)

Trojan Horse Alert: Intego recently alerted users to the presence of a new variant of the HellRaiser Trojan Horse, which they identify as OSX/HellRTS.D. SecureMac has analyzed this new variant and it is detected in the latest MacScan spyware definitions update (Spyware Definitions Version 2010006) as HellRaiser Trojan Horse 4.2. MacScan has detected previous variants of this trojan horse since 2005.

HellRaiser is a trojan horse that allows complete control of a computer by a remote attacker, giving the attacker the ability to transfer files to and from the infected computer, pop up chat messages on the infected system, display pictures, speak messages, and even remotely restart or shut down the infected machine.

The attacker can search through the files on the infected computer, choosing exactly what they want to steal, view the contents of the clipboard, or even watch the user’s actions on the infected computer.

In order to become infected, a user must run the server component of the trojan horse, which can be disguised as an innocent file. The attacker then uses the client component of the trojan horse to take control of the infected system.

Read more about HellRaiser Trojan Horse aka OSX/HellRTS.D

April 16, 2010 • 2 min read
OSX/Jahlav-C = DNSChanger Trojan Horse

OSX/Jahlav-C = DNSChanger Trojan Horse

DNSChanger Trojan Horse (aka RSPlug Trojan) is running wild lately with multiple variants surfacing rapidly and being distributed through more mainstream sites including gamer and technical download sites as well as pornographic and search engine optimized pages resulting in high rankings in search results.

Learn more about the symptoms of DNSChanger Trojan Horse infected computers or scan your computer for spyware with MacScan or remove DNSChanger Trojan Horse (RSPlug) with DNSChanger Trojan Horse Removal Tool for free.

June 26, 2009 • 3 min read
OSX/Jahlav-C is a variant of DNSChanger Trojan Horse

OSX/Jahlav-C is a variant of DNSChanger Trojan Horse

The trojan horse OSX/Jahlav-C recently reported in the news is in fact a variant of the already discovered DNSChanger Trojan Horse. Other variant and aliases include OSX.RSPlug, OSX/Puper and OSX/Jahlav.

This variant is already detected by SecureMac’s Anti-Spyware product MacScan as well as the free DNSChanger Trojan Horse Removal Tool. Learn more information on avoiding DNSChanger Trojan Horse and removal tips.

June 12, 2009 • 1 min read
Apple Acknowledges Malware

Apple Acknowledges Malware

Apple has finally acknowledged that spyware and viruses are a threat for Mac OS X, as well as the latest operating system in the works, Snow Leopard. Snow Leopard will be adding new technology to help prevent against attacks such as sandboxing and anti-phishing features in Safari. This, however, is not a 100% solution to protect against malware.

June 10, 2009 • 3 min read
DNS Changer 2.0e Trojan Horse

DNS Changer 2.0e Trojan Horse

SecureMac Advisory

Posted: March 17th, 2009

Security Risk: Critical

Just after the DNSChanger 2.0d variant was identified, another new variant of the DNSChanger Trojan Horse, DNSChanger 2.0e, has been discovered in the wild. The trojan horse arrives in a disk image (some samples are called serial_Avid.Xpress.Pro.5.7.2.dmg), and is again disguised as an installer for “MacCinema,” just like the 2.0d variant. Once installed, the trojan horse behaves in a similar manner to past variants.

This variant is being distributed on websites offering “cracked” or pirated copies of software, and is initially disguised as a serial …

March 2, 2009 • 3 min read
Intego Reports Malware in Pirated Copies of Photoshop CS 4

Intego Reports Malware in Pirated Copies of Photoshop CS 4

Pirated copies of Photoshop CS 4 has been reported by Intego to contain malware. On January 16th Photoshop CS 4 containing the malware was seeded to peer-2-peer servers. This trojan have been labeled as OSX.Trojan.iServices.B, the second variant of the trojan, the first discovered in iWork 09 pirated software. It is recommended not to download these files. Like its predecessor this variant obtains root privileges, and notifies the remote host of the infected computers location on the Internet.

January 26, 2009 • 1 min read
Security Alert: Trojan found in Pirated copies of Apple’s iWorks 09

Security Alert: Trojan found in Pirated copies of Apple’s iWorks 09

Security Alert: A trojan is being distributed with pirated copies of Apple’s iWorks 09.

Pirated copies of iWorks 09 are being distributed with a trojan bundled in the installer package. Intego has released a warning recommending that users should not download iWorks 09 from pirate software sites.

The malicious software is installed in the startup items folders ( /System/Library/StartupItems/iWorkServices ) where it has full root privilege rights. Once installed the trojan connects to a remote server notifying it of the infected computers location on the net awaiting further instruction including the ability …

January 22, 2009 • 1 min read