OSX/CoinThief trojan: Manual identification and removal instructions

“OSX/CoinThief has been distributed under four different names so far: BitVanity, StealthBit, Bitcoin Ticker TTM, and Litecoin Ticker,” SecureMac reports. “BitVanity and StealthBit were distributed on Github, while Bitcoin Ticker TTM and Litecoin Ticker were distributed on Download.com and MacUpdate.com. Both app names appear to have been taken from legitimate apps in the Mac App Store. The malicious payload was not found in Mac App Store copies of these apps.”

“When run, the malware installs a browser extension in Chrome, Safari, and Firefox, which will appear in those apps as “Pop-Up Blocker 1.0.0” with the description “Blocks pop-up windows and other annoyances.” There are some indications that this name and description were also taken from a legitimate browser extension. The browser extensions watch your web traffic, looking for specific headers for bitcoin-related websites. They communicate with the background process, which will periodically connect to a remote server (currently offline) to exfiltrate login credentials,” SecureMac reports. “The background process is set to be constantly running via a launchd task. Additionally, the background process will check for the presence of Bitcoin-Qt, and appears to be modifying components of Bitcoin-Qt, possibly with the intent of leaking private keys.”

Manual identification and removal instructions in the full article here.

Related article:
New Bitcoin-stealing trojan, ‘OSX/CoinThief.A,’ targets OS X users – February 10, 2014
Russian authorities say Bitcoin illegal – February 10, 2014
Enraged Bitcoin true believers shoot, smash iPhones after Apple yanks Bitcoin app from App Store – February 6, 2014
Apple pulls ‘Blockchain’ Bitcoin app from iTunes App Store – February 6, 2014
Apple App Store’s rocky relationship with Bitcoin apps – December 10, 2013

9 Comments

  1. Another fine reason to have our personal computers and personal devices doing things ‘constantly in the background’ and ‘periodically’ without our knowledge. Thank you Apple.

    1. Apple has protections in place, if you choose to use them. Did you read where it said “The malicious payload was not found in Mac App Store copies of these apps.” You obviously didn’t understand what that meant, and you’re probably the type of idiot that will download and install any piece of shit software that pops up and tells you to. There’s a very good reason osx is practically virus free. Dumbass.

    2. And your computer and devices would not work very well at all without background processes. Then someone like you would be whining about how your calendar was never updated when you switched to it, or your email didn’t get downloaded, or you had to wait for your document to print before you could do something else.

  2. LittleSnitch, LittleSnitch, LittleSnitch. When apps are “calling out,” I like to know where (even if the reasons are benign) which is why LittleSnitch is such an awesome app.

    It tells you which apps require outside access, and allows you to grant it to them on either a temporary or permanent basis.

    The apps you’re familiar with, allow them to do their thing. Those that you are not, you can grant them temporary permission or revoke it entirely. So if, hypothetically speaking, this “OSX/CoinThief” were operating on my machine, LittleSnitch would detect its activity, and I could block it from calling out, effectively neutralizing it, even if it were on my machine.

    And once blocked, I could then track it down, and remove it at my leisure.

    A most necessary app to have your tool chest.

    1. I agree a thousand percent. I have Little Snitch and swear by it. It just quietly stays out of the way using zero-percent of your computer’s processor cycles; that is until it detects outgoing traffic that’s *Something New*, then it kicks into action and tattles, asking you if you want to approve just this once, until shutdown, forever, or never. I can’t recommend it more.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.