OSX/CoinThief is being distributed via torrent websites

Feb 26, 2014 10:28 GMT  ·  By

OSX/CoinThief, the malware designed to steal Bitcoins from Mac users, continues to be distributed by cybercriminals. Experts say that the threat is disguised as various applications, including the popular game Angry Birds.

Initially, the threat was spotted after being posted on GitHub. Later, samples were spotted on Download.com and MacUpdate as well.

Now, ESET warns that the coin thief is being distributed through torrents. The cybercriminals have disguised it as cracked versions of various popular Mac OS X apps.

OSX/CoinThief has been seen as BBEdit, a text editor; Pixelmator, a graphic editor; Delicious Library, a media cataloguing app; and even as Angry Birds.

“There is clearly strong evidence that the trojan was specifically designed to profit from the current Bitcoin craze and fluctuating exchange rates,” security expert Graham Cluley explained on ESET’s WeLiveSecurity blog.

ESET’s LiveGrid shows that most OSX/CoinThief victims are in the United States.

OSX/CoinThief was discovered earlier this month by experts from SecureMac. Since it’s designed to steal login credentials for Bitcoin wallets and other Bitcoin-related services, the malware has been mostly disguised as apps that have something to do with the virtual currency.

For instance, it was first spotted under the name StealthBit, an app uploaded to GitHub. The source code for the app was clean, but a pre-compiled version hid the Mac OS X malware.

A few days later, SecureMac warned that the threat had been spotted on MacUpdate and Download.com under names such as Bitcoin Ticker TTM for Mac and Litecoin Ticker.

When it’s executed, the coin thief installs a web browser extension, depending on what the victim is using. The first variants only had extensions for Safari and Chrome. However, a more recent version also packs a malicious extension for Firefox.

In addition to the extension that monitors the victim’s Web traffic, the Mac malware also installs a component that runs in the background looking for wallet login credentials. When the information is obtained, it’s sent back to a server controlled by the attackers.

There are a couple of clues that reveal the presence of the threat on a computer. The malicious browser extension is called “Pop-Up Blocker.” If you see it, your device is probably infected.

Another way to check for the presence of this Mac malware is to open the Activity Monitor in the Utilities folder and look for a process called com.google.softwareUpdateAgent. This is a process created by OSX/CoinThief.
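The two indicators above can be checked without opening Activity Monitor by hand. The script below is an added example, not code from this article, ESET or SecureMac: the process name and the extension name are the ones the article gives, while the function names, the browser directory paths it searches and the sample listings it builds for its own demonstration are assumptions.

```shell
#!/bin/sh
# Added example (not from the article, ESET or SecureMac). Looks for the two
# OSX/CoinThief indicators the article names: a process called
# com.google.softwareUpdateAgent and a browser extension called "Pop-Up Blocker".
# Function names, browser paths and the constructed sample data are assumptions.

COINTHIEF_PROCESS="com.google.softwareUpdateAgent"
COINTHIEF_EXTENSION="Pop-Up Blocker"

# Exit 0 if the CoinThief process name appears anywhere in a process listing
# read from stdin (one entry per line, e.g. the output of `ps -axo comm=`).
process_indicator_present() {
    grep -F -q -- "$COINTHIEF_PROCESS"
}

# Exit 0 if the malicious extension name appears in a list of installed
# browser extension names read from stdin (one per line).
extension_indicator_present() {
    grep -F -q -- "$COINTHIEF_EXTENSION"
}

# Given a process-listing file and an extension-name file, report each
# indicator found on stderr and print how many of the two were present.
count_indicators() {
    ps_file="$1"
    ext_file="$2"
    hits=0
    if process_indicator_present < "$ps_file"; then
        echo "process indicator found: $COINTHIEF_PROCESS" >&2
        hits=$((hits + 1))
    fi
    if extension_indicator_present < "$ext_file"; then
        echo "extension indicator found: $COINTHIEF_EXTENSION" >&2
        hits=$((hits + 1))
    fi
    echo "$hits"
}

# Live check on a Mac. The extension search greps the (assumed) Safari, Chrome
# and Firefox support folders for the literal extension name, which works for
# plain-text manifests and plist files but not for compressed extension
# bundles; treat a zero here as "not seen", not as proof the host is clean.
check_live_host() {
    tmp_ps=$(mktemp)
    tmp_ext=$(mktemp)
    ps -axo comm= > "$tmp_ps"
    grep -rhoF -- "$COINTHIEF_EXTENSION" \
        "$HOME/Library/Safari" \
        "$HOME/Library/Application Support/Google/Chrome" \
        "$HOME/Library/Application Support/Firefox/Profiles" \
        2>/dev/null > "$tmp_ext"
    count_indicators "$tmp_ps" "$tmp_ext"
    rm -f "$tmp_ps" "$tmp_ext"
}

# Stand-alone demonstration on constructed sample data (an infected-looking
# host): prints "2" because both indicators are present.
demo_dir=$(mktemp -d)
printf 'launchd\nFinder\ncom.google.softwareUpdateAgent\n' > "$demo_dir/ps.txt"
printf 'AdBlock\nPop-Up Blocker\n' > "$demo_dir/ext.txt"
count_indicators "$demo_dir/ps.txt" "$demo_dir/ext.txt"
rm -rf "$demo_dir"
```

On a real Mac, call `check_live_host` instead of the demonstration at the end; a non-zero count is a reason to follow the removal advisory, while a zero only means neither string was found where the script looked.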

If you’ve seen either of these signs, check out SecureMac’s advisory on how to remove OSX/CoinThief.