OFFICIAL SECURITY BLOG


CoinThief may be older than thought

Published February 14th, 2014 at 8:43 PM EST , modified February 14th, 2014 at 8:43 PM EST

Monday saw the announcement of a new set of Bitcoin-stealing trojans, collectively named CoinThief. These applications, distributed as BitVanity, StealthBit, Bitcoin Ticker and Litecoin Ticker, were spread through a variety of sites starting in December 2013. However, another variant of this malware has since been uploaded to VirusTotal that may have been in distribution since late April or early May of 2013. Worse, although the other variants are now blocked by XProtect, this new variant is not.

This variant of CoinThief is an application named Screenflick, apparently a modified copy of a legitimate app of the same name. Comparison with the real Screenflick app shows some key differences, most notably a different executable. The executable and most of the other files in the bundle have creation dates of 4/25/2013; the remainder were created on 5/2 or 5/5. Of course, creation dates are no guarantee of anything, since they can be altered or may never have been accurate in the first place. However, the fact that they are not all identical lends a little more plausibility to the idea that this variant dates back to early 2013.
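One way to carry out that comparison, as an added example that is not from the original post: the function below walks a known-good bundle and a suspect copy, reports files whose contents differ (such as a swapped executable) and files that exist in only one of the two (such as a dropped payload). The function names, the output format and the use of cksum(1) are assumptions; on a real Mac you would point it at the two .app directories.

```shell
#!/bin/sh
# Added example, not code from the original post: differential comparison of a
# suspect .app bundle against a known-good copy. Paths, names and the choice of
# cksum are assumptions; cksum is used so the check runs on any POSIX system.

# list_files DIR: relative paths of every regular file under DIR, sorted
# (comm(1) below requires sorted input).
list_files() {
    ( cd "$1" && find . -type f | sed 's|^\./||' | sort )
}

# compare_bundles GOOD SUSPECT
# Prints one line per difference:
#   MODIFIED path   present in both, contents differ (e.g. the main executable)
#   ADDED    path   only in SUSPECT (e.g. a dropped payload or LaunchAgent plist)
#   MISSING  path   only in GOOD
# Returns 0 when the bundles are identical, 1 when any difference was found.
compare_bundles() {
    good=$1; suspect=$2
    t=${TMPDIR:-/tmp}/cb.$$
    list_files "$good" > "$t.good"
    list_files "$suspect" > "$t.suspect"
    {
        # Files common to both: compare contents by checksum, without trusting
        # timestamps, which the post notes can be altered or simply wrong.
        comm -12 "$t.good" "$t.suspect" | while IFS= read -r f; do
            [ "$(cksum < "$good/$f")" = "$(cksum < "$suspect/$f")" ] \
                || printf 'MODIFIED %s\n' "$f"
        done
        comm -13 "$t.good" "$t.suspect" | sed 's/^/ADDED    /'
        comm -23 "$t.good" "$t.suspect" | sed 's/^/MISSING  /'
    } > "$t.out"
    rm -f "$t.good" "$t.suspect"
    cat "$t.out"
    if [ -s "$t.out" ]; then rm -f "$t.out"; return 1; fi
    rm -f "$t.out"; return 0
}

# Manual usage against two bundles (paths are placeholders):
#   compare_bundles /path/to/real/Screenflick.app /path/to/suspect/Screenflick.app
```

Any MODIFIED hit under Contents/MacOS, or an ADDED plist under Contents/Resources, is the sort of difference the post describes and is where to start static analysis of the suspect copy.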

The more recent variants of CoinThief install a browser extension disguised as a pop-up blocker, as well as a hidden process named “com.google.softwareUpdateAgent” kept alive by a LaunchAgent named “com.google.softwareUpdateAgent.plist”. This earlier variant lacks the browser extension. It installs a similar hidden process, but in this case the process is named “com.google.xupdater” and the LaunchAgent is “com.google.xupdater.plist”.
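A quick check for the persistence artefacts described above, as an added example (not code from the original post): it scans LaunchAgent directories for plists that are named after, or refer to, either label, and lists any running process carrying the same name. The two label strings come from the post; the directory list, the function names and the sample plist in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: look for the LaunchAgent
# persistence used by the two CoinThief variants. The labels
# "com.google.softwareUpdateAgent" and "com.google.xupdater" are from the post;
# everything else (directories, function names) is an assumption.

# Label names reported for the two CoinThief variants.
COINTHIEF_LABELS="com.google.softwareUpdateAgent com.google.xupdater"

# Directories where a user-level or system-wide LaunchAgent would be installed.
# Kept separate so the scan can also be run against a mounted copy of a volume.
default_agent_dirs() {
    printf '%s\n' "$HOME/Library/LaunchAgents" /Library/LaunchAgents /System/Library/LaunchAgents
}

# find_cointhief_plists DIR...
# Prints the path of every plist whose file name matches a known CoinThief
# label, or whose contents mention one (the Label key need not match the file
# name, so both are checked). Returns 0 if anything was found, 1 otherwise.
find_cointhief_plists() {
    found=1
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.plist; do
            [ -f "$f" ] || continue
            for label in $COINTHIEF_LABELS; do
                # -F: the label is a fixed string, not a regex (dots would match anything).
                if [ "$(basename "$f")" = "$label.plist" ] || grep -qF "$label" "$f" 2>/dev/null; then
                    printf '%s\n' "$f"
                    found=0
                    break
                fi
            done
        done
    done
    return $found
}

# count_cointhief_plists DIR...: number of matching plists, for scripting.
count_cointhief_plists() {
    find_cointhief_plists "$@" | wc -l | tr -d ' '
}

# find_cointhief_processes: the hidden process uses the same name as its
# LaunchAgent label, so a live infection also shows up in the process list.
find_cointhief_processes() {
    for label in $COINTHIEF_LABELS; do
        ps -axo pid=,comm= 2>/dev/null | grep -F "$label"
    done
}

# Manual usage on a live Mac:
#   find_cointhief_plists $(default_agent_dirs) && echo "CoinThief LaunchAgent present"
#   find_cointhief_processes
```

A hit from find_cointhief_plists is worth a look at the plist's ProgramArguments key, which names the binary the agent keeps alive; absence of a hit is not proof of a clean system, since the scan only knows the two labels reported so far.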

At this time, although the four previously known trojans are detected by an XProtect update released on Wednesday, testing shows that this variant still runs without complaint (provided that Gatekeeper is bypassed, as it would otherwise stop the app from opening). It is also detected by only three of the anti-virus engines used on VirusTotal.

The evidence certainly suggests that this variant has been around for some time. It is unknown how it was being distributed, how many people it may have infected, or whether other older or newer variants remain to be discovered. Fortunately, it will have no real impact on anyone who does not use Bitcoin. Whether you are a Bitcoin user or not, however, this story underscores the need to be cautious about what you download and from where, especially when the software in question will be handling any kind of currency.

