We’ve moved! You can now read the latest and greatest on Mac adware and malware at Malwarebytes.

New CoinThief malware discovered

Published February 10th, 2014 at 10:32 AM EST , modified February 10th, 2014 at 10:32 AM EST

A new Mac trojan, named OSX/CoinThief.A by SecureMac, has been discovered. This malware is designed to steal Bitcoins from infected machines, and is disguised as an app intended to be used for sending and receiving Bitcoin payments. Although the average user is not likely to be affected by this, it has cost at least one user around $12,000 in lost Bitcoins, according to SecureMac.

CoinThief iconThe malware was apparently available on Github for a while, pretending to be an open-source app named StealthBit. However, the source code posted on Github did not actually match the code used to create the precompiled binary that was also available on the same Github page. This is the first time, to my knowledge, that this trick has been used, and it points out that just because an app seems to be open source, you can’t rely on the integrity of the app unless you have personally inspected all the code and then compiled the app from that code.

The app itself is not signed with a valid developer ID. This means, of course, that it is blocked by default by the Gatekeeper security system in recent versions of Mac OS X. Of course, someone who is downloading open source software is going to expect this sort of thing, and will likely bypass Gatekeeper in order to open this app.

CoinThiefOnce opened, the app seems to be what it pretends to be, and there’s no sign of any monkey business. The app does not request an admin password, which might tip off a savvy user, or do anything else unexpected. However, in reality, by the time the user sees the window shown here, the app has already dropped its payload into the system.

CoinThief extensionThe first thing the app installs is a browser extension, in both Safari and Chrome (if installed). This extension is deceptively-named “Pop-Up Blocker” and claims to have been made by someone named Eric Wong. Clicking the link to visit the developer’s site goes to the KangoExtensions website. It’s unclear at this time whether KangoExtensions actually has something to do with this malware or whether their identity was stolen for the purpose of making the extension seem more convincing. (Personally, my money would be on the latter… it’s very unlikely that the hacker involved would give himself credit and link to his own site.) It is possible, though, that the Kango framework was used to create the malicious extension.

In addition to the browser extensions, the malware also installs a LaunchAgent that keeps a process alive. The LaunchAgent is placed here:


This obviously seems to belong to Google, but it actually does not. The process that this LaunchAgent keeps running is stored here:

~/Library/Application Support/

Due to the leading ‘.’ (period) character at the beginning of the folder name, this item is hidden from the user. This method of hiding something somewhere inside the user’s home folder is a pretty typical malware trick. Even if the user happens to discover this item, they may not think it’s concerning, although a savvy user would have a big red flag raised by the invisibility.

Once installed, the malware is capable of snooping on all web browsing and Bitcoin-related activities, and can communicate with a command & control server to transmit stolen information back to the hackers and receive new updates. It is unclear at this point whether it includes any other backdoor capabilities.

At this point, samples uploaded to VirusTotal are identified by at most one anti-virus engine at the time of this writing. Other than the limited blocking provided by Gatekeeper, it is also not yet blocked by any version of Mac OS X.

Researchers who want to get their hands on a copy can find the full StealthBit app on VirusTotal with the following SHA-1 checksum:


Tags: , , , , ,

One Comment

  • Nicholas Ptacek says:

    Kango Extensions appears to simply be a framework to create cross-browser extensions. Analysis of both the Safari and Chrome extensions installed by the malware support this theory.

    There are indications that the malware author previously distributed similar malware under the name “BitVanity” as well. An infected user contacted us with a copy of that variant, which we are currently analyzing. We’ll be keeping our initial report on OSX/CoinThief ( updated as further details emerge.

This post is more than 90 days old and has been locked. No further comments are allowed.