Hackers Set Sights on Bitcoin-Stealing Malware

Stephen Yagielowicz

As if the world of bitcoin and its copycats was not cloudy enough, criminal hackers are now targeting bitcoin and other cryptocurrency users via malware injections that can (and have) resulted in the loss of the user’s coins.

While the more rabid of cryptocurrency supporters will likely dismiss these reports as they do all bad news surrounding their choice to use these technologies, even emphasizes that its users should take the time to inform themselves before using bitcoins “for any serious transaction.”

The web browsers are tricked into thinking that the user intentionally installed the extensions, and give no warning to the user that their web browsing traffic is now being monitored by the malicious extensions.

“Bitcoin should be treated with the same care as your regular wallet, or even more in some cases,” states the website. “Bitcoin makes it possible to transfer value anywhere in a very easy way and it allows you to be in control of your money. Such great features also come with great security concerns.”

One underreported “great security concern” is the OSX/CoinThief Mac Trojan.

According to SecureMac’s Nicholas Raba, the company recently discovered a new Trojan known as OSX/CoinThief.A that effectively targets Mac OSX-based computers by spying on all of a user’s web traffic in order to steal any bitcoins that user has.

“This malware has been found in the wild, and there are multiple user reports of stolen bitcoins,” Raba revealed. “The malware, which comes disguised as an app to send and receive payments on Bitcoin Stealth Addresses, instead covertly monitors all web browsing traffic in order to steal login credentials for bitcoin wallets.”

At the forefront of Apple system security since 1999, SecureMac strives to make Mac users’ computer experience secure and trouble free, via its security and privacy software offerings, MacScan and PrivacyScan.

The company offers an interesting report detailing how the CoinThief malware is initially installed on infected systems, along with data on how it disguises its behavior.

“The malware is taking the place of the main binary in the Trojanized versions of Bitcoin Ticker TTM and Litecoin Ticker, and is set up to run as an agent with a setting for LSUIElement in the Info.plist file. This makes it so the app doesn’t appear in the Dock,” states the SecureMac report. “A copy of the real Bitcoin Ticker TTM/Litecoin Ticker main binary is hidden in the app bundle [so] the first time a user runs the Trojanized version of Bitcoin Ticker TTM or Litecoin Ticker the invisible malware program is launched instead.”

CoinThief is as subtle as it is sophisticated — leaving victims unaware of the attack until they discovered their bitcoins or litecoins were missing — and unrecoverable.

“At run time, the malware program unpacks and installs its payload (the background process and web browser plugins), then moves the correct app binary for Bitcoin Ticker TTM/Litecoin Ticker back into place, and removes the LSUIElement entry from the app’s Info.plist file,” the report explains. “It then launches the original Bitcoin Ticker TTM/Litecoin Ticker app, which is now back in the correct path for the app bundle, and the user is none the wiser that a piece of malware just installed itself on their system.”

Although SecureMac notes that Apple was quick to update XProtect to defend against the two known variants of OSX/CoinThief, it is interesting that Mac rather than Windows users were targeted. Also of significant interest is the vehicle for the attack — where this malware was spread via CNET’s as well as through — two ostensibly “safe” sources for software, from which victims downloaded what they thought were price tickers for the bitcoin and litecoin cryptocurrencies.

The latest version of OSX/CoinThief also included a browser extension for Firefox, which was no doubt popular with power users believing they were ahead of the game — but don’t take that as a bash against the Mozilla folks, as earlier OSX/CoinThief versions already included malicious browser extensions for Apple’s Safari and Google’s Chrome web browsers — all of which are automatically installed without alerting the user.

“The browser extensions were given the generic name of ‘Pop-Up Blocker’ and show a similarly generic description of ‘Blocks pop-up windows and other annoyances,’” the SecureMac report explains. “The malware additionally checks to see if various security programs or code development tools are present on infected systems, which is sometimes done in an attempt to block security researchers from analyzing a piece of malware.”

The report notes that these are only some of the steps taken by malware authors to disguise their payload from casual analysis, leading to greater infection rates.

“The web browsers are tricked into thinking that the user intentionally installed the extensions, and give no warning to the user that their web browsing traffic is now being monitored by the malicious extensions,” the SecureMac report states. “[These] browser extensions look specifically for login credentials for many popular bitcoin websites as well as bitcoin wallet sites such as [and] when login credentials are identified, such as when a user logs in to check their bitcoin wallet balance, another component of the malware then sends that information back to a remote server run by the malware authors.”

This connection with the creators is a two-way street, as OSX/CoinThief can both send as well as receive commands and information from a remote server, which includes the ability to update itself to the newest version — and this exchange of information isn’t limited to the user’s bitcoin login credentials, but according to SecureMac also includes the username and UUID (unique identifier) for the infected Mac, as well as revealing the presence of a variety of bitcoin-related apps on the system for further targeting of users. and are only the newest sources of OSX/CoinThief to be discovered, however, with SecureMac previously reporting on its spread through a GitHub download of the StealthBit app. The BitVanity malware also spread via GitHub.

GitHub is a popular repository for open source code that is trusted by web developers, but SecureMac found that the precompiled version of the StealthBit app available on the site did not match a copy generated from the source code, due to its malicious payload. This infected the systems of users who downloaded and ran the precompiled version of StealthBit — resulting in attacks causing the reported loss of significant bitcoin stashes.

Consider this carefully: the services and tools that many cryptocurrency users employ in hopes of securing and trading their coins are actually putting them at risk of easy theft.

As for who is responsible for the OSX/CoinThief attacks, SecureMac notes that the two variants it has seen share the same name and developer information as two apps found in Apple’s Mac App Store, but that an initial analysis of Mac App Store versions did not include the malicious payload found in the version available from and that it is unclear if there are other variants of OSX/CoinThief being distributed under different names or on other download sites; with more details to be revealed as available.