CoinThief Bitcoin Trojan Found on Popular Download Sites

OSX/CoinThief, a Trojan that steals Bitcoin wallet credentials and Bitcoin-Qt private keys, has been found on the download sites MacUpdate.com and Download.com.

Phony Bitcoin ticker apps hosted on popular sites Download.com and MacUpdate.com are fronts for the OSX/CoinThief Trojan, which was built to steal Bitcoin wallet credentials and keys, and to date has drained a small number of accounts.

SecureMac lead developer Nicholas Ptacek said new variants of the Trojan targeting Mac OS X users were found on the sites and also include a browser extension for Firefox. Previous versions of CoinThief spread through a GitHub page that has since been taken down and included extensions for Safari and Google Chrome only.

The price ticker apps for Bitcoin and Litecoin are called Bitcoin Ticker TTM (To The Moon) for Mac and Litecoin Ticker. Both have been available on the sites since December; the app on Download.com was downloaded 57 times and the MacUpdate app was downloaded 356 times, Ptacek said. While the Download.com link is still available, the link on MacUpdate was disabled by the site, Ptacek said.

Efforts to contact Download.com were unsuccessful, Ptacek said.

“The two variants seen by SecureMac share the same name and developer information as two apps found in Apple’s Mac App Store,” Ptacek said. “At this time it is unclear what, if any, connection is shared between the apps. Initial analysis of the Mac App Store versions of the apps did not include the malicious payload found in the versions from download.com.”

The previously discovered versions of CoinThief installed browser extensions for Safari and Chrome that monitored browser traffic and watched for log-in attempts on a pre-loaded list of Bitcoin exchanges, such as Mt. Gox and BTC-e, and wallet sites such as blockchain.info. The extensions are generically named “Pop-up Blocker” and arrive with an equally generic description that wouldn’t raise suspicion with users or security researchers.

Aside from the Firefox extension in this variant, the payload is similar, Ptacek said. In addition to sniffing out log-in attempts, it also targets and tries to modify Bitcoin-Qt, stealing addresses and private keys from the wallet client.

“This variant actually appears to be an earlier build of the malware, as it is missing much of the code obfuscation employed in the variant we previously analyzed,” Ptacek said.

Two days ago, SecureMac reported its discovery of CoinThief on GitHub. Researchers found StealthBit, which pretended to be an app used to send and receive payments on Bitcoin Stealth Addresses. The attackers hosted both source code and a pre-compiled version of StealthBit on the code repository; the two, however, did not match. The pre-compiled app contained the CoinThief malware, which was not present in the source code. Ptacek said the malware connected to a remote server to which it sent stolen data.

“Information sent back to the server isn’t limited to Bitcoin login credentials, but also includes the username and UUID (unique identifier) for the infected Mac, as well as the presence of a variety of Bitcoin-related apps on the system,” SecureMac said on its site on Monday.

Ptacek said the remote server was registered in Australia via bitcoinwebhosting[.]net, but appeared to be hosted elsewhere. The remote server was located at www[.]media02-cloudfront[.]com, with a current IP address of 217[.]78[.]5[.]17, but it appears to be down at this time, Ptacek said.
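Two indicators in this article are directly actionable for anyone triaging a Mac: the generically named “Pop-up Blocker” extension described for the Safari, Chrome and (now) Firefox variants, and the remote server host and address given above. The following is an added example written for this article, not code from SecureMac or from the CoinThief analysis. It walks a directory tree for Chrome `manifest.json` and legacy Firefox `install.rdf` files whose declared name is on the watch list, and scans constructed DNS/proxy log lines for the reported C2 host and IP. The extension directory layout in `build_fixture()` and the log lines are assumptions constructed for the example; the watch-list name and the two network indicators come from the article itself. Safari’s packaged `.safariextz` format is not parsed here.

```python
"""Hunt for CoinThief-style indicators: generically named browser extensions
and contact with the reported C2 host. Example code written for this article."""
import json
import os
import tempfile
import xml.etree.ElementTree as ET

# Indicators as reported in the article (SecureMac, via Threatpost).
SUSPICIOUS_EXTENSION_NAMES = {"Pop-up Blocker"}
C2_INDICATORS = {"media02-cloudfront.com", "217.78.5.17"}

# Namespace used by legacy Firefox install.rdf manifests.
EM_NS = "{http://www.mozilla.org/2004/em-rdf#}"


def _chrome_name(path):
    """Return the declared 'name' of a Chrome manifest.json, or None on error."""
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh).get("name")
    except (OSError, ValueError):
        return None


def _firefox_name(path):
    """Return the em:name of a legacy Firefox install.rdf, or None on error."""
    try:
        tree = ET.parse(path)
    except (OSError, ET.ParseError):
        return None
    el = tree.getroot().find(".//" + EM_NS + "name")
    return el.text if el is not None else None


def find_suspicious_extensions(root, names=SUSPICIOUS_EXTENSION_NAMES):
    """Walk `root` and return sorted (manifest_path, name) pairs for every
    Chrome or Firefox extension whose declared name is on the watch list."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if fname == "manifest.json":
                name = _chrome_name(full)
            elif fname == "install.rdf":
                name = _firefox_name(full)
            else:
                continue
            if name and name.strip() in names:
                hits.append((full, name.strip()))
    return sorted(hits)


def find_c2_hits(log_lines, indicators=C2_INDICATORS):
    """Return the log lines that mention any C2 host or IP in `indicators`."""
    return [line for line in log_lines if any(ioc in line for ioc in indicators)]


def build_fixture():
    """Create a throwaway tree imitating the extension layout under a macOS
    home directory (assumed layout, constructed for this example): one benign
    Chrome extension, one suspicious Chrome extension, one suspicious Firefox one."""
    root = tempfile.mkdtemp(prefix="cointhief-hunt-")
    chrome = os.path.join(root, "Library/Application Support/Google/Chrome/Default/Extensions")
    firefox = os.path.join(root, "Library/Application Support/Firefox/Profiles/abc.default/extensions")
    layout = {
        os.path.join(chrome, "aaaa/1.0_0/manifest.json"): json.dumps({"name": "Adblock Example", "version": "1.0"}),
        os.path.join(chrome, "bbbb/1.0_0/manifest.json"): json.dumps({"name": "Pop-up Blocker", "version": "1.0"}),
        os.path.join(firefox, "{1234}/install.rdf"): (
            '<?xml version="1.0"?>'
            '<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
            'xmlns:em="http://www.mozilla.org/2004/em-rdf#">'
            '<Description about="urn:mozilla:install-manifest">'
            '<em:name>Pop-up Blocker</em:name></Description></RDF>'
        ),
    }
    for path, content in layout.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


# Constructed sample DNS/proxy log lines, not real captured traffic.
SAMPLE_LOG = [
    "2014-02-12T10:01:02 dns query A www.apple.com",
    "2014-02-12T10:01:09 dns query A www.media02-cloudfront.com",
    "2014-02-12T10:01:10 proxy CONNECT 217.78.5.17:80",
    "2014-02-12T10:02:00 dns query A blockchain.info",
]

if __name__ == "__main__":
    fixture_root = build_fixture()
    for path, name in find_suspicious_extensions(fixture_root):
        print(f"suspicious extension {name!r} at {path}")
    for line in find_c2_hits(SAMPLE_LOG):
        print("C2 indicator seen:", line)
```

Run against a real home directory by passing it to `find_suspicious_extensions()` in place of the fixture. A name match is a lead, not a verdict: a benign extension can legitimately be called “Pop-up Blocker”, so confirm by inspecting the extension’s content scripts for the exchange and wallet domains the article lists. The network indicators age fastest; Ptacek notes the server already appears to be down, and an IP address can be reassigned, so treat the host and IP as a historical indicator rather than a live blocklist entry.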
