Always Remember: With Gusto Comes Data Loss.

Mac Malware – OSX/CoinThief – How to Identify and Remove It

I noticed the other day that my XProtect file had been updated for the first time in quite a while. The reason this caught my eye is because prior to this update, the last one was back in October of 2013, and I hadn’t heard of any new threat. So I decided to do some digging. For those that don’t know what XProtect does, it is Apple’s very simple built-in Anti-Virus. It doesn’t have all the bells and whistles that you would expect from a normal AV solution, but what it does, it does pretty well. Essentially, Apple has given themselves a way to automatically help keep users protected from the most serious malware problems, without requiring them to purchase an AV.

As it turns out, there is a piece of malware floating around called OSX/CoinThief targeting Macs. As the name would imply, its goal is to steal Bitcoins from the victim. It accomplishes this by installing malicious browser plugins (for Firefox, Chrome, and Safari) that monitor user activity on the web and look for login credentials to popular Bitcoin wallet sites. This plugin disguises itself under the name “Pop-Up Blocker”. Once it successfully captures these credentials, it passes them off to a background process (com.google.softwareUpdateAgent) that it runs, in order to upload them to a command and control server.

OSX/CoinThief was originally spread through compromised downloads on CNET’s download.com, as well as MacUpdate.com. The malware was disguised as legitimate Bitcoin tickers (BitVanity, StealthBit, Bitcoin Ticker TTM, or Litecoin Ticker), ensuring that a larger portion of the downloaders would actually have Bitcoins to steal.

Recently though, a new vector for OSX/CoinThief has been seen making its rounds on torrent sites. It has been found hidden in popular cracked programs, including BBEdit, Angry Birds, Delicious Library, and Pixelmator. It functions exactly the same as the original malware; it just seems to be an attempt to spread the malware to a larger audience. According to ESET’s Live Grid, most of the infections to date are in the US.

The update to XProtect came only two days after the malware was initially discovered, indicating that Apple certainly still has their ear to the ground after the Flashback hoopla. However, as I mentioned earlier, XProtect is only a very simple solution. It seems to be sufficient thus far, but for anyone with real security concerns, I would still recommend investing in a true Anti-Virus. My personal preference at the moment is ESET’s Cyber Security (Pro). It consistently gets top marks in every independent AV review, has a very small system footprint, and very little impact on system operation.

If you would like to manually check for OSX/CoinThief, there are two ways you can do so:

  1. Open your web browser (I guess since you are reading this you already have it open) and check your plugins/extensions for one called “Pop-Up Blocker”.
  2. Open Activity Monitor and search for a process called “com.google.softwareUpdateAgent”.

To manually remove OSX/CoinThief you will have to do a little work in Terminal. If you are comfortable with this, please proceed – if not, go download a free trial of ESET.

  1. Remove the infected program (BitVanity, StealthBit, Bitcoin Ticker TTM, Litecoin Ticker, BBEdit, Angry Birds, Pixelmator, or Delicious Library – to date).
  2. Open Terminal and run the following commands:

         # Stop the background agent
         launchctl unload ~/Library/LaunchAgents/com.google.softwareUpdateAgent.plist
         # Delete the hidden item (the space in "Application Support" must be escaped)
         rm ~/Library/Application\ Support/.com.google.softwareUpdateAgent
         # Delete the LaunchAgent definition so it is not loaded again at login
         rm ~/Library/LaunchAgents/com.google.softwareUpdateAgent.plist

  3. Open your web browsers and delete the extension/plugin “Pop-Up Blocker”.
  4. Don’t forget to change your passwords to any Bitcoin wallets you have!
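
The manual process check and the file paths from the removal steps above, combined into one read-only check script. This is an added example, not part of the original post; the function names are made up for illustration, and matching the agent by name in `ps` output is an assumption about how the process appears.

```shell
#!/bin/bash
# Read-only check for the OSX/CoinThief artifacts named in this post.
# Nothing is deleted; removal stays the manual procedure above.

AGENT="com.google.softwareUpdateAgent"

# Print each artifact found under the given home directory, one per line.
# Returns 0 if at least one is present, 1 if none are.
cointhief_files() {
    local home="$1" found=1 path
    for path in \
        "$home/Library/LaunchAgents/$AGENT.plist" \
        "$home/Library/Application Support/.$AGENT"
    do
        # -e follows symlinks; -L also catches a dangling symlink.
        if [ -e "$path" ] || [ -L "$path" ]; then
            printf '%s\n' "$path"
            found=0
        fi
    done
    return "$found"
}

# Returns 0 if a process carrying the agent's name is running,
# 1 if not, 2 if ps is unavailable (assumption: the name shows in ps).
cointhief_process() {
    command -v ps >/dev/null 2>&1 || return 2
    ps -A -o comm= | grep -qF "$AGENT"
}

# Check one or more home directories (default: the current user's).
cointhief_scan() {
    local status=1 home
    [ "$#" -gt 0 ] || set -- "${HOME:-}"
    for home in "$@"; do
        if cointhief_files "$home"; then status=0; fi
    done
    if cointhief_process; then
        echo "process $AGENT is running"
        status=0
    fi
    return "$status"
}

if cointhief_scan "$@"; then
    echo "OSX/CoinThief indicators found"
else
    echo "No OSX/CoinThief indicators found"
fi
```

The script does not look at browser extensions, so the “Pop-Up Blocker” check in each browser still has to be done by hand.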
