Bitcoin-Stealing Mac Malware Distributed via and MacUpdate

Experts continue to analyze OSX/CoinThief

Security researchers from SecureMac continue to analyze the Bitcoin-stealing malware that targets Mac OS X users. Experts warn that the threat is being distributed under various names on a number of websites, including on MacUpdate and

So far, the malware, dubbed OSX/CoinThief, has been spotted as BitVanity and StealthBit on GitHub and as Bitcoin Ticker TTM and Litecoin Ticker on and MacUpdate.

In the case of BitVanity and StealthBit, the source code published on GitHub appeared legitimate. However, precompiled binaries available on the code repository site were malicious.

Variants of Bitcoin Ticker TTM and Litecoin Ticker distributed on and MacUpdate have also been found to disguise the Bitcoin-stealing malware. Experts say the Trojan could be distributed on other websites as well, under different names.

The developer of Bitcoin Ticker TTM says that he has only uploaded his application to the Mac App Store. He claims to have never released the source code, which indicates that the cybercriminals distributing OSX/CoinThief are stealing the names of legitimate applications, not necessarily trojanizing the original versions.

MacUpdate has removed the malicious variants of Bitcoin Ticker TTM and Litecoin Ticker, but they’re still available on

According to SecureMac experts, OSX/CoinThief is designed to install a rogue browser extension called Pop-Up Blocker 1.0.0 in Chrome, Safari and Firefox.

“The browser extensions watch your web traffic, looking for specific headers for bitcoin-related websites. They communicate with the background process, which will periodically connect to a remote server (currently offline) to exfiltrate login credentials,” SecureMac’s Nicholas Ptacek explained in a Reddit post.

If you’ve recently installed one of the aforementioned applications and you fear that your computer might be infected, here’s what you can do to see if the malware is present.

Look for a process called “” in Activity Monitor, and for the Pop-Up Blocker extension in your web browser. If either of them is present, your computer is probably infected.

For detailed instructions on how to remove OSX/CoinThief, check out Ptacek’s Reddit thread.
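The browser-extension check described above can be scripted for Chrome. The following is an added example, not code from SecureMac or from the original article. It assumes Chrome's standard profile layout under `~/Library/Application Support/Google/Chrome` and matches on the extension name and version reported here, including names stored through Chrome's `__MSG_...__` localisation placeholders.

```python
import json
from pathlib import Path

# Name and version of the rogue extension as reported in the article.
TARGET_NAME = "pop-up blocker"
TARGET_VERSION = "1.0.0"

# Assumption: default Chrome data directory on OS X; pass another root to override.
CHROME_ROOT = Path.home() / "Library/Application Support/Google/Chrome"


def display_name(manifest_path, manifest):
    """Return the extension name, resolving Chrome's __MSG_key__ localisation."""
    name = str(manifest.get("name", ""))
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    key = name[6:-2].lower()
    locale = manifest.get("default_locale", "en")
    messages = manifest_path.parent / "_locales" / locale / "messages.json"
    try:
        entries = json.loads(messages.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return name  # placeholder could not be resolved; keep it as-is
    for k, v in (entries.items() if isinstance(entries, dict) else []):
        if k.lower() == key and isinstance(v, dict):
            return str(v.get("message", name))
    return name


def find_suspect_extensions(chrome_root=CHROME_ROOT):
    """Return (extension_id, name, version, path) for manifests matching the target."""
    hits = []
    # Layout: <root>/<profile>/Extensions/<extension id>/<version dir>/manifest.json
    for mpath in sorted(Path(chrome_root).glob("*/Extensions/*/*/manifest.json")):
        try:
            manifest = json.loads(mpath.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest, skip it
        if not isinstance(manifest, dict):
            continue
        name = display_name(mpath, manifest)
        version = str(manifest.get("version", ""))
        if name.strip().lower() == TARGET_NAME and version == TARGET_VERSION:
            hits.append((mpath.parent.parent.name, name, version, str(mpath)))
    return hits


if __name__ == "__main__":
    for ext_id, name, version, path in find_suspect_extensions():
        print(f"SUSPECT {name} {version} id={ext_id} {path}")
```

A hit is a lead to investigate rather than proof of infection, since the match is on the displayed name and version only. Safari and Firefox store extensions elsewhere and are not covered by this script.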

