osx.cointhief (Back to overview)


CoinThief was a malware package designed to steal Bitcoins from the victim, consisting of a binary patcher, browser extensions, and a backdoor component.

It was spreading in early 2014 from several different sources:
- on Github (where the trojanized compiled binary didn’t match the displayed source code), o
- on popular and trusted download sites line CNET's or, and
- as cracked applications via torrents camouflaged as Bitcoin Ticker TTM, BitVanity, StealthBit, Litecoin Ticker, BBEdit, Pixelmator, Angry Birds and Delicious Library.

The patcher‘s role was to locate and modify legitimate versions of the Bitcoin-Qt wallet application. The analyzed malware samples targeted versions of Bitcoin-Qt 0.8.1, 0.8.0 and 0.8.5. The earlier patch modified Bitcoin-Qt adding malicious code that would send nearly all the victim’s Bitcoins to one of the hard-coded addresses belonging to the attacker.

The browser extensions targeted Chrome and Firefox and are disguised as a “Pop-up blocker”. The extensions monitored visited websites, download malicious JavaScripts and injected them into various Bitcoin-related websites (mostly Bitcoin exchanges and online wallet sites). The injected JS scripts were able to modify transactions to redirect Bitcoin transfers to an attacker’s address or simply harvest login credentials to the targeted online service.

The backdoor enabled the attacker to take full control over the victim’s computer:
- collect information about the infected computer
- execute arbitrary shell scripts on the target computer
- upload an arbitrary file from the victim’s hard drive to a remote server
- update itself to a newer version

2016-03-21AT&T CybersecurityEddie Lee, Krishna Kona
@online{lee:20160321:os:892f883, author = {Eddie Lee and Krishna Kona}, title = {{OS X Malware Samples Analyzed}}, date = {2016-03-21}, organization = {AT&T Cybersecurity}, url = {}, language = {English}, urldate = {2019-11-17} } OS X Malware Samples Analyzed
Careto CoinThief FlashBack
2014-02-16Put As blogosxreverser
@online{osxreverser:20140216:analysis:448d0df, author = {osxreverser}, title = {{Analysis of CoinThief/A "dropper"}}, date = {2014-02-16}, organization = {Put As blog}, url = {}, language = {English}, urldate = {2020-01-06} } Analysis of CoinThief/A "dropper"

There is no Yara-Signature yet.