February 13, 2014

Malicious programs for mining and stealing digital currency are a very common type of threat for Windows PCs. However, virus writers do not disregard other platforms. One of the virus definitions recently added to the Dr.Web virus database as Trojan.CoinThief is designed to steal bitcoins on Apple-manufactured computers.

Doctor Web's security researchers know of several Trojan.CoinThief modifications. The first samples were discovered in autumn 2013 when the bitcoin exchange rate was growing rapidly. The program is disguised as legitimate mining applications, such as BitVanity, StealthBit, Bitcoin Ticker TTM, and Litecoin Ticker. Trojan.CoinThief infects computers running Mac OS X.

It consists of several components: the installer which is distributed in the guise of a legitimate application; the agent which performs a variety of tasks (for example, it processes intercepted data, checks which applications are installed in the system, and updates itself); as well as browser extensions for filtering traffic, performing the functions of the agent, and communicating with the intruder’s command and control (C&C) server. The malware’s main objective is to monitor traffic and private data transmitted by bitcoin mining applications. Also, if Bitcoin-Qt is installed on an infected computer, Trojan.CoinThief modifies this program and steals the private data stored by the application. Criminals can use the information obtained to conduct unauthorised transactions using the victim's digital currency.

Trojan.CoinThief’s signature has been added to the virus database, so Macs that have Dr.Web for Mac OS X installed on them are fully protected from this threat.