Learn how to identify and remove the bitcoin 'thief' Trojan


A while ago we reported that a new Trojan programmed to steal bitcoins from infected computers had appeared.

The Trojan in question is OSX/CoinThief, and so far it has been distributed under four different names: BitVanity, StealthBit, Bitcoin Ticker TTM and Litecoin Ticker.

Of these, BitVanity and StealthBit were distributed through GitHub, while Bitcoin Ticker TTM and Litecoin Ticker were distributed through Download.com and MacUpdate.com respectively.

Curiously, these names were taken from legitimate applications in the Mac App Store, with the obvious purpose of deceiving the user. Worse still, once it is running in the background it installs an extension in the browser, whether Chrome, Safari or Firefox.

Once installed, the extension appears as 'Pop-Up Blocker 1.0.0', but nothing could be further from the truth: it communicates with a remote server and tries to collect login credentials as soon as a Bitcoin-related website is visited, while the malicious process stays permanently active in the background through a launchd task.

To get rid of it, follow these simple steps:

  1. Look for the process "com.google.softwareUpdateAgent" in Activity Monitor (in the Utilities folder).
  2. Check whether the "Pop-Up Blocker" extension is present in Safari, Chrome or another browser; if it is, and the process above appears in Activity Monitor, the infection must be removed.
  3. The removal is done with Terminal commands, but first delete BitVanity, StealthBit or whichever of the programs was installed by dragging it to the Trash.
  4. Open Terminal and enter this command:
    launchctl unload ~/Library/LaunchAgents/com.google.softwareUpdateAgent.plist
    This stops the malicious process running in the background. If it answers "No such file or directory, nothing found to unload", the agent is not currently loaded, but that alone is not enough to confirm the machine is clean, so continue with the remaining steps.
  5. Next, move the malware file itself to the Desktop with the following command, and then delete it by dragging it to the Trash:
    mv ~/Library/Application\ Support/.com.google.softwareUpdateAgent ~/Desktop/com.google.softwareUpdateAgent
  6. Finally, move to the Desktop in the same way the file that launchd uses to start the background process that communicates with the remote server:
    mv ~/Library/LaunchAgents/com.google.softwareUpdateAgent.plist ~/Desktop/com.google.softwareUpdateAgent.plist
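The steps above can be checked and repeated from a single script. The following POSIX sh script is an added example, not code from the original post: it scans a home directory for the two persistence artifacts the article names (the launch agent plist and the hidden file in Application Support), reports whether the background process is running, and can move both artifacts to the Desktop exactly as steps 4 to 6 do. The function names and the HOME_DIR/DEST_DIR arguments are this example's own; the artifact names and paths come from the article.

```shell
#!/bin/sh
# Added example (not part of the original post): locate and quarantine the
# OSX/CoinThief persistence artifacts named in the article.
# Function names and arguments are this example's own choices.

LABEL="com.google.softwareUpdateAgent"

# Print every artifact present under HOME_DIR, one path per line.
# Returns 0 when nothing was found (clean), 1 when at least one exists.
cointhief_scan() {
  home_dir="$1"
  hits=0
  for path in \
      "$home_dir/Library/LaunchAgents/$LABEL.plist" \
      "$home_dir/Library/Application Support/.$LABEL"
  do
    if [ -e "$path" ]; then
      printf '%s\n' "$path"
      hits=$((hits + 1))
    fi
  done
  [ "$hits" -eq 0 ]
}

# Return 0 if a process whose command line contains the label is running
# (equivalent to the Activity Monitor check in step 1; needs pgrep).
cointhief_process_running() {
  command -v pgrep >/dev/null 2>&1 || return 1
  pgrep -f "$LABEL" >/dev/null 2>&1
}

# Unload the launch agent (where launchctl exists, i.e. on macOS) and move
# both artifacts into DEST_DIR, mirroring steps 4 to 6. Returns 0 on success.
cointhief_quarantine() {
  home_dir="$1"
  dest_dir="$2"
  plist="$home_dir/Library/LaunchAgents/$LABEL.plist"
  payload="$home_dir/Library/Application Support/.$LABEL"
  mkdir -p "$dest_dir" || return 1
  if command -v launchctl >/dev/null 2>&1 && [ -e "$plist" ]; then
    # "nothing found to unload" only means the agent is not loaded right
    # now; the files still have to be moved, so ignore the exit status.
    launchctl unload "$plist" 2>/dev/null || true
  fi
  [ -e "$payload" ] && { mv "$payload" "$dest_dir/$LABEL" || return 1; }
  [ -e "$plist" ] && { mv "$plist" "$dest_dir/$LABEL.plist" || return 1; }
  return 0
}

# Stand-alone use: scan the current user's home directory and report.
if cointhief_scan "${HOME:-/nonexistent}"; then
  echo "No CoinThief launch agent or payload found."
else
  echo "CoinThief artifacts listed above; quarantine with:"
  echo "  cointhief_quarantine \"\$HOME\" \"\$HOME/Desktop\""
fi
```

After quarantining, the files on the Desktop can be dragged to the Trash as the article describes; the browser extension still has to be removed by hand, since the script only handles the two files and the launchd agent.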

All that remains is to remove any trace of the Pop-Up Blocker extension from the browser, and we can go back to browsing 'more relaxed'.

More info - A Trojan capable of stealing Bitcoins from Macs appears

