A new Trojan is being used to pick-pocket bitcoins from Mac OS X users.
The malware, dubbed OSX/CoinThief.A, was discovered by Secure Mac, and works by sniffing web traffic for login information for popular bitcoin sites.
“The malware, which comes disguised as an app to send and receive payments on Bitcoin Stealth Addresses, instead covertly monitors all web browsing traffic in order to steal login credentials for Bitcoin wallets,” according to the Secure Mac blog.
The Trojan can add itself to the growing list of malware targeting bitcoin users. Last month, researchers at LogRhythm uncovered a campaign that spammed out emails with links leading to bitcoin-stealing malware that infected thousands of users. In addition, the malvertising attack that hit Yahoo users in Europe sought to turn infected computers into bitcoin-mining machines.
In this case, the attack started with an app called ‘StealthBit.’ A precompiled version of the app was posted on GitHub along with its source code. The precompiled version did not match a copy generated from the source code; instead, it contained a malicious payload that infected anyone who downloaded and ran the precompiled version.
Disguised as an app designed to send and receive payments on Bitcoin Stealth Addresses, the Trojan actually acts as a dropper and installs browser extensions that monitor all web traffic on the lookout for login credentials for sites such as BTC-e and Mt. Gox.
“The precompiled version of StealthBit did not match a copy generated from the source code, as it contained a malicious payload. Users who downloaded and ran the precompiled version of StealthBit instead ended up with infected systems,” according to Secure Mac. “A user posting over the weekend on Reddit, the popular discussion site, reported losing 20 Bitcoins (currently worth upwards of $12,000 USD) to the thieves.”
“When login credentials are identified, such as when a user logs in to check their Bitcoin wallet balance, another component of the malware then sends the information back to a remote server run by the malware authors,” Secure Mac continued.
The first time the user runs the program, the malware installs browser extensions for Safari and Google Chrome without alerting the user. The malware installs a program that continually runs in the background looking for the login information.
“OSX/CoinThief.A can both send information to as well as receive commands from a remote server, including a functionality to update itself to newer versions from the malware author,” according to the blog. “Information sent back to the server isn’t limited to Bitcoin login credentials, but also includes the username and UUID (unique identifier) for the infected Mac, as well as the presence of a variety of Bitcoin-related apps on the system.”
Related: Bitcoin Exchanges Hit By Hackers
More from Brian Prince
- U.S. Healthcare Companies Hardest Hit by ‘Stegoloader’ Malware
- CryptoWall Ransomware Cost Victims More Than $18 Million Since April 2014: FBI
- New Adobe Flash Player Flaw Shares Similarities With Previous Vulnerability: Trend Micro
- Visibility Challenges Industrial Control System Security: Survey
- Adobe Flash Player Zero-Day Exploited in Attack Campaign
- Researchers Demonstrate Stealing Encryption Keys Via Radio
- Researchers Uncover Critical RubyGems Vulnerabilities
- NSA, GCHQ Linked to Efforts to Compromise Antivirus Vendors: Report
Latest News
- Mandiant Catches Another North Korean Gov Hacker Group
- Microsoft Puts ChatGPT to Work on Automating Cybersecurity
- Video: How to Build Resilience Against Emerging Cyber Threats
- Nigerian BEC Scammer Sentenced to Prison in US
- China’s Nuclear Energy Sector Targeted in Cyberespionage Campaign
- SecurityScorecard Guarantees Accuracy of Its Security Ratings
- ChatGPT Data Breach Confirmed as Security Firm Warns of Vulnerable Component Exploitation
- 14 Million Records Stolen in Data Breach at Latitude Financial Services
