A new Trojan is being used to pick-pocket bitcoins from Mac OS X users.
The malware, dubbed OSX/CoinThief.A, was discovered by Secure Mac, and works by sniffing web traffic for login information for popular bitcoin sites.
“The malware, which comes disguised as an app to send and receive payments on Bitcoin Stealth Addresses, instead covertly monitors all web browsing traffic in order to steal login credentials for Bitcoin wallets,” according to the Secure Mac blog.
The Trojan can add itself to the growing list of malware targeting bitcoin users. Last month, researchers at LogRhythm uncovered a campaign that spammed out emails with links leading to bitcoin-stealing malware that infected thousands of users. In addition, the malvertising attack that hit Yahoo users in Europe sought to turn infected computers into bitcoin-mining machines.
In this case, the attack started with an app called ‘StealthBit.’ A precompiled version of the app was posted on GitHub along with its source code. The precompiled version did not match a copy generated from the source code; instead, it contained a malicious payload that infected anyone who downloaded and ran the precompiled version.
Disguised as an app designed to send and receive payments on Bitcoin Stealth Addresses, the Trojan actually acts as a dropper and installs browser extensions that monitor all web traffic on the lookout for login credentials for sites such as BTC-e and Mt. Gox.
“The precompiled version of StealthBit did not match a copy generated from the source code, as it contained a malicious payload. Users who downloaded and ran the precompiled version of StealthBit instead ended up with infected systems,” according to Secure Mac. “A user posting over the weekend on Reddit, the popular discussion site, reported losing 20 Bitcoins (currently worth upwards of $12,000 USD) to the thieves.”
“When login credentials are identified, such as when a user logs in to check their Bitcoin wallet balance, another component of the malware then sends the information back to a remote server run by the malware authors,” Secure Mac continued.
The first time the user runs the program, the malware installs browser extensions for Safari and Google Chrome without alerting the user. The malware installs a program that continually runs in the background looking for the login information.
“OSX/CoinThief.A can both send information to as well as receive commands from a remote server, including a functionality to update itself to newer versions from the malware author,” according to the blog. “Information sent back to the server isn’t limited to Bitcoin login credentials, but also includes the username and UUID (unique identifier) for the infected Mac, as well as the presence of a variety of Bitcoin-related apps on the system.”
Related: Bitcoin Exchanges Hit By Hackers