Mac Users Targeted by Bitcoin-Stealing Trojan
Mac users are being targeted by a new Trojan with an appetite for Bitcoins, according to security firm SecureMac.
OSX/CoinThief.A sneaks onto Mac computers by piggybacking on a tainted copy of Stealthbit, which was advertised as an app to send and receive payments on Bitcoin Stealth Addresses.
Until recently, both the source code & a precompiled version of Stealthbit were available for download on GitHub. However, only the precompiled version of Stealthbit contained OSX/CoinThief.A.
Upon infection, OSX/CoinThief.A quietly installs browser extensions on Safari & Google Chrome to monitor all web traffic and snag login credentials for popular Bitcoin websites, such as MtGox & BTC-e. Stolen Bitcoin credentials are shipped off to a remote server, along with the username, UUID & list of Bitcoin-related apps installed on the infected machine.
To avoid suspicion, the malicious browser extensions installed by OSX/CoinThief.A operate under the name “Pop-up Blocker” & carry an equally generic description that simply states it blocks pop-up windows & other nuisances. Additionally, OSX/CoinThief.A tries to keep away from prying eyes by checking if a number of security & development programs are installed before setting up camp.
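The cover name described above is something a defender can hunt for directly. The script below is an added example, not code from SecureMac or from the original article: it walks Chrome's per-profile extension tree on macOS (the real layout is Extensions/<id>/<version>/manifest.json) and flags any manifest whose name matches the generic "Pop-up Blocker" label, or whose permissions let it observe every page and request the way the article describes. The extension ids, versions and manifests used in the demo are constructed for illustration; the real extension's id and description are not given on the page.

```python
"""Hunt for a browser extension hiding under a generic cover name.

Added example (not from the original article). Scans a Chrome-style
extension directory for manifests that match a watchlist name or hold
traffic-observing permissions, and reports why each one was flagged.
"""
import json
import tempfile
from pathlib import Path

# Cover name the article reports for the malicious extension.
WATCHLIST_NAMES = {"pop-up blocker", "popup blocker"}

# Chrome's default-profile extension tree on macOS (real path).
CHROME_EXT_DIR = (Path.home() /
                  "Library/Application Support/Google/Chrome/Default/Extensions")


def assess_manifest(manifest):
    """Return a list of human-readable reasons this manifest deserves review.

    An empty list means nothing in the manifest matched.
    """
    reasons = []
    name = str(manifest.get("name", "")).strip().lower()
    if name in WATCHLIST_NAMES:
        reasons.append("name matches generic cover name from the report")
    perms = set(manifest.get("permissions", []))
    if "<all_urls>" in perms:
        reasons.append("host permission <all_urls> (can read every page)")
    if "webRequest" in perms:
        reasons.append("webRequest permission (can observe all traffic)")
    return reasons


def scan_extensions(ext_root):
    """Scan Extensions/<id>/<version>/manifest.json under ext_root.

    Returns one dict per flagged manifest: extension id, declared name,
    reasons, and the manifest path, so an analyst can pull the files.
    Note: Chrome localises some names as "__MSG_name__"; those are not
    resolved here, so a watchlist match on such names is missed.
    """
    hits = []
    root = Path(ext_root)
    if not root.is_dir():
        return hits
    for manifest_path in sorted(root.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, keep scanning
        reasons = assess_manifest(manifest)
        if reasons:
            hits.append({
                "id": manifest_path.parents[1].name,  # Extensions/<id>/...
                "name": manifest.get("name"),
                "reasons": reasons,
                "path": str(manifest_path),
            })
    return hits


# Constructed sample tree: one extension mimicking the cover name and
# broad permissions described in the article, one narrow benign one.
SAMPLE_MANIFESTS = {
    "aaaaexampleid/1.0_0/manifest.json": {
        "name": "Pop-up Blocker",
        "description": "Blocks pop-up windows and other nuisances.",
        "permissions": ["webRequest", "webRequestBlocking", "<all_urls>"],
    },
    "bbbbexampleid/2.3_0/manifest.json": {
        "name": "Example Notes",
        "description": "Keeps short notes.",
        "permissions": ["storage"],
    },
}


def build_demo_tree():
    """Write the constructed manifests into a temp dir shaped like Chrome's."""
    tmp = Path(tempfile.mkdtemp(prefix="ext_demo_"))
    for rel, body in SAMPLE_MANIFESTS.items():
        path = tmp / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(body), encoding="utf-8")
    return str(tmp)


if __name__ == "__main__":
    # Run against the constructed tree; swap in CHROME_EXT_DIR on a real host.
    for hit in scan_extensions(build_demo_tree()):
        print(f"{hit['id']}  {hit['name']!r}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

On a live machine, pass CHROME_EXT_DIR instead of the demo tree. A legitimate ad blocker will also carry webRequest and <all_urls>, so the permission reasons alone are a review cue, not a verdict; the name match is the stronger signal for this particular threat.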
A VirusTotal report shows that only 1 of 50 antivirus solutions flags this Trojan as a threat, and that one is Rising Antivirus. That doesn’t do Mac/OS X users any good, though, since Rising Antivirus software only runs on Windows. Rising Antivirus identifies the Trojan as RTF:Malware.OddRTF/Heur!1.9E6F. (Update 4/24/14: The detection rate has increased since this article was first published, and 23 of 50 antivirus solutions now recognize this threat.)
At least one user has already fallen victim to OSX/CoinThief.A. Reddit user allinfinite reported that all of the bitcoins on his computer were stolen after installing Stealthbit on his machine. Meanwhile, comments posted on a separate Reddit thread hint at the possibility that Stealthbit was created by the same person behind another Bitcoin-stealing Trojan, Bitvanity.
Be careful what you download onto your Mac, folks!
Update: SecureMac has confirmed that OSX/CoinThief has been distributed under the name BitVanity, along with Bitcoin Ticker TTM and Litecoin Ticker. Stealthbit & BitVanity were available on GitHub, while Bitcoin Ticker TTM & Litecoin Ticker were hosted on download.com and macupdate.com.