Mac Users Hit By Bitcoin-Stealing Trojan

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Follow on: Google +

A bitcoin-stealing Mac OS X Trojan has been reported in the wild, disguised as a payments application

Mac users are being targeted by a Trojan horse that monitors web activity in order to steal the Bitcoin digital currency, according to Mac security researchers SecureMac.

The Trojan, which SecureMac calls OSX/CoinThief.A, is hidden as a malicious payload attached to a program called StealthBit, an application for sending and receiving payments using an anonymous payments scheme called Bitcoin Stealth Addresses. The malware has been reported in the wild, with one user reporting having lost 12 bitcoins as a result of an infection, worth around £7,500.

Malicious payload

Source code for StealthBit available on the GitHub code repository appeared to be legitimate, but a precompiled version of the program contained the CoinThief malware, according to SecureMac. The program has now been removed from GitHub.

Bitcoin (c) Carlos Amarillo, Shutterstock“Disguised as an app to send and receive payments on Bitcoin Stealth Addresses, OSX/CoinThief.A instead acts as a dropper and installs browser extensions that monitor all web browsing traffic, looking specifically for login credentials for many popular Bitcoin websites, including MtGox and BTC-e, as well as Bitcoin wallet sites like blockchain.info,” SecureMac said in an advisory published on Sunday. “When login credentials are identified, such as when a user logs in to check their Bitcoin wallet balance, another component of the malware then sends the information back to a remote server run by the malware authors.”

CoinThief invisibly installs browser extensions for Safari and Google Chrome that monitor browsing traffic. It also installs a program that runs in the background looking for Bitcoin wallet credentials to send to a remote server. The malware can also receive remote commands, including updates.

Aside from login credentials, the malware also sends username and UUID identifier data for the infected Mac, as well as a list of bitcoin-related applications installed on the system.

The malware disguises the browser extensions by labelling them as pop-up blockers, and checks for certain security programs or code development tools on the infected system, according to SecureMac. The company recommends using security software to protect systems against this and similar threats.

Volatility

The currency has been hit by wide fluctuations in its value in recent weeks, for instance losing more than one-quarter of its value over the past weekend after Mt Gox, one of the largest and oldest virtual currency exchanges, temporarily suspended all withdrawal orders due to an issue within the Bitcoin peer-to-peer protocol.

The currency has also been affected by ongoing questions over its acceptance, with the Russian government recently declaring it illegal and the governments of China and the EU issuing warnings against Bitcoin, with concerns including a lack of consumer protections and the currency’s use in money laundering. Apple last week removed Blockchain, the only iOS Bitcoin trading application, from the iPhone App Store.

On the other hand, entrepreneur Marc Andreessen has said he sees a bright future for Bitcoin, while organisations such as the University of Cumbria have agreed to accept bitcoin payments.

Are you a security pro? Try our quiz!