Mac OS X Trojan That Steals Bitcoins Spotted in the Wild

The malware is disguised as an app called StealthBit

By on February 10th, 2014 12:50 GMT

Security researchers from SecureMac warn Mac OS X users of a new Trojan that’s designed to steal login credentials for their Bitcoin wallets. The threat has been spotted in the wild.

This piece of Mac OS X malware has been dubbed OSX/CoinThief.A. Cybercriminals are distributing it by disguising it as an app called StealthBit, which is allegedly designed to facilitate transactions on Bitcoin Stealth Addresses.

The application’s source code and a pre-compiled version were published on GitHub. Experts say the source code is clean, but the pre-compiled variant hides OSX/CoinThief.A.

Once it infects a computer, the Trojan installs a browser extension that monitors traffic. It then waits for the victim to visit a Bitcoin wallet website, such as MtGox, blockchain.info or BTC-e, and steals their credentials.

The stolen information is sent back to the attackers by a different component of OSX/CoinThief.A. A Reddit user has already reported losing 20 Bitcoins.

The malicious browser extensions are designed for Safari and Chrome. The browsers don’t warn the victim when the rogue extensions are deployed because OSX/CoinThief.A tricks them into thinking that the extensions were installed by the user.

“Information sent back to the server isn't limited to Bitcoin login credentials, but also includes the username and UUID (unique identifier) for the infected Mac, as well as the presence of a variety of Bitcoin-related apps on the system,” experts explained.

The Mac OS X Trojan is also capable of updating itself to a newer variant. The threat also checks to see if any tools that might be used by security researchers are installed on the device.

The browser extension installed by OSX/CoinThief.A is named something like “Pop-Up Blocker.” Users who fear that their devices might be infected should check to see if the component is present in Safari or Chrome.
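As an added example that is not part of the article or of SecureMac's research, the following POSIX shell script performs the check described above: it lists Chrome and Safari extensions whose name resembles "Pop-Up Blocker". The extension directory layouts and the loose name pattern are assumptions, since the article gives only an approximate name.

```shell
#!/bin/sh
# Added example (not from the article or SecureMac): look for a browser
# extension whose name resembles the "Pop-Up Blocker" name the article gives
# for OSX/CoinThief.A. Paths are the usual 2014-era per-user locations and are
# assumptions; the real name may differ, so the match is loose and case-insensitive.
PATTERN='pop-*up *blocker'

# Print the "name" field of a Chrome manifest.json without needing jq.
# Localised names appear as "__MSG_key__" and must be checked by hand.
chrome_ext_name() {
    grep -o '"name"[[:space:]]*:[[:space:]]*"[^"]*"' "$1" 2>/dev/null \
        | head -n 1 | sed 's/.*:[[:space:]]*"//; s/"$//'
}

# Walk a Chrome profile's Extensions dir (<id>/<version>/manifest.json).
# Prints "chrome<TAB>id<TAB>name" per match; returns 0 only if one was found.
scan_chrome() {
    found=1
    [ -d "$1" ] || return 1
    for manifest in "$1"/*/*/manifest.json; do
        [ -f "$manifest" ] || continue
        name=$(chrome_ext_name "$manifest")
        if printf '%s\n' "$name" | grep -qi "$PATTERN"; then
            printf 'chrome\t%s\t%s\n' \
                "$(basename "$(dirname "$(dirname "$manifest")")")" "$name"
            found=0
        fi
    done
    return $found
}

# Safari of that era kept each extension as <Display Name>.safariextz.
scan_safari() {
    found=1
    [ -d "$1" ] || return 1
    for ext in "$1"/*.safariextz; do
        [ -f "$ext" ] || continue
        if basename "$ext" | grep -qi "$PATTERN"; then
            printf 'safari\t%s\n' "$(basename "$ext")"
            found=0
        fi
    done
    return $found
}

hit=1  # scan the current user's default locations; pass others as $1/$2
scan_chrome "${1:-$HOME/Library/Application Support/Google/Chrome/Default/Extensions}" && hit=0
scan_safari "${2:-$HOME/Library/Safari/Extensions}" && hit=0
[ $hit -eq 0 ] || echo "no extension matching '$PATTERN' was found"
```

A hit is only a lead: confirm it by inspecting the extension's contents, since a legitimate pop-up blocker could carry the same name.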
