SecureMac has discovered a new Trojan Horse called OSX/CoinThief.A, which targets Mac OS X and spies on web traffic to steal Bitcoins. This malware has been found in the wild, and there are multiple user reports of stolen Bitcoins. The malware, which comes disguised as an app to send and receive payments on Bitcoin Stealth Addresses, instead covertly monitors all web browsing traffic in order to steal login credentials for Bitcoin wallets.
Initial infection occurs when a user installs and runs an app called “StealthBit,” which was recently available for download on GitHub, a website that acts as a repository for open source code. The source code to StealthBit was originally posted on GitHub, along with a precompiled copy of the app for download. The precompiled version of StealthBit did not match a copy generated from the source code, as it contained a malicious payload. Users who downloaded and ran the precompiled version of StealthBit instead ended up with infected systems.
Disguised as an app to send and receive payments on Bitcoin Stealth Addresses, OSX/CoinThief.A instead acts as a dropper and installs browser extensions that monitor all web browsing traffic, looking specifically for login credentials for many popular Bitcoin websites, including MtGox and BTC-e, as well as Bitcoin wallet sites like blockchain.info. When login credentials are identified, such as when a user logs in to check their Bitcoin wallet balance, another component of the malware then sends the information back to a remote server run by the malware authors.
Full details of this trojan horse targeting Mac OS X are available on SecureMac. This is a developing story, and SecureMac will update their advisory page as more information becomes available.
New Apple Mac Trojan Called OSX/CoinThief Discovered: