A new piece of malware that targets Apple Mac OS X systems and spies on users' web traffic in order to steal their bitcoins was discovered just a couple of days ago.
SecureMac, the company responsible for the discovery, has named the Trojan OSX/CoinThief.A. According to the Mac security website, the malware disguises itself as an app for sending and receiving payments via Bitcoin Stealth Addresses. Instead of performing those functions, the Trojan spies on users' web traffic to steal the login credentials of their Bitcoin wallets.
"Initial infection occurs when a user installs and runs an app called 'StealthBit,' which was recently available for download on GitHub, a website that acts as a repository for open source code," notes SecureMac.
"The source code to Stealthbit was originally posted on Github, along with a precompiled copy of the app for download," SecureMac said.
According to the website, the precompiled version of the app did not match the version built from the source code, indicating that the precompiled version contained a malicious payload. This means that every user who downloaded the precompiled version and ran it ended up with an infected system.
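The mismatch between the precompiled download and a build from the published source is the check that would have caught this. The following is an added example, not code from SecureMac or from the StealthBit project: it hashes every artifact named in a `sha256sum`-style manifest (the kind a project would generate from a trusted from-source build) and reports which files on disk match, which differ, and which are absent. The file names and byte contents are constructed placeholders; on a Mac, `shasum -a 256 <file>` produces the same hex digest the script computes, so a manifest from one machine can be checked on another.

```python
"""Verify downloaded build artifacts against a checksum manifest (added example)."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """SHA-256 of a file, streamed so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def parse_manifest(text):
    """Parse 'sha256sum'-style lines ('<hex>  <name>' or '<hex> *<name>') into {name: hex}."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line: skip it rather than guess
        digest, name = parts
        name = name.lstrip("*")  # '*' marks binary mode in sha256sum output
        expected[name] = digest.lower()
    return expected


def verify_artifacts(directory, manifest_text):
    """Compare every file named in the manifest against the copy in `directory`.

    Returns a dict with three keys:
      'ok'       - names whose on-disk hash equals the manifest hash
      'mismatch' - {name: (expected_hex, actual_hex)} for altered files
      'missing'  - names listed in the manifest but absent from the directory
    A mismatch does not by itself prove tampering (non-reproducible builds
    also differ), but it does mean the binary is not the code that was audited.
    """
    expected = parse_manifest(manifest_text)
    result = {"ok": [], "mismatch": {}, "missing": []}
    for name, want in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            result["missing"].append(name)
            continue
        got = sha256_file(path)
        if got == want:
            result["ok"].append(name)
        else:
            result["mismatch"][name] = (want, got)
    return result


def demo():
    """Constructed scenario: a manifest produced from a from-source build is
    checked against a download directory where the precompiled copy differs."""
    with tempfile.TemporaryDirectory() as download_dir:
        # Constructed stand-ins for real binaries; the names are placeholders.
        source_built = b"StealthBit.zip built from the published source (constructed)"
        altered = source_built + b"\x00extra bytes (constructed, not the real payload)"
        readme = b"README text (constructed)"
        changelog = b"CHANGELOG text (constructed)"

        # Manifest derived from the trusted build, as a project would publish SHA256SUMS.
        manifest = (
            f"{hashlib.sha256(source_built).hexdigest()}  StealthBit.zip\n"
            f"{hashlib.sha256(readme).hexdigest()} *README\n"
            f"{hashlib.sha256(changelog).hexdigest()}  CHANGELOG\n"
        )

        # The download: README intact, precompiled app altered, CHANGELOG never shipped.
        with open(os.path.join(download_dir, "StealthBit.zip"), "wb") as f:
            f.write(altered)
        with open(os.path.join(download_dir, "README"), "wb") as f:
            f.write(readme)

        return verify_artifacts(download_dir, manifest)


if __name__ == "__main__":
    report = demo()
    print("matching:", report["ok"])
    print("missing: ", report["missing"])
    for name, (want, got) in report["mismatch"].items():
        print(f"MISMATCH {name}: manifest {want[:12]}... on disk {got[:12]}...")
```

Run it as-is to see the constructed scenario flag `StealthBit.zip`; to use it for real, build the project from source, write the manifest from that build, and point `verify_artifacts` at the directory holding the precompiled download before anything in it is executed.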
The Trojan monitors users' traffic for the login credentials of popular Bitcoin websites, including MtGox and BTC-e, and of wallets such as blockchain.info. SecureMac says that once the Trojan identifies credentials, it sends them to a remote server run by the malware authors.
When run for the first time, the Trojan installs browser extensions for Safari and Google Chrome that sniff users' web traffic. The mechanism used to install the extensions leads the browsers to treat them as intentionally installed by the user, so no warning messages are shown. Further, the Trojan installs a program that continually checks for Bitcoin wallet credentials and sends them back to a remote server.