New trojan, “CoinThief,” targets Mac users, steals bitcoins | SC Media
TDR

New trojan, “CoinThief,” targets Mac users, steals bitcoins

February 11, 2014

A new trojan, which steals login credentials for Bitcoin wallets, is targeting Mac users.

According to SecureMac.com, which discovered the threat and revealed information about the malware on Sunday, the trojan, called “OSX/CoinThief.A,” pilfers Bitcoins by intercepting victims' web traffic.

Users have inadvertently installed CoinThief themselves, as it is disguised as an app called “StealthBit” that facilitates Bitcoin payments, the site said. The malicious payload was apparently found in precompiled versions of the StealthBit app, which were available for download at GitHub.com.

SecureMac revealed that, in just one case, CoinThief purloined 20 Bitcoins from a victims' wallet, costing them around $12,000.

“Disguised as an app to send and receive payments on Bitcoin Stealth Addresses, OSX/CoinThief.A instead acts as a dropper and installs browser extensions that monitor all web browsing traffic, looking specifically for login credentials for many popular Bitcoin websites, including Mt. Gox and BTC-e, as well as Bitcoin wallet sites like blockchain.info,” the site revealed. “When login credentials are identified, such as when a user logs in to check their Bitcoin wallet balance, another component of the malware then sends the information back to a remote server run by the malware authors.”

CoinThief installs malicious browser extensions for Safari and Google Chrome in order to monitor users' traffic.

In addition to stealing Bitcoin login credentials, the trojan also grabs sensitive information like Mac universally unique identifiers (UUIDs) and the system username.

The exact number of victims has yet to be divulged, but SecureMac revealed that there had already been “multiple user reports of stolen Bitcoins.”

On Tuesday, SCMagazine.com reached out to SecureMac, but did not immediately hear back. In its online post, however, the site did reveal that it would continue to update users on the threat as information became available.

prestitial ad