Several Mac users have recently reported problems caused by a new trojan horse called ‘OSX/CoinThief.A’ that spies on web browsers to steal Bitcoins. The malware infects computers by hiding inside a downloadable Bitcoin app called StealthBit, which supposedly allows users to send and receive anonymous crypto-payments.
The piece of malware was discovered by the website SecureMac. Their article explains that the app “covertly monitors all web browsing traffic in order to steal login credentials for Bitcoin wallets”.
One Redditor shared online that he had lost 20 BTC, the equivalent of almost $13,000 at the current exchange rate, as a result of the ‘CoinThief’ trojan embedded in StealthBit, ReadWrite reports.
All the Bitcoins stored on my computer (~20btc) got sent to this address: 1NkzRYkPWvz63wuLVAjb2wC6xTVQJjhNW from my encrypted multibit wallet. I foolishly installed ‘StealthBit’. Anyone else find this to be a virus? The post is still online. I found one comment suggesting the possibility.
The StealthBit app was originally posted on GitHub, a website that acts as a repository for open-source code. However, the precompiled version of the app contained a malicious payload, so when users downloaded the application the trojan discreetly installed its extensions into the Google Chrome or Safari web browsers.
The malware then monitors the browsers for login credentials for Bitcoin-related websites such as BTC-e or Blockchain. Once the information is found, the app sends it back to remote servers owned by the malware’s developer.
According to the article published on ReadWrite, the malware’s author may be connected to Reddit user ‘trevorscool’, who advertised StealthBit on the online platform at the beginning of February. That username is similar to the one — ‘Thomasrevor’ — that was used to upload StealthBit to GitHub.
If you have downloaded the ‘StealthBit’ app, the first step to protect your digital savings is to isolate the extensions that spy on your browser’s activity. To disguise them, the malware’s author gave the extensions the name ‘Pop-Up Blocker’, with the description ‘Blocks pop-up windows and other annoyances’. If you find these extensions in your browser, delete them immediately and report the issue directly to Apple.
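The check described above can be scripted for Chrome. The following is an added example, not code from SecureMac or the original article: it scans Chrome extension manifests for the name and description quoted above, resolving localized `__MSG_...__` placeholders. It assumes Chrome's default profile location on macOS, the function names are hypothetical, and Safari and Firefox extensions are not covered.

```python
import json
from pathlib import Path

# Indicators quoted in the article: the disguised extension's name and description.
IOC_NAME = "Pop-Up Blocker"
IOC_DESCRIPTION = "Blocks pop-up windows and other annoyances"
# Assumption: Chrome's default profile root on macOS.
CHROME_ROOT = Path.home() / "Library/Application Support/Google/Chrome"


def _resolve(value, ext_dir, locale):
    """Resolve a Chrome __MSG_key__ placeholder via _locales/<locale>/messages.json."""
    if not isinstance(value, str):
        return ""
    if not (value.startswith("__MSG_") and value.endswith("__")):
        return value
    key = value[6:-2].lower()  # message keys are case-insensitive
    try:
        path = ext_dir / "_locales" / locale / "messages.json"
        messages = dict(json.loads(path.read_text(encoding="utf-8-sig")))
    except (OSError, ValueError, TypeError):
        return value  # no usable locale file: keep the raw placeholder
    for k, entry in messages.items():
        if str(k).lower() == key and isinstance(entry, dict):
            return str(entry.get("message", value))
    return value


def find_suspect_extensions(chrome_root=CHROME_ROOT):
    """Return (extension_dir, name, description) for manifests matching both indicators."""
    hits = []
    # Layout: <root>/<profile>/Extensions/<extension id>/<version>/manifest.json
    for manifest_path in sorted(Path(chrome_root).glob("*/Extensions/*/*/manifest.json")):
        try:
            manifest = dict(json.loads(manifest_path.read_text(encoding="utf-8-sig")))
        except (OSError, ValueError, TypeError):
            continue  # unreadable or malformed manifest: skip it, keep scanning
        ext_dir = manifest_path.parent
        locale = str(manifest.get("default_locale", "en"))
        name = _resolve(manifest.get("name"), ext_dir, locale)
        desc = _resolve(manifest.get("description"), ext_dir, locale)
        if name.strip().lower() == IOC_NAME.lower() and IOC_DESCRIPTION.lower() in desc.lower():
            hits.append((str(ext_dir), name, desc))
    return hits


if __name__ == "__main__":
    for path, name, desc in find_suspect_extensions():
        print(f"REVIEW: {path}\n  name: {name}\n  description: {desc}")
```

A match is a lead for manual review, since an unrelated extension could carry the same name and description.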
Meanwhile, on a related note, SecureMac has also discovered that variants of OSX/CoinThief are being actively distributed through CNET’s Download.com and MacUpdate.com. This means that hundreds of Mac users have already been exposed to the malware.
These variants of the original trojan are disguised as price tickers for Bitcoin and Litecoin and work in a similar way to previously known copies. The difference is that these variants, available at Download.com since early December and downloaded 57 times since then, include a new browser extension for Firefox.