A new Mac OS X trojan has been discovered by SecureMac. The trojan, called OSX/CoinThief.A, monitors a users’ web browsing in order to steal Bitcoins.
The trojan, called OSX/CoinThief.A, is disguised as an innocuous Bitcoin app called StealthBit that purports to send and receive anonymous payments.
The malware installs extensions in Safari and Google Chrome browsers, and then monitors traffic, looking for login credentials for various Bitcoin related websites. When the app finds login credentials, it transmits the information back to the developer of the malware. Affected Bitcoin related sites include MtGox, BTC-e, and blockchain.info.
SecureMac describes how the trojan works:
Initial infection occurs when a user installs and runs an app called “StealthBit,” which was recently available for download on GitHub, a website that acts as a repository for open source code. The source code to StealthBit was originally posted on GitHub, along with a precompiled copy of the app for download. The precompiled version of StealthBit did not match a copy generated from the source code, as it contained a malicious payload. Users who downloaded and ran the precompiled version of StealthBit instead ended up with infected systems. A user posting over the weekend on Reddit, the popular discussion site, reported losing 20 Bitcoins (currently worth upwards of $12,000 USD) to the thieves.
If you believe you may have been infected, check your browser extensions in Safari and Google Chrome for generic “Pop-Up Blocker” extensions.