Mac Bitcoin-stealing Trojan lurks on download sites and GitHub
Posted on 13.02.2014
CoinThief, the recently discovered Bitcoin-stealing Trojan that targets Mac users, has been spotted being offered on several download websites such as CNET's Download.com and MacUpdate.com, as well as masquerading as precompiled binaries in several GitHub projects.


The malware's initial variant installs browser extensions for Safari and Google Chrome that monitor all web browsing traffic, looking specifically for login credentials for many popular Bitcoin exchange and wallet websites.

Newer variants also include a browser extension for Firefox ("Pop-Up Blocker 1.0.0").

"The malware is being distributed disguised as price tickers for Bitcoin ("Bitcoin Ticker TTM for Mac") and Litecoin ("Litecoin Ticker"), which have been available on download.com since early December. According to the download stats, the malware has been downloaded 57 times," SecureMac researchers noted.

"The two variants seen by SecureMac share the same name and developer information as two apps found in Apple's Mac App Store. At this time it is unclear what, if any, connection is shared between the apps. Initial analysis of the Mac App Store versions of the apps did not include the malicious payload found in the versions from download.com."

Fortunately, the two websites have already reacted and removed the malware.

In a Reddit thread initiated by Nicholas Ptacek, lead developer at SecureMac, the developer of Bitcoin Ticker TTM noted that his original app was never open source, so it seems his app was never trojanized, and that only the app's name and his own were used to trick users into downloading the malware.

Ptacek also shared that the malware is being distributed on GitHub in the BitVanity and StealthBit projects.

"While the source code for those two projects looked to be legit, the precompiled binaries were definitely malicious," he confirmed, and wrote in detail about how to remove the malware from the system if you have been infected.

Still, it would probably be wrong to assume that the malware is not still being distributed on other download sites and under different names, so be careful when downloading anything, and check your browsers for the malicious extension.

Copyright 1998-2014 by Help Net Security.