Security website SecureMac has discovered a new Mac OS X trojan called OSX/CoinThief.A, disguised as a Bitcoin app called ‘StealthBit’, which spies on users’ web browsing traffic in order to steal Bitcoins, MacRumors is reporting. The malware, which poses as an app to send and receive payments on Bitcoin Stealth Addresses, was found to be stealing login credentials for Bitcoin wallets.
The source details that the app, which was recently posted on open-source website GitHub, installs browser extensions in Safari and Google Chrome that look for login credentials for a number of Bitcoin-related websites, including MtGox, BTC-e, and blockchain.info. Additionally, the malware installs a program that continually runs in the background, looking for Bitcoin wallet login credentials. Once the app finds these login credentials, it sends them back to the malware’s developer.
The source code to StealthBit was originally posted on GitHub, along with a precompiled copy of the app for download. The precompiled version of StealthBit did not match a copy generated from the source code, as it contained a malicious payload. Users who downloaded and ran the precompiled version of StealthBit instead ended up with infected systems. A user posting over the weekend on Reddit, the popular discussion site, reported losing 20 Bitcoins (currently worth upwards of $12,000 USD) to the thieves.
The security website further notes that the information sent back to the server isn’t limited to Bitcoin login credentials, but also includes the username and UUID for the infected Mac.
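The mismatch described above, between the precompiled download and a copy built from the published source, is something a user can check for before running a binary release. The following is an added example, not code from SecureMac or the StealthBit repository: it hashes every file in two app bundle directories and reports what the download adds, lacks, or changes. The bundle name `Example.app` and all file contents are constructed sample data.

```python
import hashlib, os, tempfile

def hash_tree(root):
    """Map every file path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):  # record the link target, do not follow it
                digests[rel] = "symlink:" + os.readlink(full)
                continue
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare_bundles(downloaded, built):
    """Report files added to, missing from, or changed in the download."""
    d, b = hash_tree(downloaded), hash_tree(built)
    return {
        "only_in_download": sorted(set(d) - set(b)),
        "only_in_build": sorted(set(b) - set(d)),
        "content_differs": sorted(p for p in set(d) & set(b) if d[p] != b[p]),
    }

def write_tree(root, files):
    """Helper for the demo: create files from a {relative_path: bytes} map."""
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

def demo():
    """Run the comparison on two constructed trees (not real StealthBit files)."""
    with tempfile.TemporaryDirectory() as tmp:
        built = os.path.join(tmp, "built", "Example.app")
        downloaded = os.path.join(tmp, "downloaded", "Example.app")
        common = {"Contents/Info.plist": b"<plist/>"}
        write_tree(built, {**common, "Contents/MacOS/Example": b"built-from-source"})
        write_tree(downloaded, {**common,
                                "Contents/MacOS/Example": b"shipped-binary",
                                "Contents/Resources/extra.bin": b"not-in-source"})
        return compare_bundles(downloaded, built)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

A changed executable alone is not conclusive, because two builds of the same source are often not byte-identical; files that exist only in the download are the stronger signal and the first thing to inspect.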