Mac Bitcoin-stealing Trojan lurks on download sites and GitHub
CoinThief, the recently discovered Bitcoin-stealing Trojan that targets Mac users, has been spotted being offered on several download websites such as CNET’s Download.com and MacUpdate.com, as well as masquerading as precompiled binaries in several GitHub projects.
The malware’s initial variant installs browser extensions for Safari and Google Chrome that monitor all web browsing traffic, looking specifically for login credentials for many popular Bitcoin websites as well as Bitcoin wallet sites and login credentials.
These newer variants have already been made to include also a browser extension for Firefox (“Pop-Up Blocker 1.0.0”).
“The malware is being distributed disguised as price tickers for Bitcoin (“Bitcoin Ticker TTM for Mac”) and Litecoin (“Litecoin Ticker”), which have been available on download.com since early December. According to the download stats, the malware has been downloaded 57 times,” SecureMac researchers noted.
“The two variants seen by SecureMac share the same name and developer information as two apps found in Apple’s Mac App Store. At this time it is unclear what, if any, connection is shared between the apps. Initial analysis of the Mac App Store versions of the apps did not include the malicious payload found in the versions from download.com.”
Fortunately, the two websites have already reacted and removed the malware.
In a Reddit thread initiated by Nicholas Ptacek, lead developer at SecureMac, the developer of Bitcoin Ticker TTM has noted that his original app was never open source, so it seems like his app was never trojanized, and that only its and his name was used to trick users into downloading the malware.
Ptacek also shared that the malware is being distributed on GitHub in the BitVanity and StealthBit projects.
“While the source code for those two projects looked to be legit, the precompiled binaries were definitely malicious,” he confirmed, and wrote in details about how to remove the malware from the system if you have been infected.
Still, it would be probably wrong to assume that the malware is not still being distributed on other download sites and under different names, so be careful when downloading anything, and check for the malicious extension.