The Inquirer-Home

Trojan steals Bitcoins from Mac OS X users

Disguised as an app, it spies on web traffic to steal login credentials
Mon Feb 10 2014, 17:09
Malware cyber criminal

A TROJAN has been found to be stealing Bitcoins from Mac OS X users by spying on their web traffic.

The Trojan called OSX/CoinThief.A was discovered by Secure Mac after multiple user reports of stolen Bitcoins.

"The malware, which comes disguised as an app to send and receive payments on Bitcoin Stealth Addresses, instead covertly monitors all web browsing traffic in order to steal login credentials for Bitcoin wallets," Secure Mac explained.

Infection by the Trojan occurs when a user installs and runs an app called "Stealthbit", which recently was available for download on Github.

"The source code to Stealthbit was originally posted on Github, along with a precompiled copy of the app for download," Secure Mac said.

"The precompiled version of Stealthbit did not match a copy generated from the source code, as it contained a malicious payload. Users who downloaded and ran the precompiled version of Stealthbit instead ended up with infected systems."

Disguised as an app, the Trojan sends and receives payments on Bitcoin stealth addresses. It acts as a dropper and installs browser extensions that monitor all web browsing traffic, looking specifically for login credentials for popular Bitcoin websites, including Mt Gox and BTC-e, as well as Bitcoin wallet websites like

Once the login credentials have been identified, such as when a user logs in to check their Bitcoin wallet balance, another component of the malware then sends the information back to a remote server run by the malware authors, disclosing the user's information.

"Upon running the program for the first time, the malware installs browser extensions for Safari and the Google Chrome web browser, without alerting the user," Secure Mac explained. "The web browsers are tricked into thinking that the user intentionally installed the extensions, and give no warning to the user that all of their web browsing traffic is now being monitored by the malicious extensions."

The malware installs a program that continually runs in the background, looking for Bitcoin wallet login credentials, which are then sent back to a remote server. OSX/CoinThief.A can both send information to as well as receive commands from a remote server, including a functionality to update itself to newer versions from the malware author.

Information sent back to the server includes the username and unique identifier (UUID) for the infected Mac, as well as which Bitcoin related apps are on the user's system.

"The malware additionally checks to see if various security programs or code development tools are present on an infected system, which is sometimes done in an attempt to block security researchers from analysing a piece of malware," Secure Mac added.

We have contacted Apple to see if it is aware of the malware, but at the time of writing it had not responded. µ


Share this:

blog comments powered by Disqus
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

Existing User
Please fill in the field below to receive your profile link.
Sign-up for the INQBot weekly newsletter
Click here
INQ Poll

Microsoft Windows 10 poll

Which feature of Windows 10 are you most excited about?