“OSX/CoinThief has been distributed under four different names so far: BitVanity, StealthBit, Bitcoin Ticker TTM, and Litecoin Ticker,” SecureMac reports. “BitVanity and StealthBit were distributed on GitHub, while Bitcoin Ticker TTM and Litecoin Ticker were distributed on Download.com and MacUpdate.com. Both app names appear to have been taken from legitimate apps in the Mac App Store. The malicious payload was not found in Mac App Store copies of these apps.”
“When run, the malware installs a browser extension in Chrome, Safari, and Firefox, which will appear in those apps as ‘Pop-Up Blocker 1.0.0’ with the description ‘Blocks pop-up windows and other annoyances.’ There are some indications that this name and description were also taken from a legitimate browser extension. The browser extensions watch your web traffic, looking for specific headers for bitcoin-related websites. They communicate with the background process, which will periodically connect to a remote server (currently offline) to exfiltrate login credentials,” SecureMac reports. “The background process is set to be constantly running via a launchd task. Additionally, the background process will check for the presence of Bitcoin-Qt, and appears to be modifying components of Bitcoin-Qt, possibly with the intent of leaking private keys.”
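The two observable traits SecureMac describes above, a browser extension carrying a fixed name and description and a launchd job that keeps the background process running, are what an analyst would check for on a suspect Mac. The script below is an added example written for this page; it is not SecureMac's tooling and not part of their report. It assumes the standard per-user extension and launchd directories as search roots (the malware's own file names are not given on the page, so none are hardcoded), and it only matches plain-text manifests such as Chrome's manifest.json; Safari extension bundles are compressed archives, so a match there would need the bundle unpacked first.

```shell
#!/bin/sh
# Added example for this page (not SecureMac's code). Hunts for the
# "Pop-Up Blocker 1.0.0" extension marker quoted above and lists
# launchd job definitions for review. Search roots are assumptions.

MARKER_NAME="Pop-Up Blocker"
MARKER_DESC="Blocks pop-up windows and other annoyances"

# Recursively grep every text file under the given roots for either
# marker string. Prints matching paths; returns 0 if anything matched,
# 1 otherwise. Binary files (e.g. compressed .safariextz bundles) are
# skipped by -I, so those need unpacking before this check is useful.
scan_extension_roots() {
    found=1
    for root in "$@"; do
        [ -d "$root" ] || continue
        if grep -rIl -e "$MARKER_NAME" -e "$MARKER_DESC" "$root" 2>/dev/null; then
            found=0
        fi
    done
    return $found
}

# Print every launchd job plist directly inside the given directories.
# The page says the background process is kept running by a launchd
# task, so each entry here is a candidate for manual review.
list_launchd_jobs() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -maxdepth 1 -name '*.plist' 2>/dev/null
    done
}

# Assumed macOS locations for a per-user sweep; extend as needed.
main() {
    echo "== extension manifests matching the marker =="
    scan_extension_roots \
        "$HOME/Library/Application Support/Google/Chrome" \
        "$HOME/Library/Safari/Extensions" \
        "$HOME/Library/Application Support/Firefox/Profiles" \
        || echo "(no match)"
    echo "== launchd jobs to review =="
    list_launchd_jobs "$HOME/Library/LaunchAgents" \
        /Library/LaunchAgents /Library/LaunchDaemons
}

# Run the sweep only when invoked as: sh cointhief_hunt.sh scan
case "${1:-}" in
    scan) main ;;
esac
```

A hit on the marker strings is a lead, not a verdict: the quoted text notes the name and description were probably lifted from a legitimate extension, so any match should be confirmed against the extension's origin and the launchd jobs listed alongside it.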