Security research site SecureMac has discovered a new trojan horse that is targeted for OS X systems, and which spies on internet traffic use to steal Bitcoins.
The trojan, called OS X/CoinThief.A, is disguised as a standard OS X application called StealthBit, which was recently uploaded to GitHub. While advertised as a legitimate project for receiving Bitcoin payments on Bitcoin Stealth Addresses (a key encryption routine for securing a bitcoin transfer), the StealthBit instead was a guise to install malicious tracker software on unsuspecting Mac users.
The project page on GitHub included source code along with precompiled binaries for those without the means to compile their own. While this is a common and convenient practice for GitHub projects, in this case the precompiled binary did not match the project's source code, and instead contained the malware for tracking user's Web activity.
When downloaded and run, the binary would install a browser extension in the user's home folder that would run when Safari or another Web browser was launched. This extension would then monitor the sites that users visit, and log credentials entered into them, in order to send account information for BitCoin sites, along with information about the user's system, to third party servers.
In order to disguise the extension, the criminals behind it have given it generic names like "Pop-up blocker," and attempted to prevent its discovery by having it search for installations of common anti-malware tools and not install on systems containing them.
Being a relatively new growing market with recent prices closing at around $700 per coin, BitCoin trading has attracted a number of attempts to mine, steal, and otherwise capitalize on this currency, and this latest malware is only the latest attempt to do so.
For now, not much is know about OSX/CoinThief.A, and SecureMac and other security analysts are continuing to investigate the malware; however, if you have recently downloaded a BitCoin management tool from GitHub, then for now you can check your browser's active extensions to see if any are present that you did not specifically install.
For Safari users, you can go to the Extensions section of Safari's preferences to view active extensions. For Firefox, you can select Add-ons from the Tools menu, and then click the Extensions section, and in Chrome you can select Extensions from the Window menu. If you find unknown extensions in these locations, then you can disable or remove them, but then re-check periodically to see if they reappear, as such activity would indicate a persistent component of the malware that keeps the extension installed and active.
This malware is known to install background tasks that launch automatically when users log into their accounts. These routines are generally managed by Launch Agent scripts, which are located in the username > Library > LaunchAgents folder. While launch agents are commonly used by updaters and other programs you run to give you alerts and to schedule update checks, they are also used by malware developers to keep malicious programs alive in the background.
By opening each launch agent and checking the "Program Arguments" or "Program" key, you can see what executable (and its corresponding path) is being targeted by that launch agent, and then check various online sources such as the Apple Support Communities to see if the paths and executables are legitimate.
Unfortunately, sometimes launch agent manipulation by malware developers can be somewhat difficult to identify, especially since a launch agent and executable can be easily masked to look legitimate. Therefore, if you are uncertain of how to look for and remove malware, you might use a reputable anti-malware scanner that has been updated to identify CoinThief.A.
As the investigation into this malware develops, definitions for it and any future variants of it will become available, and which can be used to better detect its presence and remove it from an infected system.