Skip to content ↓ | Skip to navigation ↓

Researchers have discovered that variants of the OSX/CoinThief malware that targets Mac users and pilfers Bitcoins have been distributed by way of CNET’s Download.com, and had been available on MacUpdate.com until they were removed.

The latest variants of the malicious code are similar to previous versions but have been updated to include a Firefox browser extension, and are marketed as digital price tickers “Bitcoin Ticker TTM for Mac” and “Litecoin Ticker” which have been available the download sites since December.

“The two variants seen by SecureMac share the same name and developer information as two apps found in Apple’s Mac App Store,” the researchers stated. “At this time it is unclear what, if any, connection is shared between the apps. Initial analysis of the Mac App Store versions of the apps did not include the malicious payload found in the versions from download.com.”

Softpedia reports that the developer of the Bitcoin Ticker TTM app says that he has made his application available on the Mac App Store, and says he has never released the source code, which makes it likely that the OSX/CoinThief developers are simply using the names of legitimate apps to distribute the malware, and not tainting the legitimate apps.

“Disguised as an app to send and receive payments on Bitcoin Stealth Addresses, OSX/CoinThief.A instead acts as a dropper and installs browser extensions that monitor all web browsing traffic, looking specifically for login credentials for many popular Bitcoin websites, including MtGox and BTC-e, as well as Bitcoin wallet sites like blockchain.info,” the researchers siad.

“When login credentials are identified, such as when a user logs in to check their Bitcoin wallet balance, another component of the malware then sends the information back to a remote server run by the malware authors.”

Read More Here…