Just two weeks ago, we reported that a new trojan called CoinThief was stealing thousands of dollars worth of Bitcoin from Mac users. One unfortunate reddit user lost 20 BTC (~$11,340 at the time of this post) due to the malware. CoinThief spread through cryptocurrency-related applications such as Bitcoin Ticker TTM (To The Moon), Litecoin Ticker, BitVanity, and StealthBit. However, security firm ESET has discovered that the trojan is now masquerading as cracked versions of popular Mac applications, including Angry Birds, Pixelmator, BBEdit, and Delicious Library. According to ESET,
“There is clearly strong evidence that the trojan was specifically designed to profit from the current Bitcoin craze and fluctuating exchange rates.
According to detection statistics gathered by the ESET LiveGrid, the threat is mostly active amongst Mac users based in the United States.”
In case you’re not familiar with the malware, CoinThief installs a rogue browser extension that watches for visits to popular Bitcoin exchanges and wallets, such as BTC-E and Blockchain respectively. CoinThief also installs a background application that acts as a keylogger, capturing login credentials and sending them to a remote server. This makes it very easy for the malware author(s) to steal Bitcoins, since users unwittingly hand over their account credentials for Bitcoin exchanges and wallets.
Detecting and removing CoinThief is not too difficult, and instructions can be found here. If you’re interested in exactly how CoinThief works at the code level, check out this analysis at Reverse Engineering Mac OS X. And finally, this should go without saying, but if you want to avoid CoinThief (and other types of malware), avoid pirated software. Official Mac App Store versions of apps like Angry Birds and Pixelmator obviously don’t come bundled with CoinThief. And anyway, if you can spend over $1000 on a Mac, you can surely afford a $5 game.