CoinThief, a Bitcoin-stealing Trojan targeting Mac users, was discovered being offered on several download websites such as CNET’s Download.com and MacUpdate.com. It was also available masquerading as precompiled binaries in multiple GitHub projects.
The malware installs browser extensions for Safari and Google Chrome to monitor all web browsing traffic, specifically looking for login credentials for Bitcoin websites and Bitcoin wallets. Newer variants extend this to Firefox with a browser extension named “Pop-Up Blocker 1.0.0”. The malware is being distributed disguised as price tickers for Bitcoin (“Bitcoin Ticker TTM for Mac”) and Litecoin (“Litecoin Ticker”), which have been available on download.com since early December. According to the download stats, the malware has been downloaded 57 times.
“The malware is taking the place of the main binary in the trojanized versions of Bitcoin Ticker TTM and Litecoin Ticker, and is set up to run as an agent with a setting for LSUIElement in the Info.plist file. This makes it so the app doesn’t appear in the Dock. A copy of the real Bitcoin Ticker TTM/Litecoin Ticker main binary is hidden in the app bundle. The first time a user runs the trojanized version of Bitcoin Ticker TTM or Litecoin Ticker, the invisible malware program is launched instead.” – SecureMac researchers
“Then the malware program unpacks and installs its payload (a background process and web browser plugins), then moves the correct app binary for Bitcoin Ticker TTM/Litecoin Ticker back into place, and removes the LSUIElement entry from the app’s Info.plist file.
Later it launches the original Bitcoin Ticker TTM/Litecoin Ticker app, which is now back in the correct path for the app bundle, and the user is none the wiser that a piece of malware just installed itself on their system.”
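The quoted description gives a defender two bundle-level traits to triage on: an `LSUIElement` entry in `Info.plist` that hides the app from the Dock, and a second Mach-O binary stashed inside the bundle that is not the declared `CFBundleExecutable`. The script below is an added example, not code from this page or from SecureMac; it builds a constructed, throwaway `Ticker.app` bundle in a temporary directory (all names and paths are hypothetical) and then scans it for those two traits. `LSUIElement` is legitimately used by menu-bar apps, so the combination is a triage signal to investigate, not proof of infection on its own.

```python
#!/usr/bin/env python3
"""Triage an .app bundle for two traits described for trojanized ticker apps:
an LSUIElement entry in Info.plist plus an extra Mach-O binary hidden in the
bundle that is not the declared CFBundleExecutable.
Added example; the sample bundle it scans is constructed here, not real."""
import os
import plistlib
import tempfile

# Magic numbers for 32/64-bit Mach-O (both byte orders) and fat/universal files.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
}


def is_macho(path):
    """Return True if the file starts with a Mach-O or fat-binary magic."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False


def scan_bundle(app_path):
    """Inspect Contents/Info.plist and every file under Contents/ of a bundle."""
    contents = os.path.join(app_path, "Contents")
    with open(os.path.join(contents, "Info.plist"), "rb") as fh:
        info = plistlib.load(fh)
    declared = info.get("CFBundleExecutable")
    # LSUIElement may be stored as <true/>, <integer>1</integer> or <string>1</string>.
    hidden_from_dock = info.get("LSUIElement") in (True, 1, "1")
    extra_macho = []
    for root, _dirs, files in os.walk(contents):
        for name in files:
            full = os.path.join(root, name)
            if is_macho(full) and name != declared:
                extra_macho.append(os.path.relpath(full, app_path))
    return {
        "executable": declared,
        "ls_ui_element": hidden_from_dock,
        "extra_macho": sorted(extra_macho),
        # Both traits together is the pattern worth a closer look.
        "suspicious": hidden_from_dock and bool(extra_macho),
    }


def build_sample_bundle(root, trojanized):
    """Construct a minimal hypothetical Ticker.app; 'trojanized' adds both traits."""
    app = os.path.join(root, "Ticker.app")
    macos = os.path.join(app, "Contents", "MacOS")
    os.makedirs(macos)
    info = {"CFBundleExecutable": "Ticker", "CFBundleIdentifier": "example.ticker"}
    if trojanized:
        info["LSUIElement"] = True  # run as an agent, no Dock icon
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump(info, fh)
    fake_macho = b"\xcf\xfa\xed\xfe" + b"\x00" * 28  # constructed 64-bit LE header stub
    with open(os.path.join(macos, "Ticker"), "wb") as fh:
        fh.write(fake_macho)
    if trojanized:
        # The real app binary parked in a hidden directory inside the bundle.
        hidden_dir = os.path.join(app, "Contents", "Resources", ".orig")
        os.makedirs(hidden_dir)
        with open(os.path.join(hidden_dir, "Ticker.real"), "wb") as fh:
            fh.write(fake_macho)
    return app


def demo(trojanized):
    """Build a sample bundle in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_bundle(build_sample_bundle(tmp, trojanized))


if __name__ == "__main__":
    for flag in (True, False):
        print("trojanized" if flag else "clean", demo(flag))
```

To run this against a real bundle, call `scan_bundle("/Applications/SomeApp.app")` and follow up any hit by checking the code signature and comparing the extra binary's hash against the vendor's release.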
You can read more about the research from SecureMac.
Nicholas Ptacek – lead developer at SecureMac and developer of Bitcoin Ticker TTM – informed users on reddit that his original app was never open source and hence his app was never trojanized. The fraudsters are using his name to trick users into downloading the malware. He further requested users to download from Apple because, he says, that's the only place he can trust at this point.