educational

Hackers Set Sights on Bitcoin-Stealing Malware

As if the world of bitcoin and its copycats was not cloudy enough, criminal hackers are now targeting bitcoin and other cryptocurrency users via malware injections that can (and have) resulted in the loss of the user’s coins.

While the more rabid of cryptocurrency supporters will likely dismiss these reports as they do all bad news surrounding their choice to use these technologies, even Bitcoin.org emphasizes that its users should take the time to inform themselves before using bitcoins “for any serious transaction.”

The web browsers are tricked into thinking that the user intentionally installed the extensions, and give no warning to the user that their web browsing traffic is now being monitored by the malicious extensions.

“Bitcoin should be treated with the same care as your regular wallet, or even more in some cases,” states the Bitcoin.org website. “Bitcoin makes it possible to transfer value anywhere in a very easy way and it allows you to be in control of your money. Such great features also come with great security concerns.”

One underreported “great security concern” is the OSX/CoinThief Mac Trojan.

According to SecureMac’s Nicholas Raba, the company recently discovered a new Trojan known as OSX/CoinThief.A that effectively targets Mac OSX-based computers by spying on all of a user’s web traffic in order to steal any bitcoins that user has.

“This malware has been found in the wild, and there are multiple user reports of stolen bitcoins,” Raba revealed. “The malware, which comes disguised as an app to send and receive payments on Bitcoin Stealth Addresses, instead covertly monitors all web browsing traffic in order to steal login credentials for bitcoin wallets.”

At the forefront of Apple system security since 1999, SecureMac strives to make Mac users’ computer experience secure and trouble free, via its security and privacy software offerings, MacScan and PrivacyScan.

The company offers an interesting report detailing how the CoinThief malware is initially installed on infected systems, along with data on how it disguises its behavior.

“The malware is taking the place of the main binary in the Trojanized versions of Bitcoin Ticker TTM and Litecoin Ticker, and is set up to run as an agent with a setting for LSUIElement in the Info.plist file. This makes it so the app doesn’t appear in the Dock,” states the SecureMac report. “A copy of the real Bitcoin Ticker TTM/Litecoin Ticker main binary is hidden in the app bundle [so] the first time a user runs the Trojanized version of Bitcoin Ticker TTM or Litecoin Ticker the invisible malware program is launched instead.”

CoinThief is as subtle as it is sophisticated — leaving victims unaware of the attack until they discovered their bitcoins or litecoins were missing — and unrecoverable.

“At run time, the malware program unpacks and installs its payload (the background process and web browser plugins), then moves the correct app binary for Bitcoin Ticker TTM/Litecoin Ticker back into place, and removes the LSUIElement entry from the app’s Info.plist file,” the report explains. “It then launches the original Bitcoin Ticker TTM/Litecoin Ticker app, which is now back in the correct path for the app bundle, and the user is none the wiser that a piece of malware just installed itself on their system.”

Although SecureMac notes that Apple was quick to update XProtect to defend against the two known variants of OSX/CoinThief, it is interesting that Mac rather than Windows users were targeted. Also of significant interest is the vehicle for the attack — where this malware was spread via CNET’s Download.com as well as through MacUpdate.com — two ostensibly “safe” sources for software, from which victims downloaded what they thought were price tickers for the bitcoin and litecoin cryptocurrencies.

The latest version of OSX/CoinThief also included a browser extension for Firefox, which was no doubt popular with power users believing they were ahead of the game — but don’t take that as a bash against the Mozilla folks, as earlier OSX/CoinThief versions already included malicious browser extensions for Apple’s Safari and Google’s Chrome web browsers — all of which are automatically installed without alerting the user.

“The browser extensions were given the generic name of ‘Pop-Up Blocker’ and show a similarly generic description of ‘Blocks pop-up windows and other annoyances,’” the SecureMac report explains. “The malware additionally checks to see if various security programs or code development tools are present on infected systems, which is sometimes done in an attempt to block security researchers from analyzing a piece of malware.”

The report notes that these are only some of the steps taken by malware authors to disguise their payload from casual analysis, leading to greater infection rates.

“The web browsers are tricked into thinking that the user intentionally installed the extensions, and give no warning to the user that their web browsing traffic is now being monitored by the malicious extensions,” the SecureMac report states. “[These] browser extensions look specifically for login credentials for many popular bitcoin websites as well as bitcoin wallet sites such as blockchain.info [and] when login credentials are identified, such as when a user logs in to check their bitcoin wallet balance, another component of the malware then sends that information back to a remote server run by the malware authors.”

This connection with the creators is a two-way street, as OSX/CoinThief can both send as well as receive commands and information from a remote server, which includes the ability to update itself to the newest version — and this exchange of information isn’t limited to the user’s bitcoin login credentials, but according to SecureMac also includes the username and UUID (unique identifier) for the infected Mac, as well as revealing the presence of a variety of bitcoin-related apps on the system for further targeting of users.

Download.com and MacUpdate.com are only the newest sources of OSX/CoinThief to be discovered, however, with SecureMac previously reporting on its spread through a GitHub download of the StealthBit app. The BitVanity malware also spread via GitHub.

GitHub is a popular repository for open source code that is trusted by web developers, but SecureMac found that the precompiled version of the StealthBit app available on the site did not match a copy generated from the source code, due to its malicious payload. This infected the systems of users who downloaded and ran the precompiled version of StealthBit — resulting in attacks causing the reported loss of significant bitcoin stashes.

Consider this carefully: the services and tools that many cryptocurrency users employ in hopes of securing and trading their coins are actually putting them at risk of easy theft.

As for who is responsible for the OSX/CoinThief attacks, SecureMac notes that the two variants it has seen share the same name and developer information as two apps found in Apple’s Mac App Store, but that an initial analysis of Mac App Store versions did not include the malicious payload found in the version available from Download.com and that it is unclear if there are other variants of OSX/CoinThief being distributed under different names or on other download sites; with more details to be revealed as available.

Related:  

Copyright © 2024 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.

More Articles

opinion

Best Practices for Payment Gateway Security

Securing digital payment transactions is critical for all businesses, but especially those in high-risk industries. Payment gateways are a core component of the digital payment ecosystem, and therefore must follow best practices to keep customer data safe.

Jonathan Corona ·
opinion

Ready for New Visa Acquirer Changes?

Next spring, Visa will roll out the U.S. version of its new Visa Acquirer Monitoring Program (VAMP), which goes into effect April 1, 2025. This follows Visa Europe, which rolled out VAMP back in June. VAMP charts a new path for acquirers to manage fraud and chargeback ratios.

Cathy Beardsley ·
opinion

How to Halt Hackers as Fraud Attacks Rise

For hackers, it’s often a game of trial and error. Bad actors will perform enumeration and account testing, repeating the same test on a system to look for vulnerabilities — and if you are not equipped with the proper tools, your merchant account could be the next target.

Cathy Beardsley ·
profile

VerifyMy Seeks to Provide Frictionless Online Safety, Compliance Solutions

Before founding VerifyMy, Ryan Shaw was simply looking for an age verification solution for his previous business. The ones he found, however, were too expensive, too difficult to integrate with, or failed to take into account the needs of either the businesses implementing them or the end users who would be required to interact with them.

Alejandro Freixes ·
opinion

How Adult Website Operators Can Cash in on the 'Interchange' Class Action

The Payment Card Interchange Fee Settlement resulted from a landmark antitrust lawsuit involving Visa, Mastercard and several major banks. The case centered around the interchange fees charged to merchants for processing credit and debit card transactions. These fees are set by card networks and are paid by merchants to the banks that issue the cards.

Jonathan Corona ·
opinion

It's Time to Rock the Vote and Make Your Voice Heard

When I worked to defeat California’s Proposition 60 in 2016, our opposition campaign was outspent nearly 10 to 1. Nevertheless, our community came together and garnered enough support and awareness to defeat that harmful, misguided piece of proposed legislation — by more than a million votes.

Siouxsie Q ·
opinion

Staying Compliant to Avoid the Takedown Shakedown

Dealing with complaints is an everyday part of doing business — and a crucial one, since not dealing with them properly can haunt your business in multiple ways. Card brand regulations require every merchant doing business online to have in place a complaint process for reporting content that may be illegal or that violates the card brand rules.

Cathy Beardsley ·
profile

WIA Profile: Patricia Ucros

Born in Bogota, Colombia, Ucros graduated from college with a degree in education. She spent three years teaching third grade, which she enjoyed a lot, before heeding her father’s advice and moving to South Florida.

Women In Adult ·
opinion

Creating Payment Redundancies to Maximize Payout Uptime

During the global CrowdStrike outage that took place toward the end of July, a flawed software update brought air travel and electronic commerce to a grinding halt worldwide. This dramatically underscores the importance of having a backup plan in place for critical infrastructure.

Jonathan Corona ·
opinion

The Need for Minimal Friction in Age Verification Technology

In the adult sector, robust age assurance, comprised of age verification and age estimation methods, is critical to ensuring legal compliance with ever-evolving regulations, safeguarding minors from inappropriate content and protecting the privacy of adults wishing to view adult content.

Gavin Worrall ·
Show More