MacOS Malware Targets Bitcoin, Exodus Cryptowallets

The malware substitutes genuine apps with compromised versions, enabling attackers to pilfer credentials and recovery phrases, thus gaining access to wallets and their contents.

3 Min Read
a bunch of bitcoins laying on internal hardware
Source: Nikolay Vinokurov via Alamy Stock Photo

Fresh malware targeting Apple users in the US and Germany is infecting Bitcoin and Exodus cryptowallet applications with a Trojan distributed through pirated software, according to Kaspersky researchers.

The malware is delivered via cracked applications and can replace Exodus and Bitcoin cryptowallet applications installed on the user's machine with infected versions that steal secret recovery phrases after the wallet is unlocked.

The report, issued this week, noted the attackers use DNS TXT records to deliver an encrypted Python script to their victims as the second stage of infection.

"The wallet application replacement process is straightforward because, at this stage, the malware already has root access to the computer, granted during the first stage of infection," explains Sergey Puzan, security expert at Kaspersky.

The malware simply removes the old application from the "/Applications/" directory and replaces it with a new, malicious one. After installation and the patching process, the applications become operational, and the user is unaware of the malware running in the background.

When users launch these compromised wallet applications, the malware sends data, including seed phrases or wallet passwords, to a command-and-control (C2) server controlled by the attackers.

This can result in the attackers having full control of a victim's digital wallet.

"We don't know why the malware specifically targets 'fresh' macOS versions, but it appears this campaign was still in the development process," Puzan says. "We managed to receive functionality updates for the final stage backdoor but received no commands from the server."

He added there are no specific reasons why attackers focus on macOS 13.6 (Ventura) and higher.

"The only reason malicious actors use cracked versions of applications is to lower the user's guard and prompt them to enter the admin password, thereby granting root access to the malicious process," Puzan explains.

He says the form protection from such threats is to avoid downloading any cracked or modified applications, even from well-known and trusted sources.

"While this isn't a foolproof method, it significantly reduces the chances of compromise," Puzan says. 

John Bambenek, president at Bambenek Consulting, says while the use of pirated applications as a vehicle for malware isn't a particularly new technique, the selection of macOSX applications with functionality to steal cryptocurrency wallets is unique.  

"As the security to prevent stealing cryptocurrency relies on the privacy of the private wallet key and passphrase, stealing both means the attacker can immediately monetize the victim," he explains.

Evolving Threats to Cryptocurrency Wallets 

In 2023, there were numerous malicious campaigns targeting cryptocurrency wallet owners, but the Kaspersky findings indicate that some attackers are now going to greater lengths to ensure they access the contents of their victims' crypto wallets while remaining undetected for as long as possible.

"While it's challenging to predict the threats we'll face in 2024, the increasing popularity of cryptocurrencies is attracting heightened criminal activity," Puzan says. 

Adam Neel, threat detection engineer at Critical Start, notes that malicious actors are adapting their techniques to take advantage of cryptocurrency users' behaviors and preferences.

"They use social engineering tactics, such as offering pirated software, to lure victims into downloading malware," he says. "The malware's ability to replace legitimate wallet applications and continue operating even when the C2 server is unresponsive demonstrates a level of persistence that can be challenging for users to detect and remove."

Bambenek notes many of the OS-provided protections needed to be explicitly disabled to get these applications on the system in the first place, so the biggest defense mechanism is to avoid pirated software and source applications only from the official app store.

"For those users who still want pirated applications, they should keep cryptocurrency applications and their private wallets on secure machines that do not have such software downloaded and installed on it," he says. 

Neel says users must continue to take precautions, especially when storing large amounts of digital currency.

"Cryptocurrency remains an attractive target for cyber criminals, so malicious actors will be motivated to advance their behaviors and technology," he says. 

About the Author(s)

Nathan Eddy, Contributing Writer

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights