MacOS Malware Targets Bitcoin, Exodus Cryptowallets

The malware substitutes genuine apps with compromised versions, enabling attackers to pilfer credentials and recovery phrases, thus gaining access to wallets and their contents.

Fresh malware targeting Apple users in the US and Germany is infecting Bitcoin and Exodus cryptowallet applications with a Trojan distributed through pirated software, according to Kaspersky researchers.
The malware is delivered via cracked applications and can replace Exodus and Bitcoin cryptowallet applications installed on the users machine with infected versions that steal secret recovery phrases after the wallet is unlocked.
The report, issued this week,
noted
the attackers use DNS TXT records to deliver an encrypted Python script to their victims as the second stage of infection.
The wallet application replacement process is straightforward because, at this stage, the malware already has root access to the computer, granted during the first stage of infection, explains Sergey Puzan, security expert at Kaspersky.
The malware simply removes the old application from the /Applications/ directory and replaces it with a new, malicious one. After installation and the patching process, the applications become operational, and the user is unaware of the malware running in the background.
When users launch these compromised wallet applications, the malware sends data, including seed phrases or wallet passwords, to a command-and-control (C2) server controlled by the attackers.
This can result in the attackers having full control of a victims digital wallet.
We dont know why the malware specifically targets fresh macOS versions, but it appears this campaign was still in the development process, Puzan says. We managed to receive functionality updates for the final stage backdoor but received no commands from the server.
He added there are no specific reasons why attackers focus on macOS 13.6 (Ventura) and higher.
The only reason malicious actors use cracked versions of applications is to lower the users guard and prompt them to enter the admin password, thereby granting root access to the malicious process, Puzan explains.
He says the form protection from such threats is to avoid downloading any cracked or modified applications, even from well-known and trusted sources.
While this isnt a foolproof method, it significantly reduces the chances of compromise, Puzan says.
John Bambenek, president at Bambenek Consulting, says while the use of pirated applications as a vehicle for malware isnt a particularly new technique, the selection of macOSX applications with functionality to steal cryptocurrency wallets is unique.
As the security to prevent stealing cryptocurrency relies on the privacy of the private wallet key and passphrase, stealing both means the attacker can immediately monetize the victim, he explains.
In 2023, there were numerous malicious campaigns targeting cryptocurrency wallet owners, but the Kaspersky findings indicate that some attackers are now going to greater lengths to ensure they access the contents of their victims crypto wallets while remaining undetected for as long as possible.
While its challenging to predict the threats well face in 2024, the increasing popularity of cryptocurrencies is attracting heightened criminal activity, Puzan says.
Adam Neel, threat detection engineer at Critical Start, notes that malicious actors are adapting their techniques to take advantage of cryptocurrency users behaviors and preferences.
They use social engineering tactics, such as offering pirated software, to lure victims into downloading malware, he says. The malwares ability to replace legitimate wallet applications and continue operating even when the C2 server is unresponsive demonstrates a level of persistence that can be challenging for users to detect and remove.
Bambenek notes many of the OS-provided protections needed to be explicitly disabled to get these applications on the system in the first place, so the biggest defense mechanism is to avoid pirated software and source applications only from the official app store.
For those users who still want pirated applications, they should keep cryptocurrency applications and their private wallets on secure machines that do not have such software downloaded and installed on it, he says.
Neel says users must continue to take precautions, especially when storing large amounts of digital currency.
Cryptocurrency remains an attractive target for cyber criminals, so malicious actors will be motivated to advance their behaviors and technology, he says.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
MacOS Malware Targets Bitcoin, Exodus Cryptowallets