Mac malware “CookieMiner” targets cryptocurrency users

By | February 1, 2019

In this article, Yue Chen, Cong Zheng, Wenjun Hu and Zhi Xu of Palo Alto Networks' Unit 42 discuss the technical details of new malware they discovered. This strain targets the Mac platform, and in particular users of cryptocurrencies such as Bitcoin, Litecoin and altcoins who use mainstream cryptocurrency exchanges such as Binance, Coinbase, Poloniex, Bittrex, Bitstamp, MyEtherWallet, or any website with "blockchain" in its name.

This malware is capable of stealing browser cookies associated with mainstream cryptocurrency exchanges and wallet service websites visited by the victims.

It also steals saved passwords in Chrome.

Finally, it seeks to steal iPhone text messages from iTunes backups on the tethered Mac.

Based on past attacks of this kind, we believe that by combining the stolen login credentials, web cookies and SMS data, the bad actors could bypass multi-factor authentication for these sites.

If successful, the attackers would have full access to the victim’s exchange account and/or wallet and be able to use those funds as if they were the user themselves.

The malware also configures the system to load coinmining software. This software is made to look like an XMRig-type coinminer, which is used to mine Monero. In fact, though, it loads a coinminer that mines Koto, a lesser-known cryptocurrency associated with Japan.

Because of the way this malware attacks the cookies associated with exchanges, we have named this malware “CookieMiner”.
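As an added example (not code from the Unit 42 article), the following Python detector takes the defender's view of the behaviour described above: it reads constructed endpoint file-access events and flags any process other than the browser or iTunes that opens the Chrome cookie or password database or an iPhone backup, escalating when a single process touches both the credential stores and the SMS-bearing backup, the combination the article says could defeat multi-factor authentication. The macOS paths, the event format and the process names are assumptions.

```python
import re
from collections import defaultdict

# Data stores the article says CookieMiner reads. The macOS locations below are
# assumed well-known paths, not values taken from the article.
SENSITIVE_STORES = {
    "browser_cookies": re.compile(r"/Google/Chrome/[^/]+/Cookies$"),
    "browser_passwords": re.compile(r"/Google/Chrome/[^/]+/Login Data$"),
    "iphone_backup": re.compile(r"/MobileSync/Backup/"),
}
# Processes expected to open their own stores; any other reader is suspicious (assumed names).
ALLOWED_READERS = {
    "browser_cookies": {"Google Chrome"},
    "browser_passwords": {"Google Chrome"},
    "iphone_backup": {"iTunes", "Finder", "AppleMobileBackup"},
}

def classify_path(path):
    """Return the sensitive-store label a path belongs to, or None."""
    for label, pattern in SENSITIVE_STORES.items():
        if pattern.search(path):
            return label
    return None

def parse_events(text):
    """Parse constructed 'pid|process|action|path' lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        pid, proc, action, path = line.split("|", 3)
        events.append({"pid": int(pid), "proc": proc, "action": action, "path": path})
    return events

def detect(events):
    """Collect unexpected reads per process; rate 'high' when credentials and SMS backup are both touched."""
    touched = defaultdict(set)
    for ev in events:
        label = classify_path(ev["path"])
        if label and ev["action"] == "open" and ev["proc"] not in ALLOWED_READERS[label]:
            touched[(ev["pid"], ev["proc"])].add(label)
    alerts = []
    for (pid, proc), labels in touched.items():
        credential_theft = bool(labels & {"browser_cookies", "browser_passwords"})
        severity = "high" if credential_theft and "iphone_backup" in labels else "medium"
        alerts.append({"pid": pid, "proc": proc, "stores": sorted(labels), "severity": severity})
    return alerts

# Constructed sample events: one legitimate browser read, one process reading all three stores,
# and one process reading only the backup.
SAMPLE_EVENTS = """\
412|Google Chrome|open|/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies
913|coinhelper|open|/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies
913|coinhelper|open|/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data
913|coinhelper|open|/Users/alice/Library/Application Support/MobileSync/Backup/3f2a/Manifest.db
777|backupcheck|open|/Users/alice/Library/Application Support/MobileSync/Backup/3f2a/Info.plist
"""

if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```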

Summary
Article Name
Mac Malware Steals Cryptocurrency Exchanges’ Cookies
Description
Palo Alto Networks’ Unit 42 recently discovered malware that we believe has been developed from OSX.DarthMiner, a malware known to target the Mac platform. This malware is capable of stealing browser cookies associated with mainstream cryptocurrency exchanges and wallet service websites visited by the victims. It also steals various other credentials and configures the system to load Koto coinmining software.
Author
Palo Alto Networks