In this article, Yue Chen, Cong Zheng, Wenjun Hu and Zhi Xu of Palo Alto Networks’ Unit 42 discuss the technical details of new malware discovered by Unit 42. This strain targets the Mac platform in particular, and users of cryptocurrencies such as Bitcoin, Litecoin and other altcoins who use mainstream cryptocurrency exchanges and wallet services such as Binance, Coinbase, Poloniex, Bittrex, Bitstamp, MyEtherWallet, and any website with “blockchain” in its name.
This malware is capable of stealing browser cookies associated with mainstream cryptocurrency exchanges and wallet service websites visited by the victims.
It also steals saved passwords in Chrome.
Finally, it seeks to steal iPhone text messages from iTunes backups on the tethered Mac.
By leveraging the combination of stolen login credentials, web cookies, and SMS data, based on past attacks like this, we believe the bad actors could bypass multi-factor authentication for these sites.
If successful, the attackers would have full access to the victim’s exchange account and/or wallet and be able to use those funds as if they were the user themselves.
The malware also configures the system to load coinmining software. This software is made to look like an XMRig-type coinminer, which is used to mine Monero. In fact, though, it loads a coinminer that mines Koto, a lesser-known cryptocurrency associated with Japan.
Because of the way this malware attacks the cookies associated with exchanges, we have named this malware “CookieMiner”.