CookieMiner targets Mac users to steal from cryptocurrency wallets

• CookieMiner which targets Mac users to steal the contents of cryptocurrency wallets, also plants a cryptojacker in the infected Mac OSX machine.
• The targeted cryptocurrency exchanges include Binance, Coinbase, Poloniex, Bittrex, Bitstamp, and MyEtherWallet.

The newly discovered Mac malware dubbed as CookieMiner targets Mac users to steal the contents of cryptocurrency wallets. Researchers named the malware as CookieMiner because of its ability to steal browser cookies associated with cryptocurrency exchanges and wallet service sites visited by the victim.

The targeted cryptocurrency exchanges include Binance, Coinbase, Poloniex, Bittrex, Mitstamp, and MyEtherWallet.

Planting a cryptojacker

Researchers from Palo Alto Networks discovered the new Mac malware that steals contents of the Cryptocurrency wallets.

They noted that apart from stealing and trading the contents of the cryptocurrency wallets, the malware also plants a cryptojacker in the infected Mac OSX machine. This facilitates the attackers to secretly mine for the additional digital currency. Researchers noted that in this instance, it's Koto, that offers users anonymity and is widely used in Japan.

How CookieMiner gains access to systems remains unknown currently, however, once it gains access to systems, it examines browser cookies with links to cryptocurrency exchanges and wallet service websites.

CookieMiner steals Chrome browser cookies and iPhone text messages

CookieMiner also steals Google Chrome browser cookies from the infected Mac OSX machine. The Mac malware can also steal iPhone text messages from iTunes backups on the tethered Mac.

“By leveraging the combination of stolen login credentials, web cookies, and SMS data, based on past attacks like this, we believe the bad actors could bypass multi-factor authentication for these sites. If successful, the attackers would have full access to the victim’s exchange account and/or wallet and be able to use those funds as if they were the user themselves,” Researchers from Palo Alto Network explained in a blog.

Researchers explained that CookieMiner steals Google Chrome and Apple Safari browser cookies from the victim's machine and uploads them to a folder on a remote server using a ShellScript. By doing so the malware can extract the login credentials and the browser cookies required to pretend that a new login attempt is coming from the victim’s machine.

“What it wants to do in combination with credentials which it's harvested is impersonate that user from their own system, so they use the cookies to try and get past that initial login without suspicion,” Alex Hinchliffe, a threat intelligence analyst at Palo Alto Networks told ZDNet.

“If the adversary gets access to someone's account on the exchange, they can buy and sell cryptocurrency. Buying and selling a lot could change the price of the cryptocurrency, in which case they can use it to profit,” Hinchliffe added.

CookieMiner’s capabilities

The new Mac malware’s capabilities include,

• Stealing Google Chrome and Apple Safari browser cookies
• Stealing saved login credentials and credit card credentials in Chrome
• Stealing iPhone text messages if backed up to Mac
• Stealing data and keys of Cryptocurrency wallets
• Mining cryptocurrency on the victim's machine
• Gaining full control of the victim using EmPyre backdoor

Researchers further noted that CookieMiner also drops a script for persistence and remote control of the infected machine, allowing them to check-in on the machine and send commands.

“Cryptocurrency owners should keep an eye on their security settings and digital assets to prevent compromise and leakage,” Palo Alto Researchers concluded.