New Mac Malware Snatches Browser Cookies to Mine and Swipe Cryptocurrency

The world of cryptocurrency is rife with data-stealing tactics, such as Ponzi schemes, phishing sites, malware and so-called giveaways, that are used to carry out a variety of hacking and theft operations. One such malware program was recently discovered by Unit 42, the global threat intelligence team at Palo Alto Networks.

This new malware is based on OSX.DarthMiner, a malware family known to target the Mac platform. It can steal information associated with cryptocurrency exchanges and wallets from the Chrome or Safari web browsers, and it also installs a cryptocurrency mining app on infected machines.

The newly discovered malware is known as CookieMiner and is designed to target Mac users by performing a variety of actions related to cryptocurrency mining and theft. The researchers at Palo Alto Networks’ Unit 42 said that the malware is capable of stealing Safari or Chrome cookies associated with mainstream cryptocurrency exchanges and wallet service websites visited by the victims.

In addition to that, it also steals saved user names, passwords and credit card details on Chrome. CookieMiner also attempts to steal iPhone text messages from iTunes backups on the tethered Mac, which according to Unit 42 researchers, could be used to bypass two-factor authentication (2FA) for cryptocurrency exchanges to steal users’ funds.

The researchers explained:

“Most modern cryptocurrency exchanges and online wallet services have multi-factor authentication. CookieMiner tries to navigate past the authentication process by stealing a combination of the login credentials, text messages, and web cookies. If the bad actors successfully enter the websites using the victim’s identity, they could perform fund withdrawals. This may be a more efficient way to generate profits than outright cryptocurrency mining.”

Things do not stop there. The Mac malware found by Unit 42 also includes a full-featured backdoor that gives the attackers ongoing access to the victim’s machine. This allows CookieMiner to install and load a small cryptocurrency mining program called “xmrig2.”

“The program xmrig2 is a Mach-O executable for mining cryptocurrency. The cryptocurrency mined is called Koto, which is a Zcash-based anonymous cryptocurrency,” the researchers said.

Surprisingly, xmrig2 is not programmed to mine Bitcoin or any other popular cryptocurrency, but rather a lesser-known cryptocurrency called “Koto,” used primarily in Japan.

“This is ideal for malware as the victim hosts are not guaranteed to have discrete GPUs installed in them but are guaranteed to have a CPU available. However, the filename xmrig2 is usually used by Monero miners. We believe the malware authors may have intentionally used this filename to create confusion since the miner is actually mining the Koto cryptocurrency,” concluded Unit 42 researchers.