Mac Malware Steals Cryptocurrency Exchanges’ Cookies (Jan 31, 2019)
Palo Alto Networks’ researchers have found a new strain of cryptocurrency mining malware that specifically targets macOS operating systems. The malware, dubbed “CookieMiner,” is a variant of the “OSX.DarthMiner” malware. The Malware initiates its attack with a shell script that targets macOS, and copies the Safari browser’s cookies to a folder and uploads those to a remote server. It also targets Google Chrome with a python script that extracts saved credentials and credit card information from Chrome’s local data storage. CookieMiner’s is capable of installing the “EmPyre” backdoor, mining cryptocurrency, in addition to stealing various forms of data. The data it aims to steal include: stealing cryptocurrency wallet data and keys, Google Chrome and Apple Safari browser cookies, iPhone’s text messages if backed up, saved credit card credentials in Chrome, and saved usernames and passwords in Chrome. The various forms of data the malware is capable of stealing may allow threat actors to bypass forms of multi-factor authentications. The malware mines for the “Koto” cryptocurrency which is associated with Japan specifically.
Recommendation: It is unclear how the CookieMiner malware is able to obtain initial access to a device or compromise a website’s cookies script. Cryptocurrency miners cause a high CPU usage, therefore, if fans seem to be always running on a machine, the activity/task manager should be checked to see if miners are running unknowingly. In addition, it is not uncommon for cryptocurrency mining malware to be distributed via malicious plugins/add-ons that impersonate legitimate software. Therefore, it is important that your employees are educated about such tactics and that policies regarding permitted software on work machines are in place.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.