Researchers have uncovered a new piece of malware targeting Macs that has the ability to steal a variety of information, including saved passwords, text messages, and cookies associated with cryptocurrency exchange sites. The malware also installs a cryptomining app on infected machines.
The recently discovered malware is known as CookieMiner, and researchers from Palo Alto Networks’ Unit 42 team found that in addition to its data-stealing capabilities it includes a full-featured backdoor that gives the attackers persistent access to the machine. But the major innovation in CookieMiner is its theft of browser cookies for cryptocurrency exchange sites, a feature that could allow the attackers to take over the victim’s authenticated sessions and withdraw funds from the victim’s accounts on those exchanges.
“Most modern cryptocurrency exchanges and online wallet services have multi-factor authentication. CookieMiner tries to navigate past the authentication process by stealing a combination of the login credentials, text messages, and web cookies. If the bad actors successfully enter the websites using the victim’s identity, they could perform fund withdrawals. This may be a more efficient way to generate profits than outright cryptocurrency mining,” wrote Yue Chen, Cong Zheng, Wenjun Hu and Zhi Xu in a post on the new malware.
“The CookieMiner attack begins with a shell script targeting MacOS. As shown in Figure 1, it copies the Safari browser’s cookies to a folder, and uploads it to a remote server (46.226.108[.]171:8000). The server hosts the service “curldrop”, which allows users to upload files with curl. The attack targets cookies associated with cryptocurrency exchanges that include Binance, Coinbase, Poloniex, Bittrex, Bitstamp, MyEtherWallet, and any website having ‘blockchain’ in its domain name.”
CookieMiner targets both the Safari and Chrome browsers and uses a variety of techniques to grab different types of data. Among the files the malware looks for are private keys for cryptocurrency wallets and backup files containing iPhone text messages. Some users back up their SMS messages and other data to their computers through iTunes rather than using iCloud, and CookieMiner will steal those backups if it finds them.
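The cookie-targeting rule the researchers describe (a fixed list of exchange domains plus any domain containing "blockchain") is easy to turn into a self-audit: run it over a browser cookie store and see which of your own sessions this family would have harvested. The following is an added example written for this article, not code from the Unit 42 report or from the malware. It assumes the second-level domains of the named exchanges (the report lists brands, not exact hostnames) and uses a constructed, in-memory SQLite table with Chrome-style `host_key`/`name` columns in place of a real Chrome `Cookies` file; matching is done on domain suffix rather than raw substring so that lookalike hosts do not produce false positives.

```python
import sqlite3
from typing import List, Tuple

# Second-level domains assumed for the exchanges named in the Unit 42 write-up.
TARGET_DOMAINS = {
    "binance.com",
    "coinbase.com",
    "poloniex.com",
    "bittrex.com",
    "bitstamp.net",
    "myetherwallet.com",
}


def is_targeted(host_key: str) -> bool:
    """Return True if a cookie host matches CookieMiner's stated target rule.

    Chrome stores domain cookies with a leading dot (".binance.com"); strip it
    before comparing. The 'blockchain' rule is a substring check because that is
    how the report describes it; the exchange list uses exact-or-subdomain
    matching so "bitstamp.net.evil.example" is not treated as bitstamp.net.
    """
    host = host_key.lstrip(".").lower()
    if "blockchain" in host:
        return True
    return any(host == d or host.endswith("." + d) for d in TARGET_DOMAINS)


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for Chrome's Cookies database (sample data, not real cookies)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cookies (host_key TEXT, name TEXT, is_secure INTEGER, is_httponly INTEGER)"
    )
    conn.executemany(
        "INSERT INTO cookies VALUES (?, ?, ?, ?)",
        [
            (".binance.com", "sessionid", 1, 1),
            ("www.coinbase.com", "logged_in", 1, 1),
            ("blockchain.info", "session", 1, 1),
            (".example.com", "prefs", 0, 0),
            # Lookalike suffix: must NOT be flagged by a correct suffix match.
            ("bitstamp.net.evil.example", "x", 0, 0),
        ],
    )
    return conn


def audit_cookies(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    """List (host, cookie name) pairs that CookieMiner's rule would collect."""
    rows = conn.execute("SELECT host_key, name FROM cookies").fetchall()
    return sorted((host, name) for host, name in rows if is_targeted(host))


if __name__ == "__main__":
    for host, name in audit_cookies(build_sample_db()):
        print(f"exposed session cookie: {name} for {host}")
```

To run this against a real profile, copy Chrome's `Cookies` SQLite file (the browser holds a lock on the live one) and pass a connection to that copy to `audit_cookies`; any hit is a session worth logging out of and re-establishing after a clean-up, since a stolen cookie sidesteps the password and second factor entirely.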
Another piece of the puzzle is the small cryptocurrency mining program that CookieMiner installs. The program, called xmrig2, doesn’t mine Bitcoin or Monero, but rather a lesser-known cryptocurrency used mainly in Japan.
“The program xmrig2 is a Mach-O executable for mining cryptocurrency. The cryptocurrency mined is called Koto, which is a Zcash-based anonymous cryptocurrency,” the researchers said.
The miner is also built to run on CPUs rather than GPUs, even though GPUs are more powerful and are what dedicated mining rigs typically use.
“This is ideal for malware as the victim hosts are not guaranteed to have discrete GPUs installed in them but are guaranteed to have a CPU available. However, the filename xmrig2 is usually used by Monero miners. We believe the malware authors may have intentionally used this filename to create confusion since the miner is actually mining the Koto cryptocurrency,” the Unit 42 researchers said.