Mac "CookieMiner" Malware Aims to Gobble Crypto Funds

A newly-discovered malware is targeting Mac users’ web cookies and credentials in hopes of withdrawing funds on their cryptocurrency exchange accounts.

The malware, discovered this month and aptly named “CookieMiner,” collects cryptocurrency-related cookies – in addition to compromised credentials – and uses them to target exchanges, where cryptocurrencies can be traded for other assets, including other digital currencies.

Using these stolen clues, the bad actor behind the malware is able to sidestep any multifactor authentication security measures in place and purport to be the victim – with the aim of eventually siphoning their funds from their accounts.

“CookieMiner tries to navigate past the authentication process by stealing a combination of the login credentials, text messages and web cookies,” researchers at Palo Alto Networks’ Unit 42 group said in a Thursday report. “If the bad actors successfully enter the websites using the victim’s identity, they could perform fund withdrawals. This may be a more efficient way to generate profits than outright cryptocurrency mining.”

It should be noted that researchers have not yet seen evidence of the malware author successfully withdrawing funds from an account, but are instead speculating based on the behavior of the malware.

Researchers stressed that stealing cookies is an important step to bypassing login anomaly detection.

If a bad actor merely uses a username and password, the website may issue an alert and request additional authentication — but if an authentication cookie is also provided along with the username and password, the website might believe the session is associated with a previously authenticated system host.

Cookie-Snatching Malware

The CookieMiner attack begins with a shell script that targets MacOS users. Researchers said that they believe the malware has been developed from OSX.DarthMiner, a script known to target the Mac platform that combines the EmPyre backdoor (a Python post-exploitation agent built on cryptologically-secure communications and a flexible architecture) and the XMRig cryptominer. Similar to DarthMiner, Cookieminer attackers used EmPyre for post-exploitation control, allowing them to send commands to remotely control the victims’ machines.

Jen Miller-Osborn, deputy director of Threat Intelligence for Unit 42, told Threatpost that researchers are not certain how victims are first infected by the shell script, but they suspect victims download a malicious program from a third-party store.

Once downloaded, the shell script copies the Safari browsers’ cookies to a folder and uploads the folder to a remote server.

The attack targets cookies associated with cryptocurrency exchanges that include Binance, Coinbase, Poloniex, Bittrex, Bitstamp, MyEtherWallet and any website having “blockchain” in its domain name, researchers said.

“Best practice states cookies such as these should be time delimited, among other things, which keeps attacks abusing them from happening,” Miller-Osborn told Threatpost. “However, if an exchange is set up in a way for a cookie to persist for a long time or across sessions, this would conceivably work.”

Other Malicious Behavior

But that’s not all: The malware also performs an array of malicious functions when downloaded on victims’ systems. That includes stealing username, password and credit-card credentials in Chrome, snatching up text messages synced to the Mac, and installing coinmining software to mine cryptocurrency.

After collecting web cookies, the malware turns its attentions to victims’ credentials, which can be gathered to bypass the security authentication methods put forth by the cryptocurrency exchange.

CookieMiner downloads a Python script (called “harmlesslittlecode.py”) which can extract saved login credentials and credit-card information from Google Chrome’s local data storage. It does so through adopting decryption and extraction techniques from the code of Google Chromium, an open-source version of the Google Chrome browser, researchers said.

“By abusing these techniques, CookieMiner attempts to steal credit-card information from major issuers, such as Visa, Mastercard, American Express and Discover,” researchers said. “The user’s saved login credentials are also stolen, including usernames, passwords and the corresponding web URLs.”

Click to Expand.

In addition, CookieMiner steals private keys for cryptocurrency wallets on the system and iPhone text messages backed up on the Mac via iTunes.

Finally, the malware issues a series of commands to configure the victim’s machine to mine cryptocurrency and maintain persistence, including deploying a program under the filename “XMRig2” for mining cryptocurrency. The cryptocurrency mined is called Koto, which is a ZCash-based anonymous cryptocurrency.

But interestingly, the filename XMRig2 is usually used by Monero miners – researchers believe the malware authors may have intentionally used this filename to create confusion since the miner is actually mining the Koto cryptocurrency.

Researchers said that moving forward, cryptocurrency owners should keep an eye on their security settings and digital assets to prevent compromise and leakage.

“The malware ‘CookieMiner’ is intended to help threat actors generate profit by collecting credential information and mining cryptocurrency,” they said. “If attackers have all the needed information for the authentication process, the multi-factor authentication may be defeated.”