Mac users need to beware of a newly discovered piece of malware that steals their web browser cookies and credentials in an attempt to withdraw funds from their cryptocurrency exchange accounts.
Dubbed CookieMiner due to its capability of stealing cookies related to cryptocurrency exchanges, the malware has been specifically designed to target Mac users and is believed to be based on DarthMiner, another Mac malware that was detected in December last year.
Uncovered by Palo Alto Networks' Unit 42 security research team, CookieMiner also covertly installs coin mining software onto the infected Mac machines to secretly mine for additional cryptocurrency by consuming the targeted Mac's system resources.
In the case of CookieMiner, the software is apparently geared toward mining "Koto," a lesser-known, privacy-oriented cryptocurrency which is mostly used in Japan.
However, the most interesting capability of the new Mac malware is its ability to steal:
- Both Google Chrome and Apple Safari browser cookies associated with popular cryptocurrency exchanges and wallet service websites.
- Usernames, passwords and credit card information saved in the Chrome web browser.
- Cryptocurrency wallet data and keys.
- Victims' iPhone text messages stored in iTunes backups.
By leveraging the combination of stolen login credentials, web cookies, and SMS data, it would be possible for an attacker to even bypass two-factor authentication for exchange sites and steal cryptocurrencies from the victim's accounts and wallets.
It should be noted that researchers have not yet found any evidence of the attackers successfully withdrawing funds from any user's wallet or account, but are speculating based on the malware's behavior.
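To make the point in the preceding paragraphs concrete from a defender's perspective, the following is an added example (not code from the article, from Unit 42, or from any exchange) that models an exchange's session handling in memory. A session cookie issued after a successful password-plus-second-factor login is, on its own, a bearer token: whoever presents it is treated as the user, so the second factor checked at login is never re-checked. The hardened configuration adds two controls that this attack pattern motivates: binding the session to the client it was issued to, and requiring a fresh second-factor step-up for withdrawals. All user names, secrets and fingerprints are constructed.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user: str
    fingerprint: str  # attribute of the client the cookie was issued to (constructed)


class ToyExchange:
    """In-memory model of an exchange's session handling (constructed, not a real system)."""

    def __init__(self, bind_sessions: bool, step_up_on_withdraw: bool):
        self.bind_sessions = bind_sessions
        self.step_up_on_withdraw = step_up_on_withdraw
        # Constructed user record; a real system would store a password hash and a TOTP seed.
        self.users = {"alice": {"password": "correct horse", "otp": "123456"}}
        self.sessions: dict[str, Session] = {}

    def _second_factor_ok(self, user: str, otp: Optional[str]) -> bool:
        # Stand-in for a real one-time-code check; constant-time compare on purpose.
        rec = self.users.get(user)
        if rec is None or otp is None:
            return False
        return hmac.compare_digest(rec["otp"].encode(), otp.encode())

    def login(self, user: str, password: str, otp: str, fingerprint: str) -> Optional[str]:
        """Password + second factor at login; on success, issue a random session cookie."""
        rec = self.users.get(user)
        if rec is None:
            return None
        if not hmac.compare_digest(rec["password"].encode(), password.encode()):
            return None
        if not self._second_factor_ok(user, otp):
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = Session(user, fingerprint)
        return cookie

    def _resolve(self, cookie: str, fingerprint: str) -> Optional[Session]:
        s = self.sessions.get(cookie)
        if s is None:
            return None
        # Hardened variant: a cookie presented from a different client is rejected.
        if self.bind_sessions and not hmac.compare_digest(
            s.fingerprint.encode(), fingerprint.encode()
        ):
            return None
        return s

    def view_balance(self, cookie: str, fingerprint: str) -> str:
        return "ok" if self._resolve(cookie, fingerprint) else "denied"

    def withdraw(self, cookie: str, fingerprint: str, otp: Optional[str] = None) -> str:
        s = self._resolve(cookie, fingerprint)
        if s is None:
            return "denied"
        # Hardened variant: a sensitive action needs a fresh second factor, not just the cookie.
        if self.step_up_on_withdraw and not self._second_factor_ok(s.user, otp):
            return "denied"
        return "ok"


def demo() -> dict:
    """Replay a session cookie, taken from the victim's browser, against both configurations."""
    results = {}

    # Weak: the cookie alone proves identity, so the second factor checked at
    # login is never re-checked and the cookie works from any machine.
    weak = ToyExchange(bind_sessions=False, step_up_on_withdraw=False)
    cookie = weak.login("alice", "correct horse", "123456", fingerprint="victim-mac")
    results["weak_replay_withdraw"] = weak.withdraw(cookie, fingerprint="attacker-box")

    # Hardened: binding plus step-up. The replayed cookie is refused from another
    # client, and even from the original client a withdrawal needs a current code.
    hard = ToyExchange(bind_sessions=True, step_up_on_withdraw=True)
    cookie = hard.login("alice", "correct horse", "123456", fingerprint="victim-mac")
    results["hard_replay_view_balance"] = hard.view_balance(cookie, "attacker-box")
    results["hard_replay_withdraw"] = hard.withdraw(cookie, "attacker-box")
    results["hard_no_step_up"] = hard.withdraw(cookie, "victim-mac")
    results["hard_legit_withdraw"] = hard.withdraw(cookie, "victim-mac", otp="123456")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Client binding is a heuristic: malware running on the victim's own machine can act from there, and fingerprints are not secrets. The control that matters for the scenario described above is the step-up, and its strength depends on the second factor: a code delivered by SMS is exactly what theft of iTunes message backups undermines, whereas an authenticator app or hardware token is not exposed by stolen cookies, saved passwords or backed-up texts.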
What's more, CookieMiner also uses the EmPyre backdoor for post-exploitation control, allowing attackers to send commands to the infected Mac computers remotely.
EmPyre is a Python post-exploitation agent that checks whether the Little Snitch application firewall is running on the victim's machine; if it is, the agent stops and exits. The agent can also be configured to download additional files.