CookieMiner Malware Tries to Hack Mac Users’ Cryptocurrency Exchange Accounts

CookieMiner Malware

A new form of malware steals cookies from cryptocurrency exchanges and other data in an attempt to hack user accounts, cybersecurity research team Palo Alto Networks reported on Jan. 31.

CookieMiner, a development of OSX.DarthMiner, is a malware target Mac users, stealing saved Google Chrome passwords, iPhone SMS messages and iTunes backups on tethered machines and more.

A new malware threat that steals cryptocurrency on Macs and then uses their resources to mine for more has been identified by security research firm Palo Alto Networks. The threat, which has been named CookieMiner, intercepts browser cookies set by popular cryptocurrency exchanges and wallets, and can also steal passwords stored by Google Chrome. It can even go through iPhone backup files saved on a Mac and scan through a user’s text messages. Unit 42, the threat intelligence division of Palo Alto Networks which discovered the threat, believes that this could help the malware authors bypass a user’s two-factor security protections.

CookieMiner is believed to be based on a known malware called OSX.DarthMiner, which was documented by MalwareBytes in December 2018. Attackers who gain access to a user’s Chromepasswords, cookies and text messages could simply log in to their victims’ cryptocurrency wallets or exchanges and transfer all the money to themselves.

By leveraging the combination of stolen login credentials, web cookies, and SMS data, based on past attacks like this, we believe the bad actors could bypass multi-factor authentication for these sites.

If successful, the attackers would have full access to the victim’s exchange account and/or wallet and be able to use those funds as if they were the user themselves.

The malware also configures the system to load coin-mining software on the system. This software is made to look like an XMRig-type coin miner, which is used to mine Monero. In fact, though, it loads a coinminer that mines Koto, a lesser-known cryptocurrency that is associated with Japan.

Because of the way this malware attacks the cookies associated with exchanges, we have named this malware “CookieMiner”.

Along with the cookies, the goal of the malware is to gain access to cryptocurrency exchange accounts. According to Palo Alto, the hackers assume a combination of the stolen data would allow them to bypass the multi-layer authentication that many exchange users set up to provide additional security.

“If successful, the attackers would have full access to the victim’s exchange account and/or wallet and be able to use those funds as if they were the user themselves,” the firm summarized.
As its name suggests, the malware also installs cryptocurrency mining features.

The discovery is just the latest malware to seek out cryptocurrency users as its victims. As Cointelegraph has reported, multiple malicious entities have attempted to take advantage of lax security setups in order to compromise novice crypto traders.

Earlier this month, separate research claimed that around 4.5 percent of the circulating amount of altcoin Monero (XMR) had been mined using nefarious tactics.

“Cryptocurrency owners should keep an eye on their security settings and digital assets to prevent compromise and leakage,” Palo Alto concluded about CookieMiner.