OSX malware can steal crypto currency


A new strain of malware has been found that targets Mac users' web cookies and credentials. The malware, discovered this month and aptly named CookieMiner, collects cryptocurrency-related cookies and compromised credentials. It uses the harvested information to target exchanges, where cryptocurrencies can be traded for other assets, including other digital currencies. The hackers behind the malware are able to sidestep multi-factor authentication security measures and eventually steal funds from the victims' accounts.

CookieMiner tries to bypass the authentication process by stealing a combination of login credentials, text messages and web cookies. Once the hackers gain access to the websites, they may be able to transfer funds, which may be a more efficient way to generate profit than outright cryptocurrency mining. There hasn't been any evidence of funds successfully being withdrawn from an account yet. Researchers point out that stealing cookies is an important step in bypassing login anomaly detection. In a scenario where the hacker enters only a username and password, the website may issue an alert and request additional authentication; but if a valid authentication cookie is sent along with the username and password, the website may believe the session belongs to a host that has already been authenticated.


CookieMiner begins with a shell script that targets macOS users. Researchers believe the malware was developed from OSX.DarthMiner, a script known to target the Mac platform that combines the EmPyre backdoor and the XMRig cryptominer. As with DarthMiner, the CookieMiner attackers used EmPyre for post-exploitation control, allowing them to send commands that remotely control the victims' machines. Researchers aren't certain how victims get infected by the shell script, but suspect that victims download a malicious program from a third-party store. Once downloaded, the shell script copies the Safari browser's cookies to a folder and uploads the folder to a remote server. The attack targets cookies associated with cryptocurrency exchanges including Binance, Coinbase, Poloniex, Bittrex, Bitstamp and MyEtherWallet, as well as any website with "blockchain" in its domain name.

The malware also steals usernames, passwords and credit card details saved in Chrome, steals text messages synced to the Mac, and installs coin mining software to mine cryptocurrency. CookieMiner downloads a Python script called harmlesslittlecode.py which can extract saved login credentials and credit card information from Google Chrome's local data storage. It does this by adopting decryption and extraction techniques from the code of Google Chromium, the open-source version of the Google Chrome browser.

CookieMiner also steals private keys for cryptocurrency wallets on the system and iPhone text messages backed up to the Mac through iTunes. The malware issues commands that configure the victim's machine to mine cryptocurrency by installing a program under the filename XMRig2. The cryptocurrency mined is called Koto, a ZCash-based anonymous cryptocurrency.

Best practice states that cookies such as these should be time-limited, among other things, which prevents attacks that abuse them. However, if an exchange is set up so that a cookie persists for a long time or across sessions, this attack would conceivably work. Researchers stated that, moving forward, cryptocurrency owners should keep an eye on their security settings and digital assets to prevent compromise and leakage. CookieMiner is intended to help hackers make money by collecting credential information and mining cryptocurrency. If hackers have all the information needed for the authentication process, multi-factor authentication may be defeated.