A brand-new piece of malware has made its way onto macOS systems — collecting users’ credentials and forcing their devices to mine coins for the benefit of the hackers.
The supposed immunity of macOS to malware is a myth that has already been busted on numerous occasions.
Now, cybersecurity experts from Palo Alto Networks have discovered another malicious specimen, based on OSX.DarthMiner.
This bug makes its way onto the much-vaunted Apple operating system to steal cookie data from cryptocurrency exchanges and other sensitive information — like saved passwords and credit card numbers — for the benefit of cybercriminals.
A 14-year-old boy found a security bug in Group FaceTime; Apple and Facebook apologized to customers pic.twitter.com/1ClpEZWQrs
— tech news (@technew84470022) February 3, 2019
How It Works
While the manner in which the malware is distributed is not yet clear, experts believe that the trojan uses backdoors built with EmPyre PowerShell to establish remote access and transfer data.
Once the malicious code finds its way into the system, it scans browser cookies for the websites of popular cryptocurrency exchanges like Binance, Coinbase, Poloniex, Bittrex, Bitstamp, MyEtherWallet, etc. and searches for resources related to “blockchain.”
Once it finds what it is looking for, the trojan’s shell script steals cookies from Chrome and Safari and uploads them to a remote server.
According to Palo Alto Networks, the primary aim of the malware is to gain access to users’ cryptocurrency exchange accounts. Beyond that, CookieMiner downloads a malicious Python script (harmlesslittlecode.py) to extract account data, banking card numbers, and passwords saved in Chrome.
If the infected computer synchronizes with an iPhone via iTunes, the malware also attempts to gain access to SMS message backups. As a result, it can intercept one-time passwords and bypass the two-factor authentication that cryptocurrency exchanges implement for security purposes.
With a combination of stolen account login data, web cookies, and text messages, the hackers can gain full control over the victim’s cryptocurrency wallets and trading accounts.
Furthermore, CookieMiner installs cryptocurrency mining malware that looks like a Monero (XMR) coin miner and runs quietly in the background to mine Koto, a lesser-known privacy coin.
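The behaviour described above leaves a few host-level traces a defender can look for: a Python process running the dropped script harmlesslittlecode.py, and a background miner that burns CPU from a location no legitimate app would use. The following triage script is an added example written for this article, not code from Palo Alto Networks or from the malware write-up. It parses a `ps aux` listing and flags processes on three indicators: the script name named in the article, executables launched from temp or hidden directories, and sustained high CPU outside trusted locations. The CPU threshold, the trusted-path list, the hidden-path heuristic and the sample listing are all assumptions constructed for the example.

```python
"""Triage a macOS `ps aux` listing for CookieMiner-style indicators.

Added example, not from the article or from Palo Alto Networks. The only
page-supported indicator is the script name harmlesslittlecode.py; the CPU
threshold, trusted prefixes, hidden/temp-path heuristic and the sample
listing below are constructed assumptions for illustration.
"""
import re
import subprocess

SCRIPT_NAME = "harmlesslittlecode.py"        # named in the write-up
CPU_THRESHOLD = 80.0                         # percent; assumed threshold
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/libexec/")  # assumed
# Matches /tmp/, /var/tmp/ or any hidden directory component such as /.xmr/
HIDDEN_OR_TEMP = re.compile(r"(^|/)(\.[^/\s]+|tmp)/")

REASON_SCRIPT = "known CookieMiner script name"
REASON_PATH = "runs from a temp or hidden directory"
REASON_CPU = "sustained high CPU outside trusted locations (possible miner)"


def parse_ps_line(line):
    """Return (pid, cpu_percent, command) for one `ps aux` row, or None."""
    parts = line.split(None, 10)  # 11 columns; COMMAND keeps its arguments
    if len(parts) < 11:
        return None
    try:
        return int(parts[1]), float(parts[2]), parts[10]
    except ValueError:
        return None  # header row or malformed line


def triage(ps_output):
    """Return [{pid, command, reasons}] for every process tripping an indicator."""
    findings = []
    for line in ps_output.splitlines():
        parsed = parse_ps_line(line)
        if parsed is None:
            continue
        pid, cpu, cmd = parsed
        reasons = []
        if SCRIPT_NAME in cmd:
            reasons.append(REASON_SCRIPT)
        if HIDDEN_OR_TEMP.search(cmd):
            reasons.append(REASON_PATH)
        if cpu >= CPU_THRESHOLD and not cmd.startswith(TRUSTED_PREFIXES):
            reasons.append(REASON_CPU)
        if reasons:
            findings.append({"pid": pid, "command": cmd, "reasons": reasons})
    return sorted(findings, key=lambda f: f["pid"])


# Constructed sample listing: one benign browser, one benign user script,
# the dropped Python script, and a miner hidden under ~/Library.
SAMPLE_PS = """USER   PID  %CPU %MEM     VSZ   RSS   TT  STAT STARTED    TIME COMMAND
alice  412   0.3  1.2 5123456 98765   ??  S    9:01AM 0:12.33 /Applications/Safari.app/Contents/MacOS/Safari
alice  871   0.1  0.2 4321000 12345   ??  S    9:02AM 0:00.45 /usr/bin/python /tmp/.hidden/harmlesslittlecode.py
alice  990  97.5  0.8 4400000 65432   ??  R    9:03AM 5:41.10 /Users/alice/Library/.xmr/miner --quiet
alice 1010   2.0  0.5 4300000 40000 s000  S    9:05AM 0:03.00 /usr/bin/python /Users/alice/project/app.py
"""


def main():
    """Run the triage against the live process table."""
    live = subprocess.run(["ps", "aux"], capture_output=True, text=True, check=True).stdout
    for f in triage(live):
        print(f"PID {f['pid']}: {', '.join(f['reasons'])}\n    {f['command']}")


if __name__ == "__main__":
    main()
```

Run on the constructed sample, `triage(SAMPLE_PS)` flags PID 871 (known script name, temp/hidden path) and PID 990 (hidden path, high CPU) while leaving Safari and the user’s own Python script alone. The heuristics are deliberately loose; a high-CPU hit from a hidden directory is a prompt to inspect the binary and its launch agents, not a verdict on its own.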
How to Protect Yourself
Jen Miller-Osborn, Deputy Director of Threat Intelligence at Palo Alto Networks, recommends that macOS users be extra careful when downloading apps from outside the official Apple store. Criminals tend to avoid this distribution channel, as Apple may find the malicious software during the review process.
Apart from that, experts remind users of the risks of storing personal information in web browsers. It is wise to clear cookies after visiting financial accounts — including cryptocurrency wallets.
Palo Alto Networks has notified Apple and Google about the potential threat.