A brand-new malware has made its way to MacOS systems — collecting users’ credentials and forcing their devices to mine coins for the benefit of the hackers.

The MacOS immunity to malware is a myth that has been already busted on numerous occasions.

Now, cybersecurity experts from Palo Alto Networks have discovered another specimen of a malicious bug — based on OSX.DarthMiner.

This bug makes its way to the much-vaunted Apple operating system to steal cookie data from cryptocurrency exchanges and other sensitive information — like saved passwords and credit cards numbers — for the benefit of cybercriminals.

How It Works

While the manner in which the malware is disseminated is not clear yet, experts believe that the trojan uses backdoors with EmPyre Powershell to establish remote access and transfer data.

Once the malicious code finds its way into the system, it scans browsers cookies for the websites of popular cryptocurrency exchanges like Binance, Coinbase, Poloniex, Bittrex, Bitstamp, MyEtherWallet, etc. and searches for resources related to “blockchain.”

Once it finds what it was looking for, the Trojan shell script steals cookies from Chrome and Safari before uploading them to a remote server.

Triple Whammy

According to Palo Alto Networks, the primary aim of the malware is to gain access to users’ cryptocurrency exchange accounts. However, apart from that, CookieMiner downloads a malicious Python-Script (harmlesslittlecode.py) to extract account data, banking card numbers, and passwords saved in Chrome.

If the infected computer synchronizes with iPhones via iTunes, the malware attempts to get access to SMS message backups. As a result, the malware intercepts one-time passwords to bypass two-factor authentication implemented by cryptocurrency exchanges for security purposes.

With a combination of stolen account login data, web cookies, and text messages, the hackers can receive full control over victim’s cryptocurrency wallets and trading accounts.

Furthermore, CookieMiner installs cryptocurrency mining malware that looks like a Monero (XMR) coin miner and runs quietly in the background to mine a lesser-known privacy coin Koto.

How to Protect Yourself

Jen Miller-Osborn, a Deputy Director of Threat Intelligence at Palo Alto Networks, recommends MacOS users be extra careful while downloading apps outside the official Apple store. Criminals tend to avoid this distribution channel, as Apple may find the malicious software during the review process.

Apart from that, experts remind users of the risks of storing personal information in web browsers. It is wise to clear cookies after visiting financial accounts — including cryptocurrency wallets.

Palo Alto Networks has notified Apple and Google about the potential threat.

What do you think of CookieMiner? Let us know your thoughts in the comments below!

Татьяна Чепкова

Financial translator, financial market observer, analyst and an editor with vast work experience in financial and cryptocurrency media outlets in Russia and abroad. For over ten years worked as a financial translator and content creator for Russian and international financial companies and media outlets, including Profinance Service, Saxo Bank, and Finance Magnates. Writing about cryptocurrency and blockchain industry on a daily basis since 2017. Love to stay on top of things and have a personal opinion about everything, but always try to follow the principles of objective reporting.

Follow Author

Want to know more?

Join our Telegram Group and get trading signals, a free trading course and daily communication with crypto fans!

This site uses cookies.
Click here to accept the use of these cookies. View our cookie policy

We are discussing it in our Telegram Channel


We are discussing it in our Telegram Channel