CookieMiner, An Active MacOS-based Cryptojacking Malware In The Wild Exposed

The very prolific Palo Alto Networks’ Unit 42 has made a huge discovery again, as they revealed to the public another cryptocurrency mining malware. Known as CookieMiner, it is a new crypto mining virus that specifically developed to target Mac hardware. Using cookies connected with login under MyEtherWallet, an interface service supporting Ethereum. “It sparked our interest as it was a new variant with additional functionality. There are a lot of coinminers and other malware in the wild and targeting credentials or cookies stored in browsers is not new. Targeting all of these with apparent focus on gaining access to cryptocurrency exchanges and trying to avoid [multi-factor authentication] protections is newer,” explained Jen Miller-Osborn.

The malware is also known as OSX.DarthMiner, it contains instructions to steal passwords entered through a browser in anticipation that one way or another the user is transacting with cryptocurrency. If the user enters his cryptowallet password, the user credential is automatically stolen in the background and send it to the author. According to the researchers, the malicious software wants to use elaborate methods to cut multiple access points, as it also accesses chat histories in iTunes backups from iPhones. In addition, it also invisibly loads mining software for cryptocurrencies on affected computers through stealing user credentials.

This technique of stealing credentials can only be prevented if the user is savvy enough to have enabled 2-factor authentication. The chat histories, especially the SMS exchange, are necessary to find out the phone number of the victim and possibly intercept the activation code in the 2-factor authentication. Unfortunately, the virus author already anticipated such and created the malware in such a way that it steals session cookies as well.

Cookie theft affects Safari and Chrome, but the malware can steal additional data such as credit card details or even stored passwords from Chrome. Session cookies are 1-time cookies that identify a user to a system for quite a while before an automatic log-off due to inactivity occurs.

“They should also clear web browser caches regularly, particularly after logging into financial or other sensitive accounts. It’s quick and ensures the data is not within web browsers to steal,” added Miller-Osborn.

It has been discovered that CookieMiner points to Binance, Coinbase, Poloniex, Bittrex, Bitstamp, MyEtherWallet and any web with “blockchain” in the domain, and also uses cookies to temporarily track their users. In addition, CookieMiner also uses the EmPyre backdoor for post-exploitation control, allowing attackers to remotely take control of the Mac system.

EmPyre is a Python agent that checks if the Little Snitch application is active, in which case it stops and exits. Attackers can also configure this agent to download additional files. Although the infection route is not yet clear, it is believed that the vector is a software download with which it deceives users.

It should also be noted that there is still no evidence that the attackers have successfully stolen any funds, but they are speculating on the basis of the observed behavior. Palo Alto Networks has already contacted Google, Apple, and the targeted cryptocurrency services to warn of the problem.