CookieMiner Mac Malware steals browser cookies and sensitive Data

Palo Alto Networks discovered a piece of Mac malware dubbed CookieMiner that is targeting browser cookies associated with cryptocurrency exchanges and wallet service websites..

Researchers from Palo Alto Networks discovered a new piece of Mac malware dubbed CookieMiner that steals browser cookies associated with cryptocurrency exchanges and wallet service websites along with other sensitive data.

The malware targets cookies associated with cryptocurrency exchanges such as Binance, Coinbase, Poloniex, Bittrex, Bitstamp, and MyEtherWallet. It would steal cookies aby website that has “blockchain” in their domain name.
CookieMiner leverages a Python script named “harmlesslittlecode.py.” to steal saved login credentials and credit card information from Chrome.

CookieMiner is based in the OSX.DarthMiner malware that was discovered by experts at Malwarebytes in December, it is able to steal browser cookies from Chrome and Safari browsers and also sensitive data such as user credentials, in Chrome, saved credit card credentials in Chrome, iPhone text messages from backups and cryptocurrency wallet data and keys.

“This malware is capable of stealing browser cookies associated with mainstream cryptocurrency exchanges and wallet service websites visited by the victims.” reads the analysis published by PaloAlto Networks.

“It also steals saved passwords in Chrome. By leveraging the combination of stolen login credentials, web cookies, and SMS data, based on past attacks like this, we believe the bad actors could bypass multi-factor authentication for these sites. “

Crooks aim to empty the victim’s exchange account or wallet by using a combination of stolen login credentials, web cookies, and SMS data.

Experts believe the threat actors could bypass multifactor authentication for the sites for which they are able to steal associated info.

CookieMiner configures the compromised systems to load coinmining software that appears like an XMRIG-type miner, but that mines Koto, a lesser popular cryptocurrency associated with Japan.

Like DarthMiner, the malware leverages on the EmPyre backdoor as a post-exploitation agent, it checks if the Little Snitch firewall is running on the target host and aborts installation if it does.

“The malware ‘CookieMiner’ is intended to help threat actors generate profit by collecting credential information and mining cryptocurrency. If attackers have all the needed information for the authentication process, the multi-factor authentication may be defeated.” Palo Alto Networks concludes.

“Cryptocurrency owners should keep an eye on their security settings and digital assets to prevent compromise and leakage,”

Further details, including IoCs, are reported in the analysis published by PaloAlto networks.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – CookieMiner, cryptocurrency malware)

[adrotate banner=”5″] [adrotate banner=”13″]