New Mac malware Cookieminer is capable of stealing crypto wallet data

The new Mac threat can steal cookies related to cryptocurrency wallets and then drop crypto-miner on the system to maximize profits

Cookieminer is a the new strain of Mac malware that is capable of stealing crypto-wallet information and silently mine crypto

Security researchers at Palo Alto Networks Unit 42 published a report^[1] about the newly-discovered cyberthreat designed for Mac^[2] operating systems. The virus, dubbed Cookieminer, possesses a wide range of capabilities, including all kind of data theft, as well as a secret implementation of a crypto-mining malware on the system to maximize profits.

The threat received its name mainly due to its primary goal – stealing web browsing cookies related to cryptocurrency wallets. The secondary objective of Cookieminer is to gain extra funds by abusing victims' computers resources to mine Koto – a cryptocurrency mostly popular in Japan.

Due to the sophisticated operation of malware and its ability to combine a variety of credentials, SMS contents, and web cookies, it is entirely possible that bad actors could easily bypass two-factor authentication security measure:^[1]

Stealing cookies is an important step to bypass login anomaly detection. If only the username and password are stolen and used by a bad actor, the website may issue an alert or request additional authentication for a new login. However, <…> the website might believe the session is associated with a previously authenticated system host and not issue an alert or request additional authentication methods.

Because of this, users who do possess crypto wallet could suffer massive financial losses – it makes Cookieminer especially dangerous.

Researchers also believe that the virus originated from OSX.DarthMiner^[3] – Mac malware that integrates EmPyre backdoor and the renowned XMRig miner.

Cookieminer steals a variety of sensitive information for its operation

It is yet unknown how the threat is being propagated, although it is believed that the malicious shell script is delivered with the help of applications on third-party websites. Once installed, it surveys Safari's browser cookies that are related to cryptocurrency exchange sites, including MyEtherWallet, Bittrex, Poloniex, Binance, Coinbase, Bitstamp or other websites that are associated with blockchain.

Additionally, Cookieminer also targets Google Chrome, although this time it seeks to harvest different kind of data – login details and credit card information. It uses a Python script named harmlesslittlecode.py as well as weaknesses of Chromium open-source project by Google Chrome. Malware targets main financial service issuers, including Visa, American Express, Mastercard, and Discover.

Additionally, malware can also obtain the data from iPhone backups that are transferred to Mac via iTunes, as well as iPhone SMS messages. All this information, together with usernames, passwords, keys for cryptocurrency wallets and visited URL's is then sent to a Command & Control server that is in hackers' control.

Cryptojacking is another feature utilized by cybercriminals

As a final step in its operation, Cookieminer performs a series of changes to the compromised machine to set up a cryptominer. It deploys an executable “XMRig2” which is present while the mining is taking place. The miner mostly abuses CPU (which is ideal for malicious actors, as not all victims are guaranteed to have a decent GPU installed), as “Yescrypt” algorithm is not designed to mine by using video cards.

XMRig2, however, is used by miners that harvest Monero. Therefore, experts believe that the name was applied to intentionally cause confusion, as the script mines Koto instead – Zcash-based anonymous digital currency.

Persistence of threat and means of protection

The Command & Control Server is not only used as a bucket for the hijacked information. Hackers also launch another Python-based script to use EmPyre backdoor.^[4] It allows cybercriminals to send commands to the compromised machines at any time post-exploitation. Additionally, Cookieminer checks if Little Snitch, a host-based application firewall for macOS, is present on the system. If so, it will not enter the system and leave immediately.

Cookieminer is a sophisticated threat that can result not only in financial losses but also compromise one's identity, as credentials used can reveal names of victims. Additionally, Mac users should stop thinking that they do not need protection from viruses – hackers know that macOS is also being widely used (Windows prevalence explains the lesser number of Mac viruses), and will create tools to benefit in one way or another.^[5]

Therefore, to protect yourself from unwanted consequences, stay away from dubious websites and employ a reputable security application with real-time protection feature that could block the entering threats.