According to Unit 42, the threat research team of Palo Alto Networks, a multinational cybersecurity company, a new and insidious malware strain, given the name “CookieMiner”, is targeting Mac users in order to compromise their cryptocurrency accounts. The firm noted that:
The attack targets cookies associated with cryptocurrency exchanges that include Binance, Coinbase, Poloniex, Bittrex, Bitstamp, MyEtherWallet, and any website having ‘blockchain’ in its domain name such as www.blockchain[.]com.
If it cannot find any useful information, then it enlists the computer to support the criminal’s ongoing mining operation.
During their analysis, the Unit 42 researchers made note of these capabilities:
- “Steals Google Chrome and Apple Safari browser cookies from the victim’s machine;
- Steals saved usernames and passwords in Chrome;
- Steals saved credit card credentials in Chrome;
- Steals iPhone’s text messages if backed up to Mac;
- Steals cryptocurrency wallet data and keys;
- Mines cryptocurrency on the victim’s machine;
- Not the first time Mac malware targets cryptocurrency;
- Keeps full control of the victim using the EmPyre backdoor.”
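The fourth capability in that list, theft of iPhone text messages, is only possible because a Finder/iTunes backup stored without a backup password keeps the phone's SMS database in the clear on the Mac. The script below is an added example, not code from the Unit 42 report or from the article: it walks the standard local backup location (`~/Library/Application Support/MobileSync/Backup/<device id>/`) and reports, per backup, what the `IsEncrypted` flag in that backup's `Manifest.plist` says. The directory layout and the key name are the standard ones; the sample backups it builds under a temporary directory are constructed fixtures.

```python
"""Report which local iPhone backups are unencrypted.

Added example, not code from the Unit 42 report. Finder/iTunes backups live
under ~/Library/Application Support/MobileSync/Backup/<device id>/, and each
backup's Manifest.plist carries an IsEncrypted boolean. An unencrypted backup
stores the phone's SMS database in the clear, which is what makes "steals
iPhone's text messages if backed up to Mac" possible. The directories
written by make_sample_backup() are constructed fixtures.
"""
import plistlib
import tempfile
from pathlib import Path
from typing import Optional

DEFAULT_ROOT = Path.home() / "Library" / "Application Support" / "MobileSync" / "Backup"


def backup_is_encrypted(backup_dir) -> Optional[bool]:
    """Read IsEncrypted from a backup's Manifest.plist; None if it cannot be read."""
    manifest = Path(backup_dir) / "Manifest.plist"
    try:
        with manifest.open("rb") as fh:
            data = plistlib.load(fh)  # handles both XML and binary plists
    except (OSError, plistlib.InvalidFileException):
        return None
    flag = data.get("IsEncrypted")
    return None if flag is None else bool(flag)


def audit_backups(root=DEFAULT_ROOT) -> dict:
    """Map each backup directory under root to 'encrypted', 'UNENCRYPTED' or 'unknown'."""
    root = Path(root)
    if not root.is_dir():
        return {}
    labels = {True: "encrypted", False: "UNENCRYPTED", None: "unknown"}
    return {entry.name: labels[backup_is_encrypted(entry)]
            for entry in sorted(root.iterdir()) if entry.is_dir()}


def make_sample_backup(root, name: str, encrypted: bool) -> Path:
    """Create a minimal constructed backup directory holding only a Manifest.plist."""
    backup = Path(root) / name
    backup.mkdir(parents=True, exist_ok=True)
    with (backup / "Manifest.plist").open("wb") as fh:
        plistlib.dump({"IsEncrypted": encrypted, "Version": "10.0"}, fh)
    return backup


def demo() -> dict:
    """Audit constructed backups (encrypted, unencrypted, no manifest) in a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_backup(tmp, "sample-unencrypted", encrypted=False)
        make_sample_backup(tmp, "sample-encrypted", encrypted=True)
        (Path(tmp) / "sample-no-manifest").mkdir()        # a directory with no Manifest.plist
        (Path(tmp) / "not-a-backup.txt").write_text("")   # plain files are skipped
        return audit_backups(tmp)


if __name__ == "__main__":
    print(demo())
    for name, state in audit_backups().items():  # the real location on this Mac
        print(f"{name}: {state}")
```

On current macOS releases the MobileSync folder is protected by the privacy (TCC) controls, so the terminal you run this from needs Full Disk Access to read it; a backup reported as UNENCRYPTED is one whose text messages any process with the same access could read. Turning on "Encrypt local backup" in Finder and then making a fresh backup is the fix, since the old unencrypted copy stays on disk until it is replaced or deleted.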
The last capability in that list, the EmPyre backdoor, is the most technical one, so for context here is how one security expert describes the strains that make use of this “backdoor”:
They all make use of the EmPyre backdoor for remote control and persistence purposes, a backdoor known to provide “cryptologically-secure communications and a flexible architecture” and to push arbitrary commands to the infected Macs post-exploitation according to Malwarebytes.
The latter firm is an Internet security company based in Santa Clara, California.
Another nasty characteristic of this malware is that it can, in some cases, circumvent the multi-factor authentication that most crypto exchanges and wallet services rely on to prevent account takeover. It gathers login credentials, web cookies, and text messages (the channel through which SMS-based one-time codes are delivered) and combines them: a stolen session cookie lets the attacker step into an already-authenticated session without logging in at all, while the stolen password together with the stolen SMS codes lets them pass a fresh login and its second factor.
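One way to see why that combination matters, as an added example that is not part of the original article or the Unit 42 report: a toy exchange API in Python, first in a form where any valid session cookie is accepted from anywhere, then hardened so that a cookie copied off the Mac and replayed from another host is rejected, a withdrawal needs a freshly verified second factor, and funds can only go to an address allowlisted a day earlier. The account, the SMS code, the addresses, the client fingerprint scheme and the two policy constants are invented for the demonstration.

```python
"""Stolen-session replay against a toy exchange API, and one way to harden it.

Added example, not code from the Unit 42 report or from any real exchange. It
models the takeover path described in the article: once the browser's session
cookie is copied off the Mac, the attacker presents it from another host. The
account, SMS code, addresses, fingerprint scheme and policy constants are
constructed for the demonstration.
"""
import hashlib
import secrets
import time

ALLOWLIST_DELAY = 24 * 3600  # assumed policy: a new payout address is usable after 24 h
STEP_UP_MAX_AGE = 300        # assumed policy: a second-factor check stays fresh for 5 min

def fingerprint(client: dict) -> str:
    """Hash the request attributes the server sees on every call (constructed scheme)."""
    return hashlib.sha256(f"{client['ip']}|{client['user_agent']}".encode()).hexdigest()

class VulnerableExchange:
    """Any valid session cookie is enough for any action: a copied cookie is the account."""
    def __init__(self, clock=time.time):
        self.now = clock
        self.users = {"alice": {"password": "correct horse", "balance": 10.0, "allowlist": {}}}
        self.sms_codes = {"alice": "482913"}  # constructed: the code an SMS 2FA would deliver
        self.sessions = {}  # cookie -> {"user", "fp" (client hash at login), "step_up_at"}

    def login(self, user, password, sms_code, client) -> str:
        acct = self.users.get(user)
        if acct is None or password != acct["password"] or sms_code != self.sms_codes.get(user):
            raise PermissionError("bad credentials or SMS code")
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = {"user": user, "fp": fingerprint(client), "step_up_at": self.now()}
        return cookie

    def withdraw(self, cookie, amount, dest, client) -> float:
        sess = self.sessions.get(cookie)
        if sess is None:
            raise PermissionError("no session")
        acct = self.users[sess["user"]]
        acct["balance"] -= amount  # no client check, no step-up, no address policy
        return acct["balance"]

class HardenedExchange(VulnerableExchange):
    """Binds the session to the client, needs a fresh step-up, pays only to aged addresses."""
    def _session(self, cookie, client) -> dict:
        sess = self.sessions.get(cookie)
        if sess is None or sess["fp"] != fingerprint(client):
            self.sessions.pop(cookie, None)  # a replay from another client burns the session
            raise PermissionError("session not valid for this client")
        return sess

    def add_address(self, cookie, dest, client) -> None:
        sess = self._session(cookie, client)
        self.users[sess["user"]]["allowlist"][dest] = self.now()

    def step_up(self, cookie, client, second_factor_ok: bool) -> None:
        sess = self._session(cookie, client)
        if not second_factor_ok:
            raise PermissionError("step-up failed")
        sess["step_up_at"] = self.now()

    def withdraw(self, cookie, amount, dest, client) -> float:
        sess = self._session(cookie, client)
        acct = self.users[sess["user"]]
        added = acct["allowlist"].get(dest)
        if added is None or self.now() - added < ALLOWLIST_DELAY:
            raise PermissionError("destination not yet allowlisted")
        if self.now() - sess["step_up_at"] > STEP_UP_MAX_AGE:
            raise PermissionError("fresh second factor required")
        acct["balance"] -= amount
        return acct["balance"]

VICTIM = {"ip": "203.0.113.10", "user_agent": "Safari/605 (Macintosh)"}
ATTACKER = {"ip": "198.51.100.7", "user_agent": "curl/7.64.1"}

def demo() -> dict:
    """Victim logs in on the Mac; the copied cookie is then replayed from the attacker's host."""
    out, vuln = {}, VulnerableExchange()
    cookie = vuln.login("alice", "correct horse", "482913", VICTIM)
    out["vulnerable_after_replay"] = vuln.withdraw(cookie, 10.0, "bc1qattacker", ATTACKER)
    clock = [1_700_000_000.0]  # controllable clock for the hardened run
    hard = HardenedExchange(clock=lambda: clock[0])
    cookie = hard.login("alice", "correct horse", "482913", VICTIM)
    try:
        hard.withdraw(cookie, 10.0, "bc1qattacker", ATTACKER)
        out["hardened_replay"] = "allowed"
    except PermissionError as err:
        out["hardened_replay"] = str(err)
    # Legitimate path: add an address, wait out the delay, re-verify, then withdraw.
    cookie = hard.login("alice", "correct horse", "482913", VICTIM)  # the replay burned the old one
    hard.add_address(cookie, "bc1qalice", VICTIM)
    clock[0] += 25 * 3600
    hard.step_up(cookie, VICTIM, second_factor_ok=True)
    out["hardened_legit"] = hard.withdraw(cookie, 4.0, "bc1qalice", VICTIM)
    return out

if __name__ == "__main__":
    print(demo())
```

Two caveats follow directly from the article. The `step_up` call takes a `second_factor_ok` flag instead of modelling a real factor on purpose: if that factor is an SMS code, the harvested text messages cover it too, so the check only helps when it uses something the infected Mac does not hold, such as a hardware key or a separate device. Likewise the allowlist delay does not stop a patient attacker who also has the password and SMS codes and can log in fresh; it buys the victim a day to act on the new-address notification. Cookie attributes such as HttpOnly and Secure are irrelevant here because the cookie was read from the browser's store on disk, not from a page script or from the wire, and binding a session to the client IP is a coarse fingerprint that will log users out on mobile networks, which is why real deployments pair it with a device-bound token rather than relying on it alone.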
CookieMiner is not the first malware to attack Mac devices. The infamous Lazarus Group, a syndicate supported by the North Korean government and known for its hack of Sony, recently used a piece of Mac malware to breach an Asian cryptocurrency exchange. There are also other cases where Mac users have been duped into entering commands that immediately handed control of their devices to criminal servers in the background.
In its report, the Palo Alto firm summarized its findings on CookieMiner:
If successful, the attackers would have full access to the victim’s exchange account and/or wallet and be able to use those funds as if they were the user themselves. Cryptocurrency owners should keep an eye on their security settings and digital assets to prevent compromise and leakage.