
CookieMiner detected: new malware for Mac


Anonim

The Unit 42 research team at Palo Alto Networks has discovered new Mac malware. It is designed to steal browser cookies and credentials, apparently in an attempt to withdraw funds from cryptocurrency exchange accounts.

CookieMiner: A new malware for Mac

Called CookieMiner for its ability to steal cookies related to cryptocurrency exchanges, the malware has been built specifically to target Mac users. Researchers believe it is based on DarthMiner, another Mac malware detected in December 2018.

Additional dangers

CookieMiner also secretly installs coin-mining software, so that infected Macs generate additional cryptocurrency for the attackers. In CookieMiner's case it is apparently designed to mine "Koto", a lesser-known, privacy-oriented cryptocurrency used mainly in Japan.

Even so, the most interesting capabilities of the new malware are its ability to steal:

  • Cookies from the Chrome and Safari browsers associated with the most popular cryptocurrency exchange and wallet services.
  • Usernames, passwords and credit card information saved in the Chrome browser.
  • Cryptocurrency wallet data and keys.
  • iTunes backups of the victim's iPhone SMS messages.

CookieMiner has been found to target Binance, Coinbase, Poloniex, Bittrex, Bitstamp, MyEtherWallet and any website with 'blockchain' in its domain, services that also use cookies to temporarily track their logged-in users.
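A defender-side check that follows from the target list above, added here as an example (it is not code from the page, from Unit 42 or from the malware): it inventories which cookies in a Chrome-format `Cookies` SQLite file belong to the exchanges and wallets the report names, applying the same 'blockchain'-in-domain rule, so a user can see what CookieMiner would harvest and clear it. It assumes Chrome's `cookies` table with `host_key` and `name` columns and builds a constructed sample file to run against.

```python
import sqlite3
import tempfile

# Exchange and wallet sites named in the report; "blockchain" is matched as a
# substring of the host, mirroring the "any website with 'blockchain'" rule.
TARGETED_SITES = ("binance", "coinbase", "poloniex", "bittrex",
                  "bitstamp", "myetherwallet")


def is_targeted_host(host_key: str) -> bool:
    """True if a cookie host (Chrome style, leading dot allowed) matches
    CookieMiner's reported target list."""
    host = host_key.lstrip(".").lower()
    if "blockchain" in host:
        return True
    return any(site in host.split(".") for site in TARGETED_SITES)


def find_targeted_cookies(db_path: str) -> list[tuple[str, str]]:
    """Read a Chrome-format Cookies SQLite file (opened read-only) and return
    (host_key, name) for every cookie whose host is on the target list.
    Assumption: the `cookies` table has `host_key` and `name` columns."""
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        rows = conn.execute("SELECT host_key, name FROM cookies").fetchall()
    finally:
        conn.close()
    return [(host, name) for host, name in rows if is_targeted_host(host)]


def build_sample_db() -> str:
    """Constructed sample: a minimal Chrome-like Cookies file in a temp path."""
    tmp = tempfile.NamedTemporaryFile(suffix="-Cookies", delete=False)
    tmp.close()
    conn = sqlite3.connect(tmp.name)
    with conn:
        conn.execute("CREATE TABLE cookies (host_key TEXT, name TEXT)")
        conn.executemany("INSERT INTO cookies VALUES (?, ?)", [
            (".binance.com", "session"),
            ("www.coinbase.com", "cb_session"),
            ("login.blockchain.com", "auth"),
            ("news.ycombinator.com", "user"),
            (".example.com", "pref"),
        ])
    conn.close()
    return tmp.name


if __name__ == "__main__":
    for host, name in find_targeted_cookies(build_sample_db()):
        print(f"clear before visiting: {host} ({name})")
```

Against a real profile, run it on a copy of `~/Library/Application Support/Google/Chrome/Default/Cookies` while Chrome is closed, since the live file is locked.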

How attackers gain access

By combining stolen credentials, web cookies and SMS messages, an attacker could bypass even two-step authentication.

It should also be noted that there is still no evidence that the attackers have successfully stolen any funds; the researchers are speculating based on the observed behavior.

Risks and precautions

Furthermore, CookieMiner uses the EmPyre backdoor for post-exploitation control, allowing attackers to remotely take control of the Mac.

EmPyre is a Python agent that checks whether the Little Snitch firewall application is running; if it is, the agent stops and exits. Attackers can also configure the agent to download additional files.

Although the infection route is not yet clear, the vector is believed to be a deceptive software download.

Palo Alto Networks has already contacted Google, Apple, and the target crypto services to report the problem.

Recommendations

Since the campaign is believed to be still active, the best way to prevent it is to avoid saving your credentials or credit card information in web applications. And of course, don't download third-party apps.

In addition, we recommend clearing cookies when you visit financial or banking services and keeping an eye on your security settings.

Via The Hacker News. Sources: Unit 42, Malwarebytes Labs.
