Mac Malware Steals Cryptocurrency Exchanges’ Cookies

By: Yue Chen, Cong Zheng, Wenjun Hu, Zhi Xu

Tags: Blockchain, Cryptocurrency, Coin Mining, Web Browser Cookies, Credit Card, Password, Wallet, SMS, Zcash

Palo Alto Networks’ Unit 42 recently discovered malware that we believe has been developed from OSX.DarthMiner, a malware known to target the Mac platform. This malware is capable of stealing browser cookies associated with mainstream cryptocurrency exchanges and wallet service websites visited by the victims.
It also steals saved passwords in Chrome. Finally, it seeks to steal iPhone text messages from iTunes backups on the tethered Mac. By leveraging the combination of stolen login credentials, web cookies, and SMS data, based on past attacks like this, we believe the bad actors could bypass multifactor authentication for these sites. If successful, the attackers would have full access to the victim’s exchange account and/or wallet and be able to use those funds as if they were the user themselves.
The malware also configures the system to load coinmining software. This software is made to look like an XMRIG-type coinminer, which is used to mine Monero. In fact, though, it loads a coinminer that mines Koto, a lesser-known cryptocurrency associated with Japan. Because of the way this malware targets the cookies associated with exchanges, we have named it “CookieMiner”. In the following sections, we will first briefly introduce some background knowledge, and then dig into the technical details of the malware’s behaviors.