According to Palo Alto Networks’ Unit 42, a newly discovered piece of macOS malware steals browser cookies associated with the cryptocurrency exchange and wallet websites its victims use.
Unit 42 has named the malware CookieMiner.
It also steals passwords saved in Google Chrome, and it is believed to be derived from the earlier Mac malware OSX.DarthMiner.
Comprehensive Threat for Mac Users
On top of stealing passwords and cookies from Chrome, the malware also harvests iPhone text messages from the iTunes backups that are written to a Mac when a phone is synced with it.
Unit 42 writes:
“By leveraging the combination of stolen login credentials, web cookies, and SMS data, based on past attacks like this, we believe the bad actors could bypass multi-factor authentication for these sites.”
If the theft succeeds, the attackers can log into the victim’s exchange accounts with the stolen credentials or cookies, and one-time codes found in the recovered text messages could be used to pass SMS-based two-factor authentication and move the funds out. A caveat: SMS codes expire within minutes, so the backup only helps if it is recent, whereas a stolen session cookie needs no second factor at all.
However, it does not end there.
The malware also installs a coin miner configured to run on the infected system. The binary looks like XMRig, which is normally used to mine Monero, but it is actually configured to mine a lesser-known cryptocurrency called Koto.
Why Are Cookies so Important?
Web applications rely on browser cookies to track authentication state: after a successful login, the server issues a session cookie and treats any later request that presents it as coming from the logged-in user.
If such a cookie is stolen, the attacker can present it from their own machine and be treated as that user, without knowing the password.
Because the attacker never goes through the login page, controls that run at login time, such as new-device and unusual-location checks or multi-factor prompts, are never triggered, so the account can be accessed without an alert being raised.
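The following is an added illustration, not code from the article or from Unit 42’s analysis, of why a replayed session cookie sidesteps login-time controls, and of one server-side check that can catch the replay: binding each session to a keyed hash of the client context (IP address and User-Agent) observed at login, and revoking the session when the cookie shows up from a different context. The user table, client addresses and user-agent strings are constructed for the example.

```python
"""Added illustration: session-cookie replay versus a session-binding check.
All users, client addresses and user-agent strings below are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed credential table for the demo (a real server would store hashes).
USERS = {"alice": "correct-horse-battery"}


@dataclass(frozen=True)
class Client:
    """The request context a server can observe."""
    ip: str
    user_agent: str


@dataclass
class Session:
    user: str
    fingerprint: str  # keyed hash of the client context seen at login


@dataclass
class SessionStore:
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    sessions: Dict[str, Session] = field(default_factory=dict)

    def fingerprint(self, client: Client) -> str:
        # Keyed hash so the stored value does not expose raw IP/UA data.
        msg = f"{client.ip}|{client.user_agent}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def login(self, user: str, password: str, client: Client) -> Optional[str]:
        """The login step: this is where new-device checks, location anomaly
        rules and MFA prompts normally run. Returns a fresh session cookie."""
        if not hmac.compare_digest(USERS.get(user, ""), password):
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = Session(user, self.fingerprint(client))
        return cookie

    def request_naive(self, cookie: str, client: Client) -> Tuple[Optional[str], bool]:
        """Cookie-only authorisation: whoever presents a valid cookie is the
        user. No login event occurs, so login-time controls never fire.
        Returns (authenticated user or None, alert raised)."""
        s = self.sessions.get(cookie)
        return (s.user, False) if s else (None, False)

    def request_bound(self, cookie: str, client: Client) -> Tuple[Optional[str], bool]:
        """Same check, but the cookie is bound to the client context seen at
        login. A valid cookie arriving from a different context is treated
        as a suspected replay: the session is revoked and an alert raised."""
        s = self.sessions.get(cookie)
        if s is None:
            return None, False
        if not hmac.compare_digest(s.fingerprint, self.fingerprint(client)):
            del self.sessions[cookie]
            return None, True
        return s.user, False


def replay_demo() -> Dict[str, Tuple[Optional[str], bool]]:
    """The victim logs in from her Mac; an attacker replays the stolen cookie
    from another host. Returns the outcome of each check."""
    store = SessionStore()
    victim = Client("203.0.113.5", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14)")
    attacker = Client("198.51.100.7", "python-requests/2.21.0")
    cookie = store.login("alice", "correct-horse-battery", victim)
    assert cookie is not None
    return {
        "naive_attacker": store.request_naive(cookie, attacker),    # accepted, no alert
        "bound_victim": store.request_bound(cookie, victim),        # accepted
        "bound_attacker": store.request_bound(cookie, attacker),    # rejected, alert
        "bound_victim_after": store.request_bound(cookie, victim),  # rejected: revoked
    }


if __name__ == "__main__":
    for name, outcome in replay_demo().items():
        print(f"{name:20s} -> {outcome}")
```

The naive path is how most sites behave: the stolen cookie is accepted from the attacker’s host and nothing is logged as anomalous. Binding sessions to client context is a coarse signal with real false positives (mobile carriers and corporate proxies change source addresses), so in practice it feeds a risk score and a step-up authentication prompt rather than a hard block. Note also that the `Secure` and `HttpOnly` cookie attributes do nothing against this class of malware, which reads the cookie store from disk rather than from a web page; short session lifetimes and re-authentication before withdrawals are the controls that limit the damage.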
CookieMiner gives its operators all three pieces at once, login credentials, web cookies and text messages, which is enough to enter the victims’ exchange accounts and drain their crypto holdings.
Draining accounts in this way is likely far more profitable for the attackers than the mining component, which only earns whatever the victim’s CPU can produce.
Unit 42 also raises the possibility that attackers could use stolen account balances to manipulate crypto prices through large-volume buying and selling, for additional profit.