A new malware threat that steals cryptocurrency on Macs and then uses their resources to mine for more has been identified by security research firm Palo Alto Networks. The threat, which has been named CookieMiner, intercepts browser cookies set by popular cryptocurrency exchanges and wallets, and can also steal passwords stored by Google Chrome. It can even go through iPhone backup files saved on a Mac and scan through a user’s text messages. Unit 42, the threat intelligence division of Palo Alto Networks which discovered the threat, believes that this could help the malware authors bypass a user’s two-factor security protections.
CookieMiner is believed to be based on a known malware called OSX.DarthMiner, which was documented by MalwareBytes in December 2018. Attackers who gain access to a user’s Chrome passwords, cookies and text messages could simply log in to their victims’ cryptocurrency wallets or exchanges and transfer all the money to themselves.
Browser cookies can potentially be used to trick a Web service into thinking it is being accessed from a previously trusted device, in theory reducing the likelihood that a second authentication factor will be asked for.
To add insult to injury, the CookieMiner malware also starts mining new cryptocurrency for the attackers using the resources of infected Macs. According to Unit 42’s blog post detailing the threat, the miner tries generating a niche privacy-focused cryptocurrency called Koto that is used in Japan. Interestingly, Unit 42’s research suggests that the malware authors tried to cover up this fact and appear as though they want to mine the more popular Monero cryptocurrency.
While CookieMiner can steal passwords (and saved credit card information) only from Google Chrome, it can also access cookies stored by Apple’s Safari browser. It drops a backdoor known as EmPyre on infected Macs to allow the attackers to maintain control remotely. When mining the Koto cryptocurrency, it uses an algorithm targeted more at a computer’s CPU than its GPU, as relatively few infected Macs are likely to have powerful discrete GPUs.
The blog post disclosing this discovery does not point to where or how the CookieMiner malware might have originated, how widespread it is, or how it infects new Macs. Anyone dealing with cryptocurrency or other sensitive financial information should take precautions such as not relying on automatic password vaults and running periodic malware checks.