Malware targets Mac users to steal cryptocurrency exchanges’ cookies

Mac malware

Image: paloaltonetworks

According to the latest analysis released by Palo Alto Networks’ Unit 42, the CookieMiner malware is built specifically to steal data related to various cryptocurrency exchanges from the Mac platform. The stolen data is mainly the key material an attacker needs to take the user’s cryptocurrency, although it is not yet known whether any users have actually had funds stolen. Mac users who trade cryptocurrency should nonetheless be vigilant, since this attack may be able to bypass multi-factor authentication.

Image: paloaltonetworks

Unlike much malware that uses a keylogger to capture account passwords, the newly discovered malware mainly steals the user’s cookie data. After a user logs in to a cryptocurrency exchange, the browser keeps the cookies locally; once the attacker obtains them, they can log in to each exchange directly. In other words, the attacker can bypass the exchange’s password login and even Google 2-step verification. This makes the attack particularly harmful to the user.

A rundown of CookieMiner’s behaviours (discussed in more detail in the following sections):

  • Steals Google Chrome and Apple Safari browser cookies from the victim’s machine
  • Steals saved usernames and passwords in Chrome
  • Steals saved credit card credentials in Chrome
  • Steals iPhone’s text messages if backed up to Mac
  • Steals cryptocurrency wallet data and keys
  • Keeps full control of the victim using the EmPyre backdoor
  • Mines cryptocurrency on the victim’s machine

To maximise profit, this Mac-based malware also installs mining software, which mainly mines a cryptocurrency called Koto. Koto is not widely used and is mostly used in Japan, so it is unclear whether the attacker behind it is Japanese. Judging by the scale of infection, not many users have been hit by this malware, but Mac users should still be reminded to beware of malware attacks.