This article was published on January 31, 2019

New macOS malware steals your cookies to swipe your cryptocurrency

I never liked the Cookie Monster

New macOS malware steals your cookies to swipe your cryptocurrency
Matthew Beedham
Story by

Matthew Beedham

Editor, SHIFT by TNW

Matthew is the editor of SHIFT. He likes electric cars, and other things with wheels, wings, or hulls. Matthew is the editor of SHIFT. He likes electric cars, and other things with wheels, wings, or hulls.

Update 08:12 UTC, February 1: Original reporting placed MyEtherWallet alongside the affected cryptocurrency exchange services. MyEtherWallet is not a true exchange, it is an interface service for the Ethereum blockchain. MyEtherWallet contacted Hard Fork to clarify that it doesn’t use cookies so won’t be affected by CookieMiner in that sense, however, if you save your passwords in Chrome you may still be vulnerable.

Security researchers from Palo Alto Networks’ Unit 42 have identified a new cryptocurrency stealing malware. What has been dubbed as “CookieMiner,” specifically targets Mac users and the cookies related to their logon credentials for cryptocurrency exchanges like Coinbase, Binance, Poloniex, Bittrex, Bitstamp, and Ethereum blockchain service, MyEtherWallet.

There be gold in them cookies

The new malware was uncovered after examining the infamous OSX.DarthMiner which surfaced late last year.

“It sparked our interest as it was a new variant with additional functionality,” Jen Miller-Osborn, deputy director of threat intelligence at Unit 42, told Hard Fork.

It also attempts to steal passwords saved in Chrome, and text messages stored in iTunes backups. When all this information is in the hands of attackers, it’s quite easy for them to steal cryptocurrency from the victim’s exchange accounts.

Having a person’s login credentials usually isn’t enough to gain access to their account if they have 2FA enabled. However, if the hacker has their authentication cookies too, they can use these to make the login attempt appear as if it’s connected to a previously verified session. If so, the website won’t ask for the login attempt to be authenticated.

According to Miller-Osborn, this attack is indicative of old-school malware methods being tweaked for success in the cryptocurrency space.

“There are a lot of coinminers and other malware in the wild and targeting credentials or cookies stored in browsers is not new,” Miller-Osborn added. “Targeting all of these with apparent focus on gaining access to cryptocurrency exchanges and trying to avoid [multi-factor authentication] protections is newer.”

Sneaky sneaky

That’s not all. The malware also installs some coin mining software that uses the victim’s system to mine cryptocurrency without them knowing.

The crypto-jacking software, on the surface, takes a similar form to the XMRIG coin miner which usually mines Monero. But in this case, the miner is configured to mine Koto, a small-time Japanese cryptocurrency. Although Miller-Osborn clarified, “[t]here isn’t enough data to point to who is behind this or where they are located.”

Perhaps Koto was chosen as it’s a privacy coin and can be used to cover the attacker’s tracks. The fact it has ties with Japan might just be something else to try to throw digital forensic researchers off the trail.

Having your cryptocurrency stolen because of some purloined cookies can be avoided.

Miller-Osborn urges people to avoid ever saving credentials or credit card information within their browsers, as it’s a common attack vector for malware like this.

“They should also clear web browser caches regularly, particularly after logging into financial or other sensitive accounts. It’s quick and ensures the data is not within web browsers to steal,” she advised.

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with