Palo Alto Networks: Mac malware steals your cryptocurrency exchange cookies

Palo Alto Networks’ Unit 42 security division recently discovered malware that targets the Mac platform and enables hackers to steal browser cookies, or login credentials, associated with mainstream cryptocurrency exchanges and wallet service websites.

The malware, from OSX.DarthMiner, also steals saved passwords in Chrome, and it attempts to steal iPhone text messages from iTunes backups on the tethered Mac. The Unit 42 blog post was written by researchers Yue Chen, Cong Zheng, Wenjun Hu, and Zhi Xu. Theft of cryptocurrency wallets has been a big problem in the industry, as industry veterans like Michael Terpin can attest.

Based on similar past attacks, Unit 42 believes that leveraging the combination of stolen login credentials, web cookies, and SMS (text message) data could allow bad actors to bypass multi-factor authentication (which requires more than just entering a password to log into a site or app) for these sites.

If successful, attackers would have full access to the victim’s cryptocurrency exchange account and/or wallet and be able to use those funds as if they were the user themselves.

The malware also configures the system to load coinmining software on the system. This software is made to look like an XMRIG-type coinminer, which is used to mine the cryptocurrency Monero. In fact, it loads a coinminer that mines Koto, a lesser-known cryptocurrency associated with Japan.

Above: Unit 42’s data on the code used to steal web cookies.

Image Credit: Unit 42

Because of the way it attacks the cookies associated with exchanges, the Palo Alto Networks researchers have named this malware CookieMiner.

Web cookies are widely used for authentication. Once a user logs into a website, cookies are stored so the web server knows the individual’s login status. If the cookies are stolen, an attacker could potentially sign into the website to use the victim’s account. Stealing cookies is an important step to bypassing login anomaly detection.

If only the username and password are stolen and used by a bad actor, the website may issue an alert or request additional authentication for a new login. But if an authentication cookie is provided along with the username and password, the website might believe the session is associated with a previously authenticated system host and not issue an alert or request additional authentication methods.

A cryptocurrency exchange is a place to trade cryptocurrencies for other assets, such as other digital (crypto)currencies or conventional fiat money. Most modern cryptocurrency exchanges and online wallet services have multi-factor authentication.

CookieMiner tries to navigate past the authentication process by stealing a combination of the login credentials, text messages, and web cookies. If the bad actors successfully enter the websites using the victim’s identity, they can perform fund withdrawals. This may be a more efficient way to generate profits than outright cryptocurrency mining. Furthermore, attackers could manipulate the cryptocurrency prices with large-volume buying and/or selling of stolen assets, resulting in additional profits.

Here’s a rundown of CookieMiner’s behaviors:

• Steals Google Chrome and Apple Safari browser cookies from the victim’s machine
• Steals saved usernames and passwords in Chrome
• Steals saved credit card credentials in Chrome
• Steals iPhone’s text messages if backed up to Mac
• Steals cryptocurrency wallet data and keys
• Keeps full control of the victim using the EmPyre backdoor
• Mines cryptocurrency on the victim’s machine

The researchers concluded that cryptocurrency owners should keep an eye on their security settings and digital assets to prevent compromise and leakage.

Customers of Palo Alto Networks are protected by WildFire, which is able to automatically detect the malware. AutoFocus users can track this activity by using the StealCookie tag.