Malware can bypass multi-factor authentication to gain access to cryptocurrency wallets – and also drops mining malware on infected machines.
Mac users are being targeted with newly discovered Mac malware that aims to steal the contents of cryptocurrency wallets.
Dubbed CookieMiner by researchers because of its capability for stealing browser cookies associated with cryptocurrency exchanges and wallet service websites visited by the victim, the malware has been uncovered by Palo Alto Networks.
In addition to stealing and trading the contents of cryptocurrency wallets, CookieMiner also plants a cryptojacker onto the infected OSX machine, enabling the attackers to secretly mine for additional digital currency. In this instance, it’s Koto, a lesser-known cryptocurrency that offers users anonymity. It’s mostly used in Japan.
It’s still unknown how the newly detected malware gains access to systems, but once there, CookieMiner examines browser cookies with links to cryptocurrency exchanges and websites that reference blockchain. Exchanges targeted include Binance, Coinbase, Poloniex, Bittrex, Bitstamp, and MyEtherWallet.
Using a Shellscript, it steals Google Chrome and Apple Safari browser cookies from the victim’s machine, uploading them to a folder on a remote server. By doing this, it can extract the required login credentials and the cookies required to make it look as if the new login attempt is coming from a machine previously used by the victim — therefore preventing it from looking suspect.
“What it wants to do in combination with credentials which it’s harvested is impersonate that user from their own system,” Alex Hinchliffe, threat intelligence analyst at Palo Alto Networks’ Unit 42 research division told ZDNet. “So they use the cookies to try and get past that initial login without suspicion.”
It isn’t just the victim’s Mac that is targeted by CookieMiner — if the victim has used iTunes to sync their Mac with their iPhone, the malware can also access text messages. This potentially allows the attackers to steal login codes and other messages that they can abuse to bypass any two-factor authentication the users have applied to their cryptocurrency accounts.
Once the attackers have access to the wallets, they have all the same privileges as the user, which they can use to steal the contents of the wallet. It’s also possible that the attackers could game the system, trading large amounts of cryptocurrency in an effort to boost valuations for their own ends.
“If the adversary gets access to someone’s account on the exchange, they can buy and sell cryptocurrency. Buying and selling a lot could change the price of the cryptocurrency, in which case they can use it to profit,” said Hinchliffe.
The attack isn’t over after the adversaries are done using the wallets — they drop a cryptocurrency miner that appears to be highly active, ranking as the top miner for Koto.
Filenames associated with the wallet reference xmrig, something usually used by Monero miners, but it’s thought that the attackers have employed this with their Koto scheme in order to generate confusion.
CookieMiner also drops a script for persistence and remote control of the infected machine, allowing them to check-in on the machine and send commands — although all of this currently appears to be related to mining. It’s believed that the cyber criminal campaign is still active and researchers recommend that cryptocurrency owners should keep an eye on their security settings and digital assets to prevent compromise and leakage.