New macOS malware steals your cookies to swipe your cryptocurrency

Security researchers from Palo Alto Networks’ Unit 42 have identified a new cryptocurrency stealing malware. What has been dubbed as “CookieMiner,” specifically targets Mac users and the cookies related to their logon credentials for cryptocurrency exchanges like Coinbase, Binance, Poloniex, Bittrex, Bitstamp, and MyEtherWallet.

There be gold in them cookies

The new malware was uncovered after examining the infamous OSX.DarthMiner which surfaced late last year.

“It sparked our interest as it was a new variant with additional functionality,” Jen Miller-Osborn, deputy director of threat intelligence at Unit 42, told Hard Fork.

It also attempts to steal passwords saved in Chrome, and text messages stored in iTunes backups. When all this information is in the hands of attackers, it’s quite easy for them to steal cryptocurrency from the victim’s exchange accounts.

Having a person’s login credentials usually isn’t enough to gain access to their account if they have 2FA enabled. However, if the hacker has their authentication cookies too, they can use these to make the login attempt appear as if it’s connected to a previously verified session. If so, the website won’t ask for the login attempt to be authenticated.

According to Miller-Osborn, this attack is indicative of old-school malware methods being tweaked for success in the cryptocurrency space.

“There are a lot of coinminers and other malware in the wild and targeting credentials or cookies stored in browsers is not new,” Miller-Osborn added. “Targeting all of these with apparent focus on gaining access to cryptocurrency exchanges and trying to avoid [multi-factor authentication] protections is newer.”

Sneaky sneaky

That’s not all. The malware also installs some coin mining software that uses the victim’s system to mine cryptocurrency without them knowing.

The crypto-jacking software, on the surface, takes a similar form to the XMRIG coin miner which usually mines Monero. But in this case, the miner is configured to mine Koto, a small-time Japanese cryptocurrency. Although Miller-Osborn clarified, “[t]here isn’t enough data to point to who is behind this or where they are located.”

Perhaps Koto was chosen as it’s a privacy coin and can be used to cover the attacker’s tracks. The fact it has ties with Japan might just be something else to try to throw digital forensic researchers off the trail.

Having your cryptocurrency stolen because of some purloined cookies can be avoided.

Miller-Osborn urges people to avoid ever saving credentials or credit card information within their browsers, as it’s a common attack vector for malware like this.

“They should also clear web browser caches regularly, particularly after logging into financial or other sensitive accounts. It’s quick and ensures the data is not within web browsers to steal,” she advised.

Published January 31, 2019 — 14:00 UTC

Read More

Did you like this?
Tip Cryptos UK with Cryptocurrency

Donate Bitcoin to Cryptos UK

Scan to Donate Bitcoin to Cryptos UK
Scan the QR code or copy the address below into your wallet to send some bitcoin:

Donate Bitcoin Cash to Cryptos UK

Scan to Donate Bitcoin Cash to Cryptos UK
Scan the QR code or copy the address below into your wallet to send bitcoin:

Donate Ethereum to Cryptos UK

Scan to Donate Ethereum to Cryptos UK
Scan the QR code or copy the address below into your wallet to send some Ether:

Donate Litecoin to Cryptos UK

Scan to Donate Litecoin to Cryptos UK
Scan the QR code or copy the address below into your wallet to send some Litecoin:

Donate Monero to Cryptos UK

Scan to Donate Monero to Cryptos UK
Scan the QR code or copy the address below into your wallet to send some Monero:

Donate ZCash to Cryptos UK

Scan to Donate ZCash to Cryptos UK
Scan the QR code or copy the address below into your wallet to send some ZCash:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.