Researchers have discovered a new malware used to steal saved passwords and credit card details from browsers. In addition, it can pilfer iPhone text messages from iTunes backups. Above all, it steals cryptocurrency exchange cookies from the browser, because of the aforementioned it has received the name “CookieMiner”. Researchers believe that its devastating traits will empower an attacker to bypass multi factor authentication.
CookieMiner Malware Is Geared Up To Trouble Mac Users
Researchers at Palo Alto Networks have discovered new malware that particularly targets Mac users. The malware, which they named CookieMiner, primarily targets browser cookies associated with cryptocurrency exchanges and wallet services. Moreover, it also steals other sensitive information saved with browsers like Chrome and Apple Safari including saved credentials and credit card details.
The malware uses various scripts for the malicious purposes listed below. Moreover, to retain a robust remote connection to the victim’s machine, the malware also downloads a base64-encoded Python script, EmPyre. As described by the researchers in their report,
“EmPyre is a Python post-exploitation agent built on cryptologically-secure communications and a flexible architecture.”
This script downloaded from hxxps://ptpb[.]pw/OAZG enables the attacker to send remote commands. It also scans the device for the presence of firewall app Little Snitch – if detected, the malware will “stop and exit”.
Threatening Crypto Owners And Cryptojacking
As revealed, the malware begins its attack with a shell script to steal browser cookies. Specifically, it copies cookies from the browser to a folder on a remote server (46.226.108[.]171:8000). It then targets the cookies associated with popular cryptocurrency exchanges such as Binance, MyEtherWallet, Bittrex, Poloniex, Coinbase, and Bitstamp. It also scans for domains having the word “blockchain” to target those websites.
In addition to stealing cookies, the malware simultaneously installs a cryptominer on the victim’s device that seamlessly works with CPUs (instead of GPUs). The aim is to mine Koto – a Zcash-based anonymous cryptocurrency.
Stealing Payment Information From The Browser
CookieMiner not only targets crypto websites’ cookies, but also steals other information. As explained by the researchers,
“CookieMiner downloads a Python script named “harmlesslittlecode.py” to extract saved login credentials and credit card information from Chrome’s local data storage. CookieMiner adopts techniques from the Google Chromium project’s code for its decryption and extraction operations and abuses them.”
The malware copies all wallet-related file paths to the remote server which may also let it steal wallets’ private keys. Through the same route, it may also allow the attackers to extract users’ iPhone text messages backed-up on iTunes.
Multi-Factor Authentication Bypass
The researchers fear that the ability to steal cookies would let CookieMiner bypass multi-factor authentication. Cookies usually help websites in login authentication. If an attacker merely steals login credentials, the websites may alert users about anomalous login attempts. If the user employs multi-factor authentication, the website may also ask for login authentication. But, if the attacker possesses cookies, it becomes easy to ditch a website.
“If an authentication cookie is also provided along with the username and password, the website might believe the session is associated with a previously authenticated system host and not issue an alert or request additional authentication methods.”
Since most crypto exchanges employ multi-factor authentication, this malware would help the attackers gain access to users’ accounts, withdraw funds, or manipulate cryptocurrency rates.
What Should You Do?
Since the mode of entry for CookieMiner isn’t specified, it may not be easy to prevent this malware from infecting a device at once. For now, the researchers advise all cryptocurrency owners to vigilantly monitor their digital assets.
“Cryptocurrency owners should keep an eye on their security settings and digital assets to prevent compromise and leakage.”
Take your time to comment on this article.