New 'CookieMiner' malware aims to steal cryptocurrency logins from Mac owners
Newly-discovered Mac malware is geared toward stealing browser cookies for cryptocurrency exchanges such as Coinbase and Bittrex, security researchers say.
The code is based on "OSX.DarthMiner," uncovered in late 2018, members of Palo Alto Networks' Unit 42 reported on Thursday. Some other targeted exchanges include the likes of Binance, Poloniex, Bitstamp, and MyEtherWallet.
It also attempts to steal text messages from iTunes backups, and passwords and credit cards saved in Chrome -- but not in Safari. In some cases the combination of data could even let attackers bypass two-factor authentication at cryptocurrency sites, normally a strong deterrent.
Compounding problems, the new malware -- nicknamed "CookieMiner" -- will install covert coin mining software that consumes a Mac's system resources. The app is apparently geared toward mining "Koto," a privacy-oriented Japanese cryptocurrency.
CookieMiner's creators can execute remote controls, and the code is smart enough to check if Objective Development's Little Snitch firewall app is active, halting the remote access agent to avoid detection.
Customers of Palo Alto Networks' WildFire technology are already protected from the threat. It's not certain whether Apple has been alerted or taken action.
In the interim, Mac users concerned about this vector of attack may want to keep credentials in the Keychain rather than directly in a browser, and/or scrub browser caches on a regular basis.
Comments
Admittedly, it's overkill and it doesn't even guarantee safety, but increases the odds...
My financial planner recommends having a separate computer like you do as being the most secure. Ditto not using public WiFi. Not everyone has the resources to buy a separate computer just for financial stuff, though.
I don't go that far, but I do use a VPN and private browsing. If you're out in public, using your phone as a hot spot is far more secure than any public hot spot.
"Researchers are not certain how victims are first infected by the shell script, but they suspect victims download a malicious program from a third-party store.
Once downloaded, the shell script copies the Safari browsers’ cookies to a folder and uploads the folder to a remote server.
The attack targets cookies associated with cryptocurrency exchanges that include Binance, Coinbase, Poloniex, Bittrex, Bitstamp, MyEtherWallet and any website having “blockchain” in its domain name, researchers said..."
"...if the victim has used iTunes to sync their Mac with their iPhone, the malware can also access text messages. This potentially allows the attackers to steal login codes and other messages that they can abuse to bypass any two-factor authentication the users have applied to their cryptocurrency accounts."
"But that’s not all: The malware also performs an array of malicious functions when downloaded on victims’ systems. That includes stealing username, password and credit-card credentials in Chrome..."
The AI article might not have properly explained it. Writing "but not in Safari" could leave the wrong impression, that simply avoiding Chrome solves it.
But for those who don't want to do all that -- I would at least suggest setting up 3 user accounts on their general purpose computer:
-- a passworded admin account that is only used for administering the machine
-- a regular user account for general work
-- a passworded second regular (non-admin) account for financial stuff.
That isn't as secure as a totally separate machine, but it will make the data thieves work a little harder to steal your stuff.
Also, the part about reading the iTunes backup is probably misleading. If you use iTunes backup with the encryption option turned on, they almost certainly cannot read the text messages in the backup. But, no article I've seen about this malware points that out.
That indicates three possibilities:
1) The authors (including the security researchers) don't know about that feature of doing iTunes backups, which seems pretty ignorant; or
2) They know about that feature, but didn't think it was relevant to take this opportunity to help their readers be more secure; or
3) They know about that feature, but doing anything that helps a reader protect themselves without buying some security company's software goes against the intention of all the authors/researchers involved.
Based on most online writing about malware I've seen, I'm betting on #3, although the other two possibilities also seem reasonably likely. There is just a lot of sloppiness, hand-waving, scare-mongering, and ignorance out there. It's hard to dig through the verbose garbage to pick out what a typical user needs to know about any malware threat.
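The commenter's point about encrypted iTunes backups can be checked on your own Mac. This is an added example, not from the article, Unit 42 or any commenter; it assumes the standard backup location under ~/Library/Application Support/MobileSync/Backup and that each backup's Manifest.plist carries a boolean IsEncrypted key, and it builds a constructed sample tree so it also runs stand-alone off a Mac.

```python
from __future__ import annotations
import plistlib
import tempfile
from pathlib import Path

# Assumed default location of iTunes/Finder device backups on macOS.
DEFAULT_BACKUP_ROOT = Path.home() / "Library/Application Support/MobileSync/Backup"

def backup_is_encrypted(manifest_path: Path) -> bool:
    """True if Manifest.plist (assumed boolean key 'IsEncrypted') marks the backup encrypted."""
    # A missing or unreadable manifest counts as NOT encrypted: a false alarm beats a silent miss.
    try:
        with manifest_path.open("rb") as fh:
            manifest = plistlib.load(fh)
    except (OSError, ValueError):  # no such file, or not a plist
        return False
    return bool(manifest.get("IsEncrypted", False))

def audit_backups(root: Path) -> dict[str, bool]:
    """Map each backup folder name (device UDID) under root to its encryption state."""
    if not root.is_dir():
        return {}
    return {d.name: backup_is_encrypted(d / "Manifest.plist")
            for d in sorted(p for p in root.iterdir() if p.is_dir())}

def unencrypted_backups(root: Path) -> list[str]:
    """Backups whose synced messages are readable by anything running as the logged-in user."""
    return [udid for udid, enc in audit_backups(root).items() if not enc]

def build_sample_tree() -> Path:
    """Constructed sample data: one encrypted backup, one plaintext, one with no manifest."""
    root = Path(tempfile.mkdtemp(prefix="backup-audit-"))
    for name, manifest in (("AAAA-encrypted", {"IsEncrypted": True, "Version": "10.0"}),
                           ("BBBB-plain", {"IsEncrypted": False, "Version": "10.0"}),
                           ("CCCC-nomanifest", None)):
        (root / name).mkdir()
        if manifest is not None:
            with (root / name / "Manifest.plist").open("wb") as fh:
                plistlib.dump(manifest, fh)
    return root

if __name__ == "__main__":
    root = DEFAULT_BACKUP_ROOT if DEFAULT_BACKUP_ROOT.is_dir() else build_sample_tree()
    for udid, enc in audit_backups(root).items():
        print(f"{udid}: {'encrypted' if enc else 'NOT encrypted'}")
```

Any backup reported as NOT encrypted should be re-created with the "Encrypt local backup" option turned on, which is the setting the commenter refers to.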