New 'CookieMiner' malware aims to steal cryptocurrency logins from Mac owners

Posted in macOS
Newly discovered Mac malware is geared toward stealing browser cookies for cryptocurrency exchanges such as Coinbase and Bittrex, security researchers say.

Coinbase on iPhone

The code is based on "OSX.DarthMiner," uncovered in late 2018, members of Palo Alto Networks' Unit 42 reported on Thursday. Some other targeted exchanges include the likes of Binance, Poloniex, Bitstamp, and MyEtherWallet.

It also attempts to steal text messages from iTunes backups, and passwords and credit cards saved in Chrome -- but not in Safari. In some cases the combination of data could even let attackers bypass two-factor authentication at cryptocurrency sites, normally a strong deterrent.

Compounding problems, the new malware -- nicknamed "CookieMiner" -- will install covert coin mining software that consumes a Mac's system resources. The app is apparently geared toward mining "Koto," a privacy-oriented Japanese cryptocurrency.

CookieMiner's operators can issue remote commands, and the code checks whether Objective Development's Little Snitch firewall app is active, halting its remote-access agent when it is in order to avoid detection.

Customers of Palo Alto Networks' WildFire technology are already protected from the threat. It's not certain whether Apple has been alerted or taken action.

In the interim, Mac users concerned about this attack vector may want to keep credentials in the Keychain rather than saving them directly in a browser, and/or scrub browser caches on a regular basis.

Comments

  • Reply 1 of 9
    It also attempts to steal text messages from iTunes backups, and passwords and credit cards saved in Chrome —but not in Safari. In some cases the combination of data could even let attackers bypass two-factor authentication at cryptocurrency sites, normally a strong deterrent.

    So this is a Chrome issue then? Not mac OS?
  • Reply 2 of 9
    Little iSnitch is quite interesting.
  • Reply 3 of 9
    I know this is trivial but that headline image of an iPhone leading into a macOS article seems wrong to me. 
  • Reply 4 of 9
    GeorgeBMac (5,314 posts, member)
    This is why I maintain a completely separate financial computer that ONLY does finances and ONLY accesses known financial sites that I do business with. In addition to using InPrivate browsing I delete all cookies after each use and never store IDs or passwords on the machine. It also uses ethernet instead of WiFi to avoid the chance of a random Google mapping car scooping up my WiFi data.

    Admittedly, it's overkill and it doesn't even guarantee safety, but increases the odds...
  • Reply 5 of 9
    Jeeze! That sounds nasty.
  • Reply 6 of 9
    MplsP (1,739 posts, member)
    Pretty smart way to steal money. Since cryptocurrency is designed to be untraceable, the theft should be, too.

    GeorgeBMac said:
    This is why I maintain a completely separate financial computer that ONLY does finances and ONLY accesses known financial sites that I do business with. In addition to using InPrivate browsing I delete all cookies after each use and never store IDs or passwords on the machine. It also uses ethernet instead of WiFi to avoid the chance of a random Google mapping car scooping up my WiFi data.

    Admittedly, it's overkill and it doesn't even guarantee safety, but increases the odds...

    My financial planner recommends having a separate computer like you do as being the most secure. Ditto not using public WiFi. Not everyone has the resources to buy a separate computer just for financial stuff, though. 

    I don't go that far, but I do use a VPN and private browsing. If you're out in public, using your phone as a hot spot is far more secure than any public hot spot.
  • Reply 7 of 9
    gatorguy (21,305 posts, member)
    jmey267 said:
    It also attempts to steal text messages from iTunes backups, and passwords and credit cards saved in Chrome —but not in Safari. In some cases the combination of data could even let attackers bypass two-factor authentication at cryptocurrency sites, normally a strong deterrent.

    So this is a Chrome issue then? Not mac OS?

    "Researchers are not certain how victims are first infected by the shell script, but they suspect victims download a malicious program from a third-party store.

    Once downloaded, the shell script copies the Safari browsers’ cookies to a folder and uploads the folder to a remote server.

    The attack targets cookies associated with cryptocurrency exchanges that include Binance, Coinbase, Poloniex, Bittrex, Bitstamp, MyEtherWallet and any website having “blockchain” in its domain name, researchers said..."

    "...if the victim has used iTunes to sync their Mac with their iPhone, the malware can also access text messages. This potentially allows the attackers to steal login codes and other messages that they can abuse to bypass any two-factor authentication the users have applied to their cryptocurrency accounts."

    "But that’s not all: The malware also performs an array of malicious functions when downloaded on victims’ systems. That includes stealing username, password and credit-card credentials in Chrome..."

    The AI article might not have properly explained it. Writing "but not in Safari" could leave the wrong impression, that simply avoiding Chrome solves it. 

    edited January 31
  • Reply 8 of 9
    GeorgeBMac (5,314 posts, member)
    MplsP said:
    Pretty smart way to steal money. Since cryptocurrency is designed to be untraceable, the theft should be, too.

    This is why I maintain a completely separate financial computer that ONLY does finances and ONLY accesses known financial sites that I do business with. In addition to using InPrivate browsing I delete all cookies after each use and never store IDs or passwords on the machine. It also uses ethernet instead of WiFi to avoid the chance of a random Google mapping car scooping up my WiFi data.

    Admittedly, it's overkill and it doesn't even guarantee safety, but increases the odds...

    My financial planner recommends having a separate computer like you do as being the most secure. Ditto not using public WiFi. Not everyone has the resources to buy a separate computer just for financial stuff, though. 

    I don't go that far, but I do use a VPN and private browsing. If you're out in public, using your phone as a hot spot is far more secure than any public hot spot.

    I bought it used about 5-6 years ago for about $150. I added a battery, a 2nd (backup) hard drive and some memory to it -- all for about another $150. So, it's not too bad cost-wise. But then I enjoy playing with computers -- so it was as much a hobby as an investment. (At this point it's about 12 years old but still runs like a champ. I keep getting the itch to upgrade -- but, since a new one won't do any better than this one, I just can't justify it.)

    But for those who don't want to do all that -- I would at least suggest setting up 3 user accounts on their general purpose computer:  
    -- a passworded admin account that is only used for administering the machine
    -- a regular user account for general work
    -- a passworded second regular (non-admin) account for financial stuff.

    That isn't as secure as a totally separate machine, but it will make the data thieves work a little harder to steal your stuff.
  • Reply 9 of 9
    "...if the victim has used iTunes to sync their Mac with their iPhone, the malware can also access text messages. This potentially allows the attackers to steal login codes and other messages that they can abuse to bypass any two-factor authentication the users have applied to their cryptocurrency accounts."

    Also, the part about reading the iTunes backup is probably misleading. If you use iTunes backup with the encryption option turned on, they almost certainly cannot read the text messages in the backup. But, no article I've seen about this malware points that out. 

    That indicates three possibilities: 

    1) The authors (including the security researchers) don't know about that feature of doing iTunes backups, which seems pretty ignorant; or 

    2) They know about that feature, but didn't think it was relevant to take this opportunity to help their readers be more secure; or 

    3) They know about that feature, but doing anything that helps a reader protect themselves without buying some security company's software goes against the intention of all the authors/researchers involved. 

    Based on most online writing about malware I've seen, I'm betting on #3, although the other two possibilities also seem reasonably likely. There is just a lot of sloppiness, hand-waving, scare-mongering, and ignorance out there. It's hard to dig through the verbose garbage to pick out what a typical user needs to know about any malware threat. 
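The commenter's point above is that an encrypted local backup keeps the SMS database (and the 2FA codes in it) out of reach of a cookie/data-stealing script. The following audit script is an added example, not code from the article or any commenter: it walks the MobileSync backup root, reads each backup's Manifest.plist and reports which backups were made without the "Encrypt local backup" option. It assumes the standard layout of one directory per device UDID, each holding a Manifest.plist with a top-level IsEncrypted boolean; the sample backup directories it builds are constructed for the demonstration.

```python
"""Report which local iOS backups on this Mac are unencrypted (added example)."""
import os
import plistlib
import tempfile

# Assumption: default location of iTunes/Finder device backups on macOS.
DEFAULT_ROOT = os.path.expanduser("~/Library/Application Support/MobileSync/Backup")


def backup_is_encrypted(backup_dir):
    """Return the IsEncrypted flag of one backup, or None if it has no manifest."""
    manifest = os.path.join(backup_dir, "Manifest.plist")
    if not os.path.isfile(manifest):
        return None
    with open(manifest, "rb") as fh:          # plistlib handles XML and binary plists
        data = plistlib.load(fh)
    return bool(data.get("IsEncrypted", False))


def audit_backups(root=DEFAULT_ROOT):
    """Map each backup directory name (the device UDID) to its encryption state."""
    if not os.path.isdir(root):
        return {}
    result = {}
    for name in sorted(os.listdir(root)):
        state = backup_is_encrypted(os.path.join(root, name))
        if state is not None:                 # skip stray files without a manifest
            result[name] = state
    return result


def unencrypted_backups(root=DEFAULT_ROOT):
    """Names of backups whose on-disk SMS database would be readable by malware."""
    return [name for name, enc in audit_backups(root).items() if not enc]


def make_sample_root():
    """Constructed sample: two fake backups, one encrypted and one plain."""
    root = tempfile.mkdtemp(prefix="mobilesync-sample-")
    for udid, enc in (("SAMPLE-UDID-ENCRYPTED", True), ("SAMPLE-UDID-PLAIN", False)):
        os.makedirs(os.path.join(root, udid))
        with open(os.path.join(root, udid, "Manifest.plist"), "wb") as fh:
            plistlib.dump({"IsEncrypted": enc, "Version": "10.0"}, fh)
    return root


if __name__ == "__main__":
    for udid, enc in audit_backups().items():
        print(udid, "encrypted" if enc else "UNENCRYPTED")
```

Run it without arguments on a Mac to check the real backup folder; any backup listed as UNENCRYPTED should be re-made with the encryption option enabled.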
