CookieMiner is high-risk malware that targets the Mac operating system. Once it has infiltrated a system, CookieMiner harvests personal data; its main purpose is to steal credentials for various accounts, mostly those relating to cryptocurrencies. The malware also opens a backdoor called EmPyre and injects a cryptocurrency mining tool into the system. The researchers who dubbed it CookieMiner note that it has a variety of weapons in its armory that could make it particularly worrisome for cryptocurrency investors.
According to security analysts Yue Chen, Cong Zheng, Wenjun Hu, and Zhi Xu, the macOS-based malware can steal browser cookies from users’ Google Chrome and Apple Safari browsers. Specifically, cookies associated with the following cryptocurrency exchanges are targeted:
- Any website with “blockchain” in its domain name (for instance, blockchain.com)
The cookies are grabbed from the infected user’s browser, zipped up and uploaded to a remote server under the criminals’ control. CookieMiner also downloads a Python script (called “harmlesslittlecode.py”) that can extract saved login credentials and credit card information from Google Chrome’s local data storage. According to the researchers, it does so by adopting decryption and extraction techniques from the code of Google Chromium, the open-source version of the Google Chrome browser. So beyond stealing cookies, CookieMiner has no qualms about raiding the Chrome browser for saved passwords and credit card details.
The malware’s capabilities include:
- Steals Google Chrome and Apple Safari browser cookies from the victim’s machine,
- Steals saved usernames and passwords in Chrome,
- Steals saved credit card credentials in Chrome,
- Steals the iPhone’s text messages if they are backed up to the Mac,
- Steals cryptocurrency wallet data and keys,
- Mines cryptocurrency on the victim’s machine, and
- Maintains control of the infected machine using the EmPyre backdoor.
Its ability to steal SMS data from iTunes backups creates the potential to bypass multi-factor authentication and impersonate the user from their own system.
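The capabilities above all reduce to one observable pattern on the endpoint: a process that is not the browser or Apple's backup tooling reading Chrome's cookie and credential databases, Safari's cookie jar, or the iTunes backup folder. The following detection logic is an added example written for this article, not code from the researchers or from the malware; the file-access events are constructed, and the store paths and legitimate owner processes are assumptions about a typical macOS install.

```python
import re

# Constructed macOS file-access events (sample data for this example, not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 501, "process": "Google Chrome", "cmdline": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"},
    {"pid": 777, "process": "Python", "cmdline": "python /tmp/harmlesslittlecode.py",
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"},
    {"pid": 778, "process": "zip", "cmdline": "zip -r /tmp/c.zip /Users/alice/Library/Cookies",
     "path": "/Users/alice/Library/Cookies/Cookies.binarycookies"},
    {"pid": 779, "process": "Python", "cmdline": "python /tmp/sms.py",
     "path": "/Users/alice/Library/Application Support/MobileSync/Backup/0000-UDID/Manifest.db"},
    {"pid": 780, "process": "Safari", "cmdline": "/Applications/Safari.app/Contents/MacOS/Safari",
     "path": "/Users/alice/Library/Cookies/Cookies.binarycookies"},
]

# Sensitive stores the article says CookieMiner raids, paired with the processes that
# legitimately own them. Paths and owner names are assumptions about a typical macOS install;
# Chrome keeps cookies in "Cookies", passwords in "Login Data" and card data in "Web Data".
SENSITIVE_STORES = [
    ("chrome_store", re.compile(r"/Google/Chrome/[^/]+/(Cookies|Login Data|Web Data)$"), {"Google Chrome"}),
    ("safari_cookies", re.compile(r"/Library/Cookies/Cookies\.binarycookies$"), {"Safari"}),
    ("itunes_backup", re.compile(r"/Library/Application Support/MobileSync/Backup/"), {"AppleMobileBackup", "Finder"}),
]
KNOWN_SCRIPT = "harmlesslittlecode.py"  # script name reported in the article


def detect_credential_store_access(events):
    """Return one finding per suspicious event: either the known script name appears in the
    command line, or a process that does not own a sensitive store is reading it."""
    findings = []
    for ev in events:
        if KNOWN_SCRIPT in ev["cmdline"]:
            findings.append({"pid": ev["pid"], "rule": "known_script", "process": ev["process"]})
        for name, pattern, owners in SENSITIVE_STORES:
            if pattern.search(ev["path"]) and ev["process"] not in owners:
                findings.append({"pid": ev["pid"], "rule": f"foreign_read:{name}", "process": ev["process"]})
    return findings


if __name__ == "__main__":
    for finding in detect_credential_store_access(SAMPLE_EVENTS):
        print(finding)
```

The browser and Safari reads (pids 501 and 780) produce no finding; the script launch, the zip of Safari's cookie jar and the read of the iTunes backup are each flagged, which is the sequence of behaviours the article describes.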