Tech-savvy business owners should be vigilant in light of a new threat identified in the cybersecurity landscape: CookieMiner, malware targeting Mac users that pilfers web browser cookies and credentials from cryptocurrency exchange accounts. This sophisticated malware, discovered by the Palo Alto Networks security research team, is specifically engineered to exploit vulnerabilities in macOS environments.

CookieMiner’s name derives from its functionality, as it effectively steals cookies associated with cryptocurrency exchanges. The malware is linked to DarthMiner, a previously identified macOS variant detected last December. CookieMiner does not just snatch user credentials; it also stealthily installs coin mining software on compromised Macs, utilizing system resources to mine less well-known cryptocurrencies, particularly Koto, which is mainly used in Japan.

The attack vector of CookieMiner is noteworthy. The malware specifically targets cookies from Google Chrome and Apple Safari, focusing on popular exchanges and wallet services, including Binance, Coinbase, and others. In addition to browser cookies, it captures saved usernames, passwords, and credit card information inside Chrome, as well as cryptocurrency wallet data and keys. Even more concerning, it can access iPhone text messages stored in iTunes backups, giving attackers a wealth of information.

Attackers may benefit from this extensive data collection by bypassing the two-factor authentication mechanisms typical of many exchange platforms: a stolen authentication cookie represents a session that has already passed the second factor. If stolen login credentials are combined with stolen authentication cookies, the risk of account compromise increases significantly. According to researchers, no successful theft of funds has been confirmed to date, but the malware's design suggests it is capable of precipitating such breaches.

In its operational framework, CookieMiner integrates the Python-based EmPyre backdoor, allowing remote control over infected machines. It has the capability to assess whether the Little Snitch application firewall is in use and will cease operations if it detects this layer of security. The specific method by which CookieMiner is delivered to victims remains unclear, although it is suspected that users are tricked into downloading infected software.

The implications of this threat resonate strongly within the business community, particularly for organizations involved in cryptocurrency. Palo Alto Networks has alerted relevant cryptocurrency exchanges, as well as Apple and Google, underscoring the seriousness of the threat. Given that CookieMiner remains active, effective preventive measures are critical. Business owners are advised to refrain from storing sensitive information in web browsers and to be cautious when downloading applications from untrusted sources.

To further mitigate risks, clearing cookies when accessing financial accounts and closely monitoring security settings can serve as additional protective steps.
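As an added illustration of the cookie-hygiene advice above (example code written for this page, not code from the article or from Palo Alto Networks), the following Python script audits, and optionally deletes, cookies scoped to cryptocurrency exchange domains in a Chrome-style `cookies` SQLite table. The table schema is a reduced subset of Chrome's real one and the rows are constructed sample data; running it against a real profile's Cookies file is an assumption about Chrome's on-disk layout and should only be done with the browser closed.

```python
import sqlite3
from typing import List, Tuple

# Exchange domains named in the article. Matching is by exact host or by
# subdomain, so "accounts.coinbase.com" matches but "notbinance.com" does not.
EXCHANGE_DOMAINS = ("binance.com", "coinbase.com")

# Reduced subset of Chrome's `cookies` table (constructed for this example;
# the real table has more columns and stores values encrypted).
SCHEMA = """
CREATE TABLE cookies (
    host_key TEXT NOT NULL,
    name TEXT NOT NULL,
    expires_utc INTEGER NOT NULL,
    is_persistent INTEGER NOT NULL
)
"""

def host_matches(host_key: str, domains=EXCHANGE_DOMAINS) -> bool:
    """Chrome stores domain-wide cookies with a leading dot (".binance.com")."""
    host = host_key.lstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def find_exchange_cookies(conn: sqlite3.Connection) -> List[Tuple[str, str, int]]:
    """Return (host_key, name, is_persistent) for every cookie scoped to an exchange host."""
    rows = conn.execute("SELECT host_key, name, is_persistent FROM cookies").fetchall()
    return [row for row in rows if host_matches(row[0])]

def purge_exchange_cookies(conn: sqlite3.Connection) -> int:
    """Delete the cookies found above and return how many were removed."""
    hits = find_exchange_cookies(conn)
    with conn:  # commits on success, rolls back on error
        for host_key, name, _ in hits:
            conn.execute("DELETE FROM cookies WHERE host_key = ? AND name = ?", (host_key, name))
    return len(hits)

def build_sample_db() -> sqlite3.Connection:
    """Constructed sample rows; not a real cookie store."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO cookies VALUES (?, ?, ?, ?)", [
        (".binance.com", "session_id", 13300000000000000, 1),
        ("accounts.coinbase.com", "cb_session", 0, 0),
        (".example.com", "prefs", 13300000000000000, 1),
        ("notbinance.com", "tracker", 0, 0),  # lookalike host, must not match
    ])
    return conn

if __name__ == "__main__":
    db = build_sample_db()
    for host, name, persistent in find_exchange_cookies(db):
        print(f"{host:24} {name:12} persistent={bool(persistent)}")
    print("removed:", purge_exchange_cookies(db))
```

Persistent exchange cookies left behind after a session are exactly what an infostealer can lift from disk, so the audit output is a practical prompt for the "clear cookies after using financial accounts" advice.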

In an ever-evolving cyber threat environment, understanding techniques highlighted in the MITRE ATT&CK framework is vital for professionals. Initial access via social engineering tactics like phishing and persistence through malware remain common methods used by adversaries. Recognizing these tactics provides businesses with the necessary foresight to bolster their cybersecurity strategies.
