A new cryptocurrency malware that steals browser cookies and swipes user cryptocurrency has just been identified. Security researchers from Palo Alto Networks’ Unit 42 have identified the new crypto malware and dubbed it “CookieMiner.”
CookieMiner targets Mac Users
According to the researchers, the malware targets Mac users and steals cookies tied to their login sessions for cryptocurrency exchanges such as Coinbase, Binance, MyEtherWallet, and others.
The researchers came across this malware while investigating the infamous OSX.DarthMiner, which was discovered last year. Jen Miller-Osborn, deputy director of threat intelligence at Unit 42, told Hard Fork that they became interested in the malware because of its various new and additional functionalities.
The malware also attempts to steal passwords saved in Chrome and text messages stored in iTunes backups, the report added. With this information in hand, attackers could gain easy access to victims’ crypto exchange and wallet accounts and steal their cryptocurrency.
The researchers pointed out that login details alone are not enough to access a victim’s account if two-factor authentication is enabled. However, the 2FA details can also be obtained from the cookies, which would enable the attackers to steal cryptocurrency from victims. With the stolen browser cookies, they can resume previously verified sessions, since most websites do not ask for authentication again on a session they have already verified.
Miller-Osborn noted that the attack shows old-school malware techniques being tweaked to target cryptocurrency users. Miller-Osborn stated that “There are a lot of coinminers and other malware in the wild and targeting credentials or cookies stored in browsers is not new. Targeting all of these with an apparent focus on gaining access to cryptocurrency exchanges and trying to avoid [multi-factor authentication] protections is newer.”
Malware also mines crypto illegally
The researchers revealed that the malware also acts as crypto-jacking software by installing coin-mining software on victims’ computers. This allows the attackers to mine cryptocurrency without the victim’s knowledge.
As crypto-jacking malware, it works similarly to the XMRig coin miner, which usually mines Monero. However, CookieMiner is configured to mine Koto, a small-time Japanese cryptocurrency. The attacker has yet to be identified, with Miller-Osborn stating that “[t]here isn’t enough data to point to who is behind this or where they are located.”
The fact that Koto is a privacy coin could be the reason the attacker chose it. That the coin originates in Japan does not mean the attacker is based in that region; choosing it may also be a way to mislead digital forensic researchers.
The researchers concluded that users can avoid the malware and protect their cryptocurrency. Miller-Osborn urged crypto users to avoid saving credentials or credit card information in their browsers. “They should also clear web browser caches regularly, particularly after logging into financial or other sensitive accounts. It’s quick and ensures the data is not within web browsers to steal,” she added.