Unit 42, the threat research team of the cybersecurity company Palo Alto Networks, has uncovered Mac malware that appears to be derived from OSX.DarthMiner, a malware family that targets only Apple’s macOS platform.
The malware steals cookies associated with cryptocurrency exchanges and wallet services from any Mac it infects, along with passwords saved in the Google Chrome browser. It also tries to steal iPhone text messages that have been backed up to the Mac.
How the Malware Works
With that combination of data, the attackers could bypass the two-factor authentication (2FA) that most exchanges and wallets enforce: a stolen session cookie lets them reuse a login that has already passed 2FA, and backed-up text messages may contain one-time codes sent to the victim’s phone. Once logged in to the victim’s exchange or wallet account, they would have full access and could transfer funds to addresses they control.
Another malicious feature is that the operators load a coin miner onto the victim’s system. The miner is disguised as a Monero miner, but it actually mines Koto, a lesser-known cryptocurrency from Japan.
Unit 42 named the malware ‘CookieMiner’ after its two main behaviours, cookie theft and coin mining. On a victim’s Mac it steals browser cookies from both Google Chrome and Safari; usernames and passwords saved in Chrome; credit card details saved in Chrome; iPhone text messages backed up to the Mac; and cryptocurrency wallet data and private keys. It also takes full control of the Mac through the EmPyre backdoor and mines cryptocurrency on it.
The cookie theft targets exchanges and wallet services such as Binance, Coinbase, Poloniex, Bittrex, Bitstamp and MyEtherWallet, plus any website with “blockchain” in its domain name, such as Blockchain.info, a widely used cryptocurrency wallet. CookieMiner targets both Safari and Chrome because Safari is the default Mac browser and Chrome is the most widely used browser across all operating systems. To extract saved credentials and credit card details from Chrome (data that is typically resold on dark web marketplaces), it downloads a Python script named “harmlesslittlecode.py”.
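To make the targeting rule concrete, here is an added example (not code from Unit 42 or from the malware itself) that applies CookieMiner’s domain selection to a constructed, cut-down copy of Chrome’s Cookies SQLite table, the way an incident responder might enumerate which exchange sessions to revoke after an infection. The table schema is a simplified version of Chrome’s (the real file lives under ~/Library/Application Support/Google/Chrome/<profile>/Cookies and stores values encrypted with a key held in the macOS Keychain), the sample rows are constructed, and the host list is the one named above.

```python
import sqlite3

# Exchange and wallet hosts named as CookieMiner targets, plus the
# "any domain containing 'blockchain'" rule. Matching is by domain suffix.
TARGET_HOSTS = (
    "binance.com", "coinbase.com", "poloniex.com",
    "bittrex.com", "bitstamp.net", "myetherwallet.com",
)
TARGET_SUBSTRING = "blockchain"


def host_is_targeted(host_key):
    """Apply CookieMiner's domain rule to a Chrome cookie host_key (e.g. '.binance.com')."""
    host = host_key.lstrip(".").lower()
    if TARGET_SUBSTRING in host:
        return True
    # Suffix match so 'www.coinbase.com' hits but 'bitstamp.net.evil.example' does not.
    return any(host == h or host.endswith("." + h) for h in TARGET_HOSTS)


def build_sample_db():
    """Constructed in-memory stand-in for Chrome's Cookies database (simplified schema).

    On macOS the cookie value is stored encrypted with a key kept in the Keychain,
    so this table carries only opaque placeholder bytes; nothing here decrypts them.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cookies (host_key TEXT, name TEXT, encrypted_value BLOB, expires_utc INTEGER)"
    )
    rows = [  # constructed sample rows
        (".binance.com", "session", b"\x01\x02", 13222000000000000),
        ("www.coinbase.com", "cb_session", b"\x03", 13222000000000000),
        (".blockchain.info", "sid", b"\x04", 13222000000000000),
        (".example.com", "theme", b"\x05", 13222000000000000),
        ("bitstamp.net.evil.example", "x", b"\x06", 13222000000000000),  # lookalike, not a target
    ]
    conn.executemany("INSERT INTO cookies VALUES (?, ?, ?, ?)", rows)
    return conn


def targeted_cookies(conn):
    """Return sorted (host_key, name) pairs for cookies a CookieMiner-style thief would take."""
    cur = conn.execute("SELECT host_key, name FROM cookies")
    return sorted((host, name) for host, name in cur if host_is_targeted(host))


if __name__ == "__main__":
    for host, name in targeted_cookies(build_sample_db()):
        print(f"revoke session: {host}\t{name}")
```

Pointing `sqlite3.connect` at a copy of the real Cookies file (Chrome keeps it locked while running, so copy it first) instead of `build_sample_db()` gives the list of sessions to invalidate; the point of the suffix match is that a responder’s list should not be padded with unrelated domains that merely contain an exchange’s name.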
The malware also installs commands that keep the Koto miner running on the victim’s Mac. Koto is a Zcash-based cryptocurrency that can be mined efficiently on a CPU; most cryptocurrencies need powerful GPUs for worthwhile mining, but Koto uses CPU miners. Most Macs lack discrete GPUs suited to mining, which makes a CPU-mined coin a natural choice for malware targeting them. The miner binary is named ‘xmrig2’, after the popular XMRig Monero miner, so that it appears to be mining Monero when it is in fact mining Koto.
The malware also gives the attackers remote control of the victim’s Mac through a base64-encoded Python script, and the EmPyre backdoor is used to maintain that control. Unit 42 concludes that the malware’s purpose is data theft, illicit mining and financial gain for its operators.
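The two host-side behaviours described above, a base64-encoded Python one-liner and a miner binary named after XMRig, are both visible in the process list. The following added example (not Unit 42’s code or the malware’s) triages constructed ps-style command lines for those two patterns. The sample lines, PIDs, pool address and wallet string are made up, and the ‘xmrig’ name pattern is an assumption generalised from the article’s ‘xmrig2’ to cover the real XMRig binary and other numbered lookalikes.

```python
import base64
import os
import re

# Constructed stand-in for `ps -axo pid,command` output; not output from a real infection.
SAMPLE_PROCESSES = [
    "412 /usr/bin/python -c import base64;exec(base64.b64decode('aW1wb3J0IHN5cw=='))",
    "517 /Users/victim/Library/xmrig2 -o pool.example:3333 -u kotoaddress --cpu-priority 5",
    "99 /usr/bin/python /Users/victim/scripts/report.py",
    "231 /Applications/Safari.app/Contents/MacOS/Safari",
    "640 /usr/local/bin/xmrig --url pool.example:4444",
]

# Inline interpreter code that decodes a base64 literal and exec()s it: the shape of a
# base64-encoded Python stager launched from a shell script.
STAGER_RE = re.compile(r"b64decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
# Assumed naming pattern: the real XMRig binary and lookalikes such as 'xmrig2'.
MINER_NAME_RE = re.compile(r"^xmrig\d*$", re.IGNORECASE)
# Common pool/user flags of XMRig-style miners; a bare binary name alone is not enough.
MINER_FLAGS = {"-o", "--url", "-u", "--user"}


def classify(command):
    """Return (verdict, detail) for one command line, or None if nothing matches."""
    argv = command.split()
    if not argv:
        return None
    exe = os.path.basename(argv[0])
    if exe.startswith("python") and "-c" in argv and "exec(" in command:
        match = STAGER_RE.search(command)
        if match:
            try:
                # Decode the embedded payload so the analyst sees what would run.
                preview = base64.b64decode(match.group(1)).decode("utf-8", "replace")[:60]
            except ValueError:
                preview = "<undecodable>"
            return ("base64_python_stager", preview)
    if MINER_NAME_RE.match(exe) and MINER_FLAGS.intersection(argv):
        return ("xmrig_style_miner", exe)
    return None


def triage(ps_lines):
    """Run classify() over 'PID COMMAND' lines; return (pid, verdict, detail) for each hit."""
    findings = []
    for line in ps_lines:
        pid, _, command = line.strip().partition(" ")
        verdict = classify(command)
        if verdict:
            findings.append((int(pid), verdict[0], verdict[1]))
    return findings


if __name__ == "__main__":
    for pid, verdict, detail in triage(SAMPLE_PROCESSES):
        print(f"pid {pid}: {verdict} ({detail})")
```

Feeding real `ps -axo pid,command` output into `triage()` is enough for a first pass; the decoded preview matters because the base64 blob is the part an analyst otherwise has to decode by hand, and the flag check on the miner keeps a legitimately installed XMRig from being confused with an unrelated binary that merely shares the name prefix.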