Mac and Chrome info stealer and cryptomining malware in the wild

Cybercriminals are using a new malware targeting Macs and the Chrome browser designed to steal all the information necessary to break into cryptocurrency exchanges and their victim’s digital wallets.

This malware, an offshoot of OSX.DarthMiner, has a wide range of abilities, reported Palo Alto’s Unit 42. These skills include the ability to steal browser cookies associated with currency exchanges and digital wallet services, passwords, usernames and credit card information saved in Chrome and iPhone text messages from iTunes backups on the tethered Mac.

“By leveraging the combination of stolen login credentials, web cookies, and SMS data, based on past attacks like this, we believe the bad actors could bypass multi-factor authentication for these sites,” the Unit 42 report said, adding much of this is accomplished by abusing the legitimate extraction and decryption capabilities built into Chrome by the Google Chromium project.

If all of these pieces come together the attacker should have the ability to access the target’s exchange and wallet enabling them to fully access each.

The malware then follows the in for a penny in for a pound reasoning and installs cryptomining software onto the victim’s device. The mining malware, rather oddly, looks like a run of the mill version of XMRig that will mine Monero, but in fact is a coinminer that creates Japanese-centric Koto cryptocurrency. And for fun it installs the EmPyre backdoor to maintain persistence.

“The CookieMiner attack begins with a shell script targeting MacOS. It copies the Safari browser’s cookies to a folder, and uploads it to a remote server (46.226.108[.]171:8000). The server hosts the service “curldrop” (https://github[.]com/kennell/curldrop), which allows users to upload files with curl,” the report said.

The stolen information is uploaded upon command to the command and control server.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.