A newly discovered Mac malware will attempt to steal your cryptocurrency — and if it can’t, it’ll hijack your computer to mine more.
The malware in question, dubbed CookieMiner, appears to be sophisticated and highly targeted. It was first discovered by researchers at cybersecurity firm Palo Alto Networks (via TheNextWeb).
CookieMiner specifically targets Mac users and its primary purpose appears to be the theft of login credentials for cryptocurrency exchanges such as Coinbase, Binance, Poloniex, Bittrex, and Bitstamp.
It does so by stealing cookies and cryptocurrency exchange passwords saved in Google Chrome. It also targets other data, such as text messages stored in a user’s iTunes backups. Presumably, other data that’s commonly stored in browsers — like credit card details — may also be at risk.
Worryingly, CookieMiner even has a method to bypass two-factor authentication. By stealing authentication cookies, an attacker can make a login attempt appear like it’s coming from a “previously verified session.”
In other words, CookieMiner can help hackers trick a computer into not asking for additional verification.
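One server-side mitigation for the cookie replay described above, added here as an example and not code from the original article or from Palo Alto Networks: bind each session to the client context observed when the second factor was completed, and re-prompt for it when the same cookie arrives from a different context. The session store, secret, and sample requests are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed placeholder; a real deployment loads this from a secret store.
SECRET = b"server-side-secret-example"


@dataclass
class Session:
    user: str
    context_tag: str   # HMAC of the client context bound at 2FA completion
    mfa_verified: bool


def context_tag(user_agent: str, ip: str) -> str:
    """Tag the client context seen when the user finished two-factor login."""
    # Coarse /24 prefix so ordinary address churn does not constantly re-prompt.
    prefix = ".".join(ip.split(".")[:3])
    msg = f"{user_agent}|{prefix}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def check_request(store, cookie, user_agent, ip):
    """Return (decision, reason) for a request carrying a session cookie.

    'reprompt_mfa' means the cookie is genuine but is being presented from a
    client context other than the one bound at login, so it must not be
    treated as a previously verified session."""
    sess = store.get(cookie)
    if sess is None:
        return ("deny", "unknown session cookie")
    if not sess.mfa_verified:
        return ("reprompt_mfa", "second factor never completed")
    if not hmac.compare_digest(sess.context_tag, context_tag(user_agent, ip)):
        return ("reprompt_mfa", "cookie presented from a different client context")
    return ("allow", "client context matches bound session")


def demo():
    # Constructed: one verified session, then a legitimate request from the
    # same browser and a replay of the stolen cookie from elsewhere.
    ua = "Mozilla/5.0 (Macintosh) Chrome/71"
    store = {"sid-abc": Session("alice", context_tag(ua, "203.0.113.10"), True)}
    same_client = check_request(store, "sid-abc", ua, "203.0.113.42")
    replayed = check_request(store, "sid-abc", "curl/7.64", "198.51.100.7")
    return same_client, replayed
```

The replayed request is not denied outright, only sent back through the second factor, which is enough to remove the "previously verified session" shortcut a stolen cookie relies on.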
But CookieMiner doesn’t stop there. The malware can also covertly install coin mining software on an impacted user’s system. That could lead to an attacker leveraging a computer’s resources to mine additional cryptocurrency without the user’s knowledge.
Palo Alto Networks notes that the malware appears similar to previous attacks, such as OSX-DarthMiner. The crypto-mining hijacking software also bears a resemblance to mining platforms like XMRIG.
Additionally, the malware doesn’t contain enough data to suggest who could be behind it. Even the coin that it mines, Koto, is a Japanese-based privacy coin that doesn’t leave much of a trail.
What Should I Do?
If you’re worried about CookieMiner or similar malware targeting your Mac, there are a few things you can do to try and avoid it.
Jen Miller-Osborn, deputy director of threat intelligence at Palo Alto Networks’ Unit 42, urges users not to save passwords, credit cards or sensitive information in their browser.
She notes that browser-saved information is a common vector for attack, and even recommends that users clear their browser caches regularly after logging into sensitive websites like financial institutions or cryptocurrency accounts. “It’s quick and ensures the data is not within web browsers to steal,” she said.