Palo Alto Networks’ Unit 42 recently discovered malware that they believe has been developed from OSX.DarthMiner, a malware known to target the Mac platform. This malware is capable of stealing browser cookies associated with mainstream cryptocurrency exchanges and wallet service websites visited by the victims. It also steals saved passwords in Chrome. Finally, it seeks to steal iPhone text messages from iTunes backups on the tethered Mac.
By leveraging the combination of stolen login credentials, web cookies, and SMS data, based on past attacks like this, Palto Alto believes the bad actors could bypass multifactor authentication for these sites. If successful, the attackers would have full access to the victim’s exchange account and/or wallet and be able to use those funds as if they were the user themselves. The malware also configures the system to load coinmining software on the system. This software is made to look like an XMRIG-type coinminer, which is used to mine Monero. In fact, though, it loads a coinminer that mine Koto, a lesser-known cryptocurrency that is associated with Japan.
Because of the way this malware attacks the cookies associated with exchanges, Palto Alto has named this malware “CookieMiner”. In the following sections, They will first briefly introduce some background knowledge, and then dig into the technical details of the malware’s behaviors.
Background
Web cookies are widely used for authentication. Once a user logs into a website, its cookies are stored for the web server to know the login status. If the cookies are stolen, the attacker could potentially sign into the website to use the victim’s account. Stealing cookies is an important step to bypass login anomaly detection. If only the username and password are stolen and used by a bad actor, the website may issue an alert or request additional authentication for a new login. However, if an authentication cookie is also provided along with the username and password, the website might believe the session is associated with a previously authenticated system host and not issue an alert or request additional authentication methods.
A cryptocurrency exchange is a place to trade cryptocurrencies for other assets, such as other digital (crypto)currencies or conventional fiat money. Most modern cryptocurrency exchanges and online wallet services have multi-factor authentication. CookieMiner tries to navigate past the authentication process by stealing a combination of the login credentials, text messages, and web cookies. If the bad actors successfully enter the websites using the victim’s identity, they could perform fund withdrawals. This may be a more efficient way to generate profits than outright cryptocurrency mining. Furthermore, attackers could manipulate the cryptocurrency prices with large-volume buying and/or selling of stolen assets resulting in additional profits.
Technical Details
A rundown of CookieMiner’s behaviors (discussed in more detail in the following sections):
-Steals Google Chrome and Apple Safari browser cookies from the victim’s machine
-Steals saved usernames and passwords in Chrome
-Steals saved credit card credentials in Chrome
-Steals iPhone’s text messages if backed up to Mac
-Steals cryptocurrency wallet data and keys
-Keeps full control of the victim using the EmPyre backdoor
-Mines cryptocurrency on the victim’s machine Stealing Cookies
The CookieMiner attack begins with a shell script targeting MacOS. It copies the Safari browser’s cookies to a folder, and uploads it to a remote server (46.226.108[.]171:8000). The server hosts the service “curldrop” (https://github.com/kennell/curldrop), which allows users to upload files with curl. The attack targets cookies associated with cryptocurrencyexchanges that include Binance, Coinbase, Poloniex, Bittrex, Bitstamp, MyEtherWallet, and any website having “blockchain” in its domain name such as www.blockchain.com.
Stealing Credit Cards, Passwords, Wallets and SMS
Apple’s Safari is not the only web browser targeted. Google Chrome also attracts the threat actors’ attention due to its popularity. CookieMiner downloads a Python script named “harmlesslittlecode.py” to extract saved login credentials and credit card information from Chrome’s local data storage.
Stealing Credit Cards, Passwords, Wallets and SMS Apple’s Safari is not the only web browser targeted. Google Chrome also attracts the threat actors’ attention due to its popularity. CookieMiner downloads a Python script named “harmlesslittlecode.py” to extract saved login credentials and credit card information from Chrome’s local data storage.
CookieMiner adopts techniques from the Google Chromium project’s code for its decryption and extraction operations and abuses them. Google Chromium is an open-source version of the Google Chrome browser. By abusing these techniques, CookieMiner attempts to steal credit card information from major issuers, such as Visa, Mastercard, American Express, and Discover. The user’s saved login credentials are also stolen, including usernames, passwords, and the corresponding web URLs.
CookieMiner reports all the wallet-related file paths to its remote server so it can later upload the files according to the C2 commands. These files usually include private keys of cryptocurrency wallets. If the victims use iTunes to backup files from iPhone to Mac (can be via Wi-Fi), their iPhone text messages (SMSFILE) will also be retrieved by the attackers.
Cryptocurrency Mining
CookieMiner issues a series of commands to configure the victim’s machine to mine cryptocurrency and maintain persistence. The program xmrig2 is a Mach-O executable for mining cryptocurrency. As seen in Figure 7, the address “k1GqvkK7QYEfMj3JPHieBo1m7FUkTowdq6H” has considerable mining performance. It has been ranked as a top miner in the Maruru mining pool (kotopool.work). The cryptocurrency mined is called Koto, which is a Zcash-based anonymous cryptocurrency. The addresses use the “Yescrypt” algorithm which is good for CPU miners but not ideal for GPU miners. This is ideal for malware as the victim hosts are not guaranteed to have discrete GPUs installed in them but are guaranteed to have a CPU available. However, the filename xmrig2 is usually used by Monero miners. Palto Alto believes the malware authors may have intentionally used this filename to create confusion since the miner is actually mining the Koto cryptocurrency.
Remote Control
For persistence and remote control, the script downloads another base64-encoded Python script from hxxps://ptpb[.]pw/OAZG. After several steps of deobfuscation, Palto Alto found the attackers using EmPyre for post-exploitation control. EmPyre is a Python post-exploitation agent built on cryptologically-secure communications and a flexible architecture. The attacker is able to send commands to the victim’s machine for remote control. Additionally, the agent checks if Little Snitch (an application firewall) is running on the victim’s host. If so, it will stop and exit.
Conclusion
The malware “CookieMiner” is intended to help threat actors generate profit by collecting credential information and mining cryptocurrency. If attackers have all the needed information for the authentication process, the multi-factor authentication may be defeated. Cryptocurrency owners should keep an eye on their security settings and digital assets to prevent compromise and leakage. Customers of Palo Alto Networks are protected by WildFire that is able to automatically detect the malware. AutoFocus users can track this activity by using the StealCookie tag.
