New Mac OS malware capable of performing a variety of actions related to cryptocurrency mining and theft was detailed in a blog post by Palo Alto Networks’ Unit 42 security research team on Thursday. The malware is designed to steal Chrome or Safari cookies of cryptocurrency exchanges and wallet services, as well as saved passwords and credit cards in Chrome. It also attempts to steal iPhone text messages from iTunes backups, which Unit 42 researchers said they believe could be used to bypass two-factor authentication (2FA) for cryptocurrency exchanges.
Taken together, this access would allow attackers to login to exchange or wallet services using victims’ accounts, and use those funds as if they were the victim. Oddly, the malware also loads mining software for the Koto cryptocurrency, used primarily in Japan, though the mining package is called “xmrig2” in order to disguise it as a Monero miner.
To maintain control of a system following infection, the malware uses the EmPyre package to send commands to a victim’s machine.
The Koto malware is only a year old, as it was publicly introduced in January 2018, though adoption of the cryptocurrency is not high in general. Presently, the valuation of 1 Koto is 0.00000047 BTC, equaling roughly $0.16 USD. Twelve mining pools for Koto exist, of which the malware connects to the Maruru Pool. Other pools include “Adult Independent Research” and “DragonPool.”
Though it may seem peculiar to develop Mac malware for a relatively unpopular Japanese altcoin, Mac OS has a 22.4% market share in Japan, according to Statcounter.
For tips on how to protect Macs from malware threats like this, check out this TechRepublic article.
The big takeaways for tech leaders:
- The CookieMiner Mac malware combines a number of strategies to commandeer control of cryptocurrency wallets and exchanges, and maintain control of the victim’s computer.
- The malware attempts to mine the Koto cryptocurrency, which is next to worthless.