Monday, February 4, 2019

A new piece of malware codenamed "CookieMiner" is targeting users of Apple devices. It goes after the browser cookies of cryptocurrency exchange and wallet websites, along with the corresponding credentials saved in the Safari and Chrome browsers.
Once the malware has infected the target system, it uses a shell script to scan the Safari and Chrome browsers for cookies that belong to known cryptocurrency exchanges and wallets, including Binance, Bittrex, Bitstamp, Coinbase, Poloniex and MyEtherWallet. It then creates copies of the selected cookies and uploads them to the attacker's server.
Next, the malware runs a Python script called “harmlesslittlecode.py” to scan the browsers' local storage folders and extract saved account credentials and payment card information. In this Python script you can see that the attacker is specifically targeting Visa, Mastercard, American Express, and Discover payment cards (see attached image).
The malware then attempts to access text message data located in iTunes backups to circumvent multi-factor authentication on the user's accounts. The aim is to gain full access to the victim's cryptocurrency accounts and perform transactions on the victim's behalf, on the victim's own device, without their knowledge.
Once the malware has completed its primary objective of locating and extracting the victim's credentials as per the instructions from the command and control (C&C) server, a CPU-optimised cryptocurrency miner that uses the "Yescrypt" algorithm is downloaded. It mines a fork of Zcash (ZEC) called Koto (KOTO).
To persist the infection and keep its foothold on the compromised device, the malware uses the post-exploitation package called "EmPyre" to maintain a permanent backdoor for remote control of the victim's device.
With this backdoor in place, the attacker can potentially supply the compromised device with updates or additional exploits in the future. The known indicators of compromise (IOCs), the command and control (C&C) server details, and the exploits used are listed in the comments below.
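For defenders, the data-access pattern described above (browser cookie and credential stores plus iTunes backups read by something other than their owning application) can be checked in file-access telemetry. The following is an added example, not code from the malware or from the original post; the tab-separated event format, the owner allow-list and the sample events are assumptions, and the paths are the default macOS locations.

```python
import re
from collections import defaultdict

# Default macOS locations (assumed) of the data the post says is collected.
HOME = r"^/Users/[^/]+/Library/"
STORES = [
    ("safari_cookies", re.compile(HOME + r"Cookies/Cookies\.binarycookies$")),
    ("chrome_profile", re.compile(
        HOME + r"Application Support/Google/Chrome/[^/]+/(Cookies|Login Data|Web Data)$")),
    ("itunes_backup", re.compile(HOME + r"Application Support/MobileSync/Backup/")),
]
# Processes expected to open each store (assumed allow-list, tune per fleet).
OWNERS = {"safari_cookies": {"Safari"}, "chrome_profile": {"Google Chrome"},
          "itunes_backup": {"iTunes"}}
BROWSER_STORES = {"safari_cookies", "chrome_profile"}

def classify(path):
    """Map an opened path to a store name, or None if it is not sensitive."""
    return next((name for name, rx in STORES if rx.match(path)), None)

def find_suspects(lines):
    """Return {(pid, process_name): severity} for unexpected readers."""
    touched = defaultdict(set)
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 4:
            continue  # skip malformed records
        _ts, pid, proc, path = parts
        store = classify(path)
        name = proc.rsplit("/", 1)[-1]
        if store and name not in OWNERS[store]:
            touched[(pid, name)].add(store)
    # Browser data plus SMS-bearing backups in one process matches the
    # MFA-bypass chain described in the post, so it ranks higher.
    return {key: "high" if stores & BROWSER_STORES and "itunes_backup" in stores
            else "medium" for key, stores in touched.items()}

# Constructed sample events: timestamp, pid, process path, opened path.
U = "/Users/alice/Library/"
SAMPLE = ["\t".join(e) for e in [
    ("10:00:01", "501", "/Applications/Safari.app/Contents/MacOS/Safari",
     U + "Cookies/Cookies.binarycookies"),
    ("10:02:10", "733", "/usr/bin/python",
     U + "Application Support/Google/Chrome/Default/Login Data"),
    ("10:02:11", "733", "/usr/bin/python",
     U + "Application Support/MobileSync/Backup/DEVICE-ID/Manifest.db"),
    ("10:02:30", "802", "/bin/cp", U + "Cookies/Cookies.binarycookies"),
]]

if __name__ == "__main__":
    for (pid, name), severity in find_suspects(SAMPLE).items():
        print(severity, pid, name)
```

Safari reading its own cookie file is ignored, while the interpreter that touches both Chrome's credential store and a device backup is ranked above the single cookie copy.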
If you are a Mac or iPhone user, please do not think that your devices are insusceptible to vulnerabilities or attacks from parties with malicious intent. Apple devices are not the 'be all and end all' of security that naive salespeople and users have led you to believe they are. All consumer devices are vulnerable to attack if they are not maintained properly by the developers and the user.
