Phone : +91 95 8290 7788 | Email :

Register & Request Quote | Submit Support Ticket

Home » Cyber Security News » Cookieminer: New malware targets Macs to steal from cryptocurrency wallets

Cookieminer: New malware targets Macs to steal from cryptocurrency wallets

Malware can bypass multi-factor authentication to gain access to cryptocurrency wallets – and also drops mining malware on infected machines.

Mac users are being targeted with newly discovered Mac malware that aims to steal the contents of cryptocurrency wallets.

Dubbed CookieMiner by researchers because of its capability for stealing browser cookies associated with cryptocurrency exchanges and wallet service websites visited by the victim, the malware has been uncovered by Palo Alto Networks.

In addition to stealing and trading the contents of cryptocurrency wallets, CookieMiner also plants a cryptojacker onto the infected OSX machine, enabling the attackers to secretly mine for additional digital currency. In this instance, it’s Koto, a lesser-known cryptocurrency that offers users anonymity. It’s mostly used in Japan.

It’s still unknown how the newly detected malware gains access to systems, but once there, CookieMiner examines browser cookies with links to cryptocurrency exchanges and websites that reference blockchain. Exchanges targeted include Binance, Coinbase, Poloniex, Bittrex, Bitstamp, and MyEtherWallet.

Using a Shellscript, it steals Google Chrome and Apple Safari browser cookies from the victim’s machine, uploading them to a folder on a remote server. By doing this, it can extract the required login credentials and the cookies required to make it look as if the new login attempt is coming from a machine previously used by the victim — therefore preventing it from looking suspect.

“What it wants to do in combination with credentials which it’s harvested is impersonate that user from their own system,” Alex Hinchliffe, threat intelligence analyst at Palo Alto Networks’ Unit 42 research division told ZDNet. “So they use the cookies to try and get past that initial login without suspicion.”

It isn’t just the victim’s Mac that is targeted by CookieMiner — if the victim has used iTunes to sync their Mac with their iPhone, the malware can also access text messages. This potentially allows the attackers to steal login codes and other messages that they can abuse to bypass any two-factor authentication the users have applied to their cryptocurrency accounts.

Once the attackers have access to the wallets, they have all the same privileges as the user, which they can use to steal the contents of the wallet. It’s also possible that the attackers could game the system, trading large amounts of cryptocurrency in an effort to boost valuations for their own ends.

“If the adversary gets access to someone’s account on the exchange, they can buy and sell cryptocurrency. Buying and selling a lot could change the price of the cryptocurrency, in which case they can use it to profit,” said Hinchliffe.

The attack isn’t over after the adversaries are done using the wallets — they drop a cryptocurrency miner that appears to be highly active, ranking as the top miner for Koto.

Filenames associated with the wallet reference xmrig, something usually used by Monero miners, but it’s thought that the attackers have employed this with their Koto scheme in order to generate confusion.

CookieMiner also drops a script for persistence and remote control of the infected machine, allowing them to check-in on the machine and send commands — although all of this currently appears to be related to mining. It’s believed that the cyber criminal campaign is still active and researchers recommend that cryptocurrency owners should keep an eye on their security settings and digital assets to prevent compromise and leakage.

Information Security - InfoSec - Cyber Security - Firewall Providers Company in India













What is Firewall? A Firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies. At its most basic, a firewall is essentially the barrier that sits between a private internal network and the public Internet.


Secure your network at the gateway against threats such as intrusions, Viruses, Spyware, Worms, Trojans, Adware, Keyloggers, Malicious Mobile Code (MMC), and other dangerous applications for total protection in a convenient, affordable subscription-based service. Modern threats like web-based malware attacks, targeted attacks, application-layer attacks, and more have had a significantly negative effect on the threat landscape. In fact, more than 80% of all new malware and intrusion attempts are exploiting weaknesses in applications, as opposed to weaknesses in networking components and services. Stateful firewalls with simple packet filtering capabilities were efficient blocking unwanted applications as most applications met the port-protocol expectations. Administrators could promptly prevent an unsafe application from being accessed by users by blocking the associated ports and protocols.


Firewall Firm is an IT Monteur Firewall Company provides Managed Firewall Support, Firewall providers , Firewall Security Service Provider, Network Security Services, Firewall Solutions India , New Delhi - India's capital territory , Mumbai - Bombay , Kolkata - Calcutta , Chennai - Madras , Bangaluru - Bangalore , Bhubaneswar, Ahmedabad, Hyderabad, Pune, Surat, Jaipur, Firewall Service Providers in India

Sales Number : +91 95 8290 7788 | Support Number : +91 94 8585 7788
Sales Email : | Support Email :

Register & Request Quote | Submit Support Ticket