New MacOS Exploit Steals Login Credentials and ‘Cryptojacks’

Colin Muller

A new exploit for the MacOS operating system targets users’ browsing history in order to gain access to cryptoasset exchanges, cybersecurity researchers at Malwarebytes.com have found.

The exploit, named CookieMiner, targets the Safari browser to collect users’ cookie files, which can be presented to websites to make the attacker’s session appear to belong to the legitimate user. Combined with other stolen credentials, the cookies allow the attackers to log in to users’ accounts without triggering the new-device or new-location confirmation that most well-secured websites would otherwise require.

But CookieMiner also targets the Chrome browser. The exploit detects when credit card information is being entered and attempts to steal those details, along with login credentials and other useful information.

Users who sync their iPhones with their Macs are also at risk, as CookieMiner can steal text messages backed up to the computer. All of the above information is uploaded to a server controlled by the attackers.

If all this wasn’t enough, CookieMiner includes so-called “cryptojacking” mining functions. The exploit uses the victim’s CPU to mine a (very) little-known cryptocurrency called Koto, a fork of Zcash (ZEC). The Monero (XMR) privacy coin is the more typical choice for such operations, and the malicious file itself is even called “xmrig2,” perhaps in an attempt to mislead anyone who spots it.

Don’t Sail the High Seas

Malwarebytes found CookieMiner in a fake version of pirated software - specifically, a pirated piece of Adobe software called Zii, which is used as the first step in installing other pirated Adobe programs such as Photoshop and Illustrator.

Cybersecurity firm Kaspersky recently issued a report finding that such cryptojacking attacks are again on the rise, displacing ransomware attacks. What’s more, this is not even the first time that Adobe software has been singled out as an attack vector - as CryptoGlobe reported a few months ago, fake Flash updates had been used to install Monero mining software on users’ machines.