Mac Malware of 2019 Report

The “Mac Malware of 2019” report provides a comprehensive analysis of new Mac malware specimens and variants that emerged throughout the year. It covers various aspects, including infection vectors, persistence mechanisms, and the ultimate goals of the malware. One notable example is CookieMiner, a cryptominer that also steals user cookies and passwords, potentially granting attackers access to victims’ online cryptocurrency accounts and wallets. The report also mentions other malware families like Yort, Siggen, BirdMiner, Netwire, Mokes.B, and GMERA, some attributed to the Lazarus Group. This report is important for defenders as it highlights the evolving threat landscape targeting macOS and provides actionable insights for detection and prevention.

Attack Chain

1. Initial infection vector is unknown, but suspected to be third-party store downloads.
2. The malware installs two launch agents via a shell script named uploadminer.sh to establish persistence. The script downloads property lists to ~/Library/LaunchAgents.
3. The first launch agent (com.apple.rig2.plist) persists a cryptocurrency mining binary named xmrig2.
4. The second launch agent (com.proxy.initialize.plist) executes inline python commands, including a base64 encoded chunk of data, achieving persistence.
5. The xmrig2 binary mines the Koto cryptocurrency, using the pool koto-pool.work.
6. The malware steals cookies from Safari by copying the Cookies.binarycookies file, zipping it, and exfiltrating it to 46.226.108.171. The cookies are checked for cryptocurrency exchange association.
7. The malware downloads a Python script named harmlesslittlecode.py to extract saved login credentials and credit card information from Google Chrome.
8. Stolen data, including cookies and passwords, are used to bypass 2FA on cryptocurrency exchanges, granting attackers full control of victims’ accounts.

Impact

A successful CookieMiner infection can lead to significant financial loss for victims. By stealing cookies, passwords, and potentially SMS data, attackers can bypass multi-factor authentication on cryptocurrency exchanges and wallets. This allows them to drain accounts and make unauthorized transactions. The report does not specify the number of victims or the exact financial impact, but it highlights the potential for substantial damage.

Recommendation

• Monitor for the creation of launch agents in ~/Library/LaunchAgents that execute suspicious binaries or scripts, based on the persistence mechanism used by CookieMiner (Attack Chain steps 2-4).
• Detect connections to known cryptocurrency mining pools, such as koto-pool.work, used by the xmrig2 miner (IOC: domain).
• Implement the Sigma rule “Detect CookieMiner Cookie Stealing” to identify exfiltration of Safari cookie files to the C2 server 46.226.108.171 (IOC: ip).