{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cryptominer/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Firefox","OnyX","Deeper","Gatekeeper"],"_cs_severities":["high"],"_cs_tags":["cryptominer","macos","malware"],"_cs_type":"advisory","_cs_vendors":["Mozilla","Apple"],"content_html":"\u003cp\u003eOSX/CreativeUpdater is a macOS cryptominer that was distributed in early February 2018 via compromised download links on the popular MacUpdate website. The attack involved modifying download links for applications like Firefox, OnyX, and Deeper to point to a hacker-controlled URL (download-installer.cdn-mozilla.net) serving a trojanized version of the application. This trojanized application, disguised as a legitimate application and signed with an Apple Developer ID (Ramos Jaxson), bypasses Gatekeeper\u0026rsquo;s default security settings. Once executed, the malware installs a persistent payload designed to mine Monero, impacting system performance and potentially allowing for future customized payloads. 
The use of MacUpdate as an infection vector allowed the malware to potentially infect a large number of macOS users.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser visits MacUpdate and downloads a popular application (e.g., Firefox) from a compromised link.\u003c/li\u003e\n\u003cli\u003eThe user downloads a signed disk image (.dmg) containing a trojanized application bundle.\u003c/li\u003e\n\u003cli\u003eThe user mounts the disk image, bypassing Gatekeeper due to a valid developer signature (Apple Developer ID: Ramos Jaxson).\u003c/li\u003e\n\u003cli\u003eThe user executes the trojanized application (e.g., Firefox.app), which in turn executes a script file located within the application\u0026rsquo;s Resources directory.\u003c/li\u003e\n\u003cli\u003eThe script downloads a zip file (mdworker.zip) from a remote server (\u003ca href=\"https://public.adobecc.com/files/1U14RSV3MVAHBMEGVS4LZ42AFNYEFF\"\u003ehttps://public.adobecc.com/files/1U14RSV3MVAHBMEGVS4LZ42AFNYEFF\u003c/a\u003e) and unzips it into the user\u0026rsquo;s Library folder (~/Library/mdworker/).\u003c/li\u003e\n\u003cli\u003eThe script creates a LaunchAgent file (MacOSupdate.plist) in ~/Library/LaunchAgents/ to achieve persistence.\u003c/li\u003e\n\u003cli\u003eThe LaunchAgent loads, which in turn downloads another plist file (MacOS.plist) from a remote server (\u003ca href=\"https://public.adobecc.com/files/1UJET2WD0VPD5SD0CRLX0EH2UIEEFF\"\u003ehttps://public.adobecc.com/files/1UJET2WD0VPD5SD0CRLX0EH2UIEEFF\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eThe second plist file (MacOS.plist) executes the \u0026lsquo;mdworker\u0026rsquo; binary, which is the MinerGate command-line cryptominer (minergate-cli), configured to mine Monero (XMR) using specific email addresses and, in some cases, a SOCKS proxy.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful infection leads to the 
installation of a Monero cryptominer on the victim\u0026rsquo;s macOS system. This results in high CPU usage and reduced system performance. The malware periodically connects to minergate.com, passing the email address as a login. The compromised applications included Firefox, OnyX and Deeper. Although the exact number of victims is unknown, the use of the popular MacUpdate platform as a distribution vector suggests a potentially wide impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious MacOSupdate.plist Launch Agent\u0026rdquo; to detect malicious launch agent files in the ~/Library/LaunchAgents/ directory.\u003c/li\u003e\n\u003cli\u003eBlock the following domains at the DNS resolver to prevent the downloading of malicious payloads: public.adobecc.com and minergate.com (IOC table).\u003c/li\u003e\n\u003cli\u003eMonitor process execution for \u0026lsquo;mdworker\u0026rsquo; running from the ~/Library/mdworker/ directory and alert if found (Sigma rule).\u003c/li\u003e\n\u003cli\u003eInspect network connections for connections to the IP address 104.236.13.101 on port 1080, as this was used as a SOCKS proxy (IOC table).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T18:22:00Z","date_published":"2024-01-26T18:22:00Z","id":"/briefs/2024-01-26-creativeupdater/","summary":"OSX/CreativeUpdater is a macOS cryptominer distributed through compromised download links on the MacUpdate website, using a trojanized application bundle to execute a script that downloads and installs a persistent Monero miner using launch agents.","title":"OSX/CreativeUpdater Cryptominer Distributed via MacUpdate","url":"https://feed.craftedsignal.io/briefs/2024-01-26-creativeupdater/"},{"_cs_actors":["Lazarus Group","HIDDEN COBRA","LABYRINTH CHOLLIMA","Diamond 
Sleet","Zinc"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["CleanMy Mac X","Firefox"],"_cs_severities":["high"],"_cs_tags":["macos","malware","cryptominer","cookie-stealing"],"_cs_type":"threat","_cs_vendors":["Malwarebytes","Airo AV","Palo Alto Networks"],"content_html":"\u003cp\u003eThe \u0026ldquo;Mac Malware of 2019\u0026rdquo; report provides a comprehensive analysis of new Mac malware specimens and variants that emerged throughout the year. It covers various aspects, including infection vectors, persistence mechanisms, and the ultimate goals of the malware. One notable example is CookieMiner, a cryptominer that also steals user cookies and passwords, potentially granting attackers access to victims\u0026rsquo; online cryptocurrency accounts and wallets. The report also mentions other malware families like Yort, Siggen, BirdMiner, Netwire, Mokes.B, and GMERA, some attributed to the Lazarus Group. This report is important for defenders as it highlights the evolving threat landscape targeting macOS and provides actionable insights for detection and prevention.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial infection vector is unknown, but suspected to be third-party store downloads.\u003c/li\u003e\n\u003cli\u003eThe malware installs two launch agents via a shell script named \u003ccode\u003euploadminer.sh\u003c/code\u003e to establish persistence. 
The script downloads property lists to \u003ccode\u003e~/Library/LaunchAgents\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe first launch agent (\u003ccode\u003ecom.apple.rig2.plist\u003c/code\u003e) persists a cryptocurrency mining binary named \u003ccode\u003exmrig2\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe second launch agent (\u003ccode\u003ecom.proxy.initialize.plist\u003c/code\u003e) executes inline python commands, including a base64 encoded chunk of data, achieving persistence.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003exmrig2\u003c/code\u003e binary mines the Koto cryptocurrency, using the pool \u003ccode\u003ekoto-pool.work\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malware steals cookies from Safari by copying the \u003ccode\u003eCookies.binarycookies\u003c/code\u003e file, zipping it, and exfiltrating it to \u003ccode\u003e46.226.108.171\u003c/code\u003e. The cookies are checked for cryptocurrency exchange association.\u003c/li\u003e\n\u003cli\u003eThe malware downloads a Python script named \u003ccode\u003eharmlesslittlecode.py\u003c/code\u003e to extract saved login credentials and credit card information from Google Chrome.\u003c/li\u003e\n\u003cli\u003eStolen data, including cookies and passwords, are used to bypass 2FA on cryptocurrency exchanges, granting attackers full control of victims\u0026rsquo; accounts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful CookieMiner infection can lead to significant financial loss for victims. By stealing cookies, passwords, and potentially SMS data, attackers can bypass multi-factor authentication on cryptocurrency exchanges and wallets. This allows them to drain accounts and make unauthorized transactions. 
The report does not specify the number of victims or the exact financial impact, but it highlights the potential for substantial damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for the creation of launch agents in \u003ccode\u003e~/Library/LaunchAgents\u003c/code\u003e that execute suspicious binaries or scripts, based on the persistence mechanism used by CookieMiner (Attack Chain steps 2-4).\u003c/li\u003e\n\u003cli\u003eDetect connections to known cryptocurrency mining pools, such as \u003ccode\u003ekoto-pool.work\u003c/code\u003e, used by the \u003ccode\u003exmrig2\u003c/code\u003e miner (IOC: domain).\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect CookieMiner Cookie Stealing\u0026rdquo; to identify exfiltration of Safari cookie files to the C2 server \u003ccode\u003e46.226.108.171\u003c/code\u003e (IOC: ip).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:00:00Z","date_published":"2024-01-03T18:00:00Z","id":"/briefs/2024-01-mac-malware-2019/","summary":"The Mac Malware of 2019 report details various Mac malware specimens and variants, including CookieMiner, a cryptominer that steals user cookies and passwords, likely to give attackers access to victims' online accounts and wallets; CookieMiner persists via launch agents and exfiltrates browser cookies to a remote C2 server.","title":"Mac Malware of 2019 Report","url":"https://feed.craftedsignal.io/briefs/2024-01-mac-malware-2019/"}],"language":"en","title":"CraftedSignal Threat Feed — Cryptominer","version":"https://jsonfeed.org/version/1.1"}