
Into The Technical Details

The malware also configures the system to load coinmining software. The program xmrig2 is a Mach-O executable for mining cryptocurrency. The server hosts the service “curldrop” able to automatically detect the malware. It also steals saved passwords in Chrome.226.

Remote Control

For persistence and remote control, the script downloads another base64-encoded Python script from

Conclusion

The malware “CookieMiner” is intended to help threat actors generate profit by collecting credential information and mining cryptocurrency.

If so, it will stop and exit. Finally, it seeks to steal iPhone text messages from iTunes backups on the tethered Mac. The cryptocurrency mined is called Koto, which is a Zcash-based anonymous cryptocurrency. If attackers have all the needed information for the authentication process, the multi-factor authentication may be defeated. Palo Alto believes the malware authors may have intentionally used this filename to create confusion since the miner is actually mining the Koto cryptocurrency. This software is made to look like an XMRIG-type coinminer, which is used to mine Monero. The user’s saved login credentials are also stolen, including usernames, passwords, and the corresponding web URLs. However, if an authentication cookie is also provided along with the username and password, the website might believe the session is associated with a previously authenticated system host and not issue an alert or request additional authentication methods. …com/kennell/curldrop), which allows users to upload files with curl.

In fact, though, it loads a coinminer that mines Koto, a lesser-known cryptocurrency that is associated with Japan. It has been ranked as a top miner in the Maruru mining pool (kotopool. The attacker is able to send commands to the victim’s machine for remote control. If only the username and password are stolen and used by a bad actor, the website may issue an alert or request additional authentication for a new login. After several steps of deobfuscation, Palo Alto found the attackers using EmPyre for post-exploitation control. CookieMiner adopts techniques from the Google Chromium project’s code for its decryption and extraction operations and abuses them.

This malware is capable of stealing browser cookies associated with mainstream cryptocurrency exchanges and wallet service websites visited by the victims. In the following sections, they will first briefly introduce some background knowledge, and then dig into the technical details of the malware’s behaviors. It copies the Safari browser’s cookies to a folder, and uploads it to a remote server (46. By abusing these techniques, CookieMiner attempts to steal credit card information from major issuers, such as Visa, Mastercard, American Express, and Discover.


Posted: 27 Aban 1399, 09:08:08, by: mahinemtomlo
