Rewterz Threat Alert – Malware Steals Cryptocurrency Wallets and Credit Card Credentials

Wednesday, February 6, 2019

SEVERITY : Medium

CATEGORY: Cyber-crime

CookieMiner is a new malware strain that exfiltrates web browser cookies related to online wallet services and cryptocurrency exchange websites. It is also able to harvest passwords, text messages, and credit card credentials on Mac devices, reports BleepingComputer. For a secure command channel, the attackers use the EmPyre backdoor to send arbitrary commands to the targeted Macs after the initial infection.

The attack starts with a shell script that collects browser cookies associated with cryptocurrency services and uploads them to a remote server. The targeted services include Binance, Coinbase, Poloniex, Bittrex, Bitstamp, MyEtherWallet, and any website whose domain name contains "blockchain". The malware also mines cryptocurrency on the infected machine.

The malware extracts credit card information and login credentials from the data stored locally by Apple Safari and Google Chrome. It is also designed to scan the machine for cryptocurrency wallet information.

IMPACT

  • Steals Google Chrome and Apple Safari browser cookies from the victim’s machine
  • Steals saved usernames and passwords in Chrome
  • Steals saved credit card credentials in Chrome
  • Steals iPhone text messages if they have been backed up to the Mac
  • Steals cryptocurrency wallet data and keys
  • Keeps full control of the victim using the EmPyre backdoor
  • Mines cryptocurrency on the victim’s machine

INDICATORS OF COMPROMISE


IP(s) / Hostname(s)

46.226.108[.]171

URLs

hxxps://ptpb[.]pw/OAZG

Filename

  • OAZG
  • com[.]apple[.]rig2[.]plist
  • output[.]115113432[.]txt
  • com[.]proxy[.]initialize[.]plist
  • xmrig2
  • harmlesslittlecode[.]py
  • uploadminer[.]sh

Malware Hash (MD5/SHA1/SHA256)

27ccebdda20264b93a37103f3076f6678c3446a2c2bfd8a73111dbc8c7eeeb71

91b3f5e5d3b4e669a49d9c4fc044d0025cabb8ebb08f8d1839b887156ae0d6dd

cdb2fb9c8e84f0140824403ec32a2431fb357cd0f184c1790152834cc3ad3c1b

ede858683267c61e710e367993f5e589fcb4b4b57b09d023a67ea63084c54a05

c65e65207f6f9f8df05e02c893de5b3c04825ac67bec391f0b212f4f33a31e80

485c2301409a238affc713305dc1a465afa9a33696d58e8a84e881a552b82b06


Remediation

Block the threat indicators listed above at their respective controls (the IP address and URL at the firewall or web proxy, the file hashes and filenames at endpoint protection). Do not save any credentials in these browsers.
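As an added example (not part of the Rewterz alert), the Python script below loads the indicators published above, strips the [.] and hxxp defanging, and hunts for them in proxy-log lines and in a file inventory of (path, SHA256) pairs. The proxy-log lines and the inventory used in the demonstration are constructed sample data; the inventory() helper can be pointed at a real directory on a Mac under investigation.

```python
"""Hunt for the CookieMiner indicators listed in this alert.

Indicator values are copied from the alert (kept defanged, refanged at load
time). The proxy-log lines and file inventory used for the demonstration are
constructed sample data, not captured from a real incident.
"""
import hashlib
import os
from pathlib import Path

# Indicators exactly as published in the alert (defanged form).
RAW_IPS = ["46.226.108[.]171"]
RAW_URLS = ["hxxps://ptpb[.]pw/OAZG"]
RAW_FILENAMES = [
    "OAZG",
    "com[.]apple[.]rig2[.]plist",
    "output[.]115113432[.]txt",
    "com[.]proxy[.]initialize[.]plist",
    "xmrig2",
    "harmlesslittlecode[.]py",
    "uploadminer[.]sh",
]
SHA256_HASHES = {
    "27ccebdda20264b93a37103f3076f6678c3446a2c2bfd8a73111dbc8c7eeeb71",
    "91b3f5e5d3b4e669a49d9c4fc044d0025cabb8ebb08f8d1839b887156ae0d6dd",
    "cdb2fb9c8e84f0140824403ec32a2431fb357cd0f184c1790152834cc3ad3c1b",
    "ede858683267c61e710e367993f5e589fcb4b4b57b09d023a67ea63084c54a05",
    "c65e65207f6f9f8df05e02c893de5b3c04825ac67bec391f0b212f4f33a31e80",
    "485c2301409a238affc713305dc1a465afa9a33696d58e8a84e881a552b82b06",
}


def refang(indicator: str) -> str:
    """Convert 'hxxps://ptpb[.]pw' style defanging back to a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IPS = [refang(i) for i in RAW_IPS]
URLS = [refang(u) for u in RAW_URLS]
# Bare hostnames derived from the URLs, so DNS/CONNECT entries also match.
HOSTS = [u.split("://", 1)[1].split("/", 1)[0] for u in URLS]
FILENAMES = {refang(f) for f in RAW_FILENAMES}


def scan_proxy_log(lines):
    """Return [(line_no, indicator)] for lines containing a network IoC.

    Full URLs are checked before bare hostnames and IPs so that a line
    carrying the complete URL is reported with the most specific indicator.
    """
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for indicator in URLS + HOSTS + IPS:
            if indicator in line:
                hits.append((line_no, indicator))
                break
    return hits


def scan_file_inventory(records):
    """records: iterable of (path, sha256_hex). Return [(path, reason)].

    A hash match is the stronger signal and is reported in preference to a
    filename-only match when both apply.
    """
    hits = []
    for path, digest in records:
        if digest.lower() in SHA256_HASHES:
            hits.append((path, "sha256"))
        elif Path(path).name in FILENAMES:
            hits.append((path, "filename"))
    return hits


def inventory(root):
    """Yield (path, sha256_hex) for every readable regular file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            try:
                with open(path, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        digest.update(chunk)
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the hunt
            yield path, digest.hexdigest()


# Constructed sample data for the demonstration (not real captured logs).
SAMPLE_PROXY_LOG = [
    "2019-02-06T10:14:03Z 10.0.0.5 GET https://www.example.com/ 200",
    "2019-02-06T10:15:11Z 10.0.0.5 GET https://ptpb.pw/OAZG 200",
    "2019-02-06T10:15:40Z 10.0.0.5 CONNECT 46.226.108.171:443 200",
]
SAMPLE_INVENTORY = [
    ("/Users/victim/Downloads/com.proxy.initialize.plist", "0" * 64),
    ("/tmp/unknown.bin", "27ccebdda20264b93a37103f3076f6678c3446a2c2bfd8a73111dbc8c7eeeb71"),
    ("/bin/ls", "f" * 64),
]

if __name__ == "__main__":
    for line_no, ioc in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"proxy log line {line_no}: {ioc}")
    for path, reason in scan_file_inventory(SAMPLE_INVENTORY):
        print(f"file {path}: matched by {reason}")
```

To run the file check against a real host, replace SAMPLE_INVENTORY with inventory("/some/directory") and review every hit; a filename-only hit is a lead to investigate, while a hash hit is a confirmed indicator.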
