Skip to content

S0492 CookieMiner

CookieMiner is mac-based malware that targets information associated with cryptocurrency exchanges as well as enabling cryptocurrency mining on the victim system itself. It was first discovered in the wild in 2019.1

Item Value
ID S0492
Associated Names
Type MALWARE
Version 1.1
Created 22 July 2020
Last Modified 22 March 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.004 Unix Shell CookieMiner has used a Unix shell script to run a series of commands targeting macOS.1
enterprise T1059.006 Python CookieMiner has used python scripts on the user’s system, as well as the Python variant of the Empire agent, EmPyre.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.001 Launch Agent CookieMiner has installed multiple new Launch Agents in order to maintain persistence for cryptocurrency mining software.1
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers CookieMiner can steal saved usernames and passwords in Chrome as well as credit card credentials.1
enterprise T1005 Data from Local System CookieMiner has retrieved iPhone text messages from iTunes phone backup files.1
enterprise T1140 Deobfuscate/Decode Files or Information CookieMiner has used Google Chrome’s decryption and extraction operations.1
enterprise T1048 Exfiltration Over Alternative Protocol -
enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol CookieMiner has used the curl –upload-file command to exfiltrate data over HTTP.1
enterprise T1083 File and Directory Discovery CookieMiner has looked for files in the user’s home directory with “wallet” in their name using find.1
enterprise T1562 Impair Defenses -
enterprise T1562.004 Disable or Modify System Firewall CookieMiner has checked for the presence of “Little Snitch”, macOS network monitoring and application firewall software, stopping and exiting if it is found.1
enterprise T1105 Ingress Tool Transfer CookieMiner can download additional scripts from a web server.1
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.010 Command Obfuscation CookieMiner has used base64 encoding to obfuscate scripts on the system.1
enterprise T1496 Resource Hijacking CookieMiner has loaded coinmining software onto systems to mine for Koto cryptocurrency. 1
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery CookieMiner has checked for the presence of “Little Snitch”, macOS network monitoring and application firewall software, stopping and exiting if it is found.1
enterprise T1539 Steal Web Session Cookie CookieMiner can steal Google Chrome and Apple Safari browser cookies from the victim’s machine. 1

References

  1. Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.