The researchers have dubbed the malware CookieMiner, and it is believed to have been developed from an earlier piece of malware, OSX.DarthMiner, identified in 2018.
CookieMiner can steal a user's saved passwords and login information from Chrome, obtain browser authentication cookies associated with cryptocurrency exchanges, and even read iTunes backups of the user's iPhone stored on the Mac to extract text messages. Pieced together, that is enough to bypass two-factor authentication codes delivered by text message, gain access to the victim's cryptocurrency wallet and steal their cryptocurrency.
Even if the malware is unable to get at any cryptocurrency, it also installs mining software on the Mac, so the attackers profit from the victim's hardware regardless.
Unit 42 recommends that Mac users clear their browser caches after logging in to financial accounts. Explicitly logging out of the exchange when you are done is a more reliable habit, since it invalidates the session on the server side as well as removing the cookie from the browser.
Since it appears able to steal saved passwords and cookies from Chrome, we suggest using an alternative web browser on the Mac, although that only reduces your exposure and is no substitute for not running untrusted software. As for the text messages saved in iTunes backups, it seems the malware can only read backups stored on the Mac itself, so if you back up your iPhone to iCloud you should be safe. And, as ever, be wary of anything you install on your Mac, especially if it is related to cryptocurrency.
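A quick way to see whether your own Mac holds the files described above, as an added example that is not part of the article or of Unit 42's research: the script below lists local iOS device backups (which iTunes, and Finder on newer macOS, keep under `~/Library/Application Support/MobileSync/Backup`) and the Chrome profile databases that store saved logins and cookies. The paths are the standard macOS locations; the optional directory argument stands in for your home folder and exists only so the check can be exercised on a constructed directory tree.

```sh
#!/bin/sh
# Added example, not code from the article or from Unit 42.
# Lists the local artifacts CookieMiner-style malware is described as reading:
# on-disk iPhone backups and Chrome's saved-login and cookie databases.
# $1 optionally overrides $HOME (used for testing on a constructed tree).

list_local_artifacts() {
    home="${1:-$HOME}"

    # Local device backups. iTunes (older macOS) and Finder (10.15+) both
    # store them here; backups made to iCloud are not on disk, so none appear.
    backups="$home/Library/Application Support/MobileSync/Backup"
    for b in "$backups"/*/; do
        [ -d "$b" ] || continue
        printf 'local device backup: %s\n' "$b"
    done

    # Chrome profile databases holding saved passwords ("Login Data") and
    # cookies. Newer Chrome keeps Cookies under <profile>/Network/, older
    # versions directly under <profile>/, so both locations are checked.
    chrome="$home/Library/Application Support/Google/Chrome"
    for f in "$chrome"/*/"Login Data" "$chrome"/*/Cookies "$chrome"/*/Network/Cookies; do
        [ -f "$f" ] || continue
        printf 'chrome database: %s\n' "$f"
    done
    return 0
}

# Number of at-risk files found; zero means nothing for this malware to read.
count_local_artifacts() {
    list_local_artifacts "$1" | awk 'END { print NR }'
}

list_local_artifacts "$@"
```

Run it with no argument to check your own account. A non-empty list does not mean you are infected; it means those files exist for malware with your user's privileges to take, which is the exposure the advice above is trying to reduce.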
You may think you are unlikely to fall foul of such an attack, but last year CoinTicker malware was found that displayed the current price of Bitcoin and other cryptocurrencies, thereby appearing useful, while it was also installing a backdoor and the rather ominous-sounding OSX.EvilEgg malware.