New malware is used by hackers, designed to steal  cookies to the crypto currency wallets. According to Palo Alto’s Unit 42 report, the malware, known as an offshot of OSX.

DarthMiner is able to steal browser cookies linked to currency exchanges and digital wallet services, passwords, usernames and credit card information saved in Chrome and iPhone text messages from iTunes backups on the tethered Mac. By getting a lot of user’s personal information, bad actors are able to bypass multi-factor authentications for this sites.

According to Unit 42 this task is doable because of legitimate extraction and decryption capabilities built into Chrome by the Google Chromium Project. If malware gets enough information, the hacker is able to access user’s wallet and exchange.

The next step for the malware is to install a cryptomining software to victim’s device. This software (which looks like a mill version of XMRig, but is mining Koto cryptocurrency and not Monero, like usual XMRig does) also install EmPyre backdoor to maintain backdoor presence. The stolen information is uploaded upon command to the command and control server.