Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Firefox Zero-Day Exploited to Deliver Malware to Cryptocurrency Exchanges

The recently patched Firefox vulnerability tracked as CVE-2019-11707 has been exploited to deliver Mac (and possibly Windows) malware to the employees of cryptocurrency exchanges.

The recently patched Firefox vulnerability tracked as CVE-2019-11707 has been exploited to deliver Mac (and possibly Windows) malware to the employees of cryptocurrency exchanges.

Mozilla announced on Tuesday that the latest update for Firefox patched a critical type confusion zero-day that had been exploited in targeted attacks. The Tor Project has also updated its browser, which is based on Firefox, to address the vulnerability.

The flaw was reported to Mozilla by the security team at cryptocurrency exchange Coinbase and Samuel Groß of Google Project Zero, but initially no details were made available on the attacks.

Philip Martin of the Coinbase security team revealed on Twitter that CVE-2019-11707 had been used alongside another unpatched Firefox vulnerability, a sandbox escape weakness, to target Coinbase employees. Martin said the attackers also targeted other cryptocurrency-related organizations.

After seeing the indicators of compromise (IoCs) made public by Martin, including malware hashes and command and control (C&C) IP addresses, FireEye’s Nick Carr revealed that they matched uncategorized activity observed by FireEye between 2017 and 2019. The attacks seen by FireEye had been aimed at financial institutions and cryptocurrency exchanges.

Security researcher Vitali Kremez, who has analyzed the payloads delivered via the new Firefox exploit, reported uncovering some links to recent attacks involving a WinRAR zero-day. Kremez described the malware as a “stealer.”

macOS security expert Patrick Wardle has obtained a sample of the macOS malware delivered via CVE-2019-11707. He got the sample from an individual who claimed to have received it via an email that referenced the Adams Prize, a prestigious prize awarded by the University of Cambridge in the UK. The targeted person said he had been involved until fairly recently with a cryptocurrency exchange.

Wardle’s analysis revealed significant similarities to OSX.Netwire (Wirenet), a piece of malware that emerged in 2012. The old malware was designed to steal passwords from Linux and OS X systems.

While there are significant similarities, the researcher says the new and the old malware are also very different and they seem to have different objectives — the old malware was only designed to steal passwords, while the new threat has other capabilities that Wardle plans on detailing in an upcoming blog post. The expert believes they were both created by the same developer or team of developers.

Interestingly, the new macOS malware bypassed Apple’s Gatekeeper security system — Gatekeeper only scans files that are downloaded by users via normal methods, not files downloaded via an exploit — but Apple’s XProtect system does detect the malware based on a Yara signature added by the company in 2016 for a version of Netwire.

According to VirusTotal, the sample of the macOS malware delivered via the latest Firefox zero-day is only detected by security solutions from Symantec and China’s Tencent.

UPDATED. The article incorrectly stated that both Windows and macOS malware had been used in the attacks. Vitali Kremez told SecurityWeek that he has no evidence of any Windows malware being served, but pointed out that the “referenced hashes and IOCs are clearly related to the PE32 malware.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.