SecurityWeek

Cybercrime

Firefox Zero-Day Exploited to Deliver Malware to Cryptocurrency Exchanges

The recently patched Firefox vulnerability tracked as CVE-2019-11707 has been exploited to deliver Mac (and possibly Windows) malware to the employees of cryptocurrency exchanges.

Mozilla announced on Tuesday that the latest update for Firefox patched a critical type confusion zero-day that had been exploited in targeted attacks. The Tor Project has also updated its browser, which is based on Firefox, to address the vulnerability.

The flaw was reported to Mozilla by the security team at cryptocurrency exchange Coinbase and Samuel Groß of Google Project Zero, but initially no details were made available on the attacks.

Philip Martin of the Coinbase security team revealed on Twitter that CVE-2019-11707 had been used alongside another unpatched Firefox vulnerability, a sandbox escape weakness, to target Coinbase employees. Martin said the attackers also targeted other cryptocurrency-related organizations.

After seeing the indicators of compromise (IoCs) made public by Martin, including malware hashes and command and control (C&C) IP addresses, FireEye’s Nick Carr revealed that they matched uncategorized activity observed by FireEye between 2017 and 2019. The attacks seen by FireEye had been aimed at financial institutions and cryptocurrency exchanges.

Security researcher Vitali Kremez, who has analyzed the payloads delivered via the new Firefox exploit, reported uncovering some links to recent attacks involving a WinRAR zero-day. Kremez described the malware as a “stealer.”

macOS security expert Patrick Wardle has obtained a sample of the macOS malware delivered via CVE-2019-11707. He got the sample from an individual who claimed to have received it via an email that referenced the Adams Prize, a prestigious prize awarded by the University of Cambridge in the UK. The targeted person said he had been involved until fairly recently with a cryptocurrency exchange.

Wardle’s analysis revealed significant similarities to OSX.Netwire (Wirenet), a piece of malware that emerged in 2012. The old malware was designed to steal passwords from Linux and OS X systems.

While there are significant similarities, the researcher says the new and the old malware are also very different and they seem to have different objectives — the old malware was only designed to steal passwords, while the new threat has other capabilities that Wardle plans on detailing in an upcoming blog post. The expert believes they were both created by the same developer or team of developers.

Interestingly, the new macOS malware bypassed Apple’s Gatekeeper security system: Gatekeeper only scans files that users download via normal methods, not files written to disk by an exploit. Apple’s XProtect system does, however, detect the malware, based on a YARA signature the company added in 2016 for a version of Netwire.
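
The Gatekeeper gap described above comes down to one observable: a file that reaches disk through a browser download carries the com.apple.quarantine extended attribute, while one dropped by an exploit does not. The following scanner is an added example, not code from the article, from Coinbase, Mozilla or Apple; it walks a directory, identifies Mach-O binaries by their magic bytes and reports those with no quarantine attribute so a responder can triage them (hash, XProtect/YARA check, VirusTotal lookup). The attribute lookup is injectable; the `fake_attr_names` helper and the file names in `demo_in_tempdir` are constructed for the demonstration and are not real samples.

```python
"""Report Mach-O binaries that carry no com.apple.quarantine attribute.

Added example, not from the article or from any vendor: Gatekeeper acts on
the quarantine attribute that browsers and mail clients attach to ordinary
downloads, so a payload an exploit writes to disk arrives without it.  This
walks a directory and lists Mach-O files missing the attribute so they can
be triaged (hashed, checked against XProtect/YARA, or submitted to VirusTotal).
"""
import os
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, List, Set

QUARANTINE_ATTR = "com.apple.quarantine"

# Mach-O magic as it appears on disk: 32- and 64-bit in both byte orders,
# plus the universal ("fat") header.  0xCAFEBABE also opens Java class
# files, so treat that one as a hint rather than proof.
MACHO_MAGIC = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC, byte-swapped
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64, byte-swapped
    b"\xca\xfe\xba\xbe",                        # FAT_MAGIC
}


def is_macho(path: Path) -> bool:
    """True if the file's first four bytes are a Mach-O or fat magic."""
    try:
        with path.open("rb") as fh:
            return fh.read(4) in MACHO_MAGIC
    except OSError:
        return False


def default_attr_names(path: Path) -> Set[str]:
    """Extended-attribute names on a file.

    os.listxattr exists only on Linux; on macOS fall back to xattr(1),
    which prints one attribute name per line when given just a path.
    """
    if hasattr(os, "listxattr"):
        return set(os.listxattr(path))
    proc = subprocess.run(["xattr", str(path)], capture_output=True,
                          text=True, check=False)
    return {ln.strip() for ln in proc.stdout.splitlines() if ln.strip()}


def find_unquarantined_machos(
    root: Path,
    attr_names: Callable[[Path], Set[str]] = default_attr_names,
) -> List[Path]:
    """Walk *root*; return Mach-O regular files with no quarantine attribute.

    *attr_names* is injectable so the logic can run on filesystems where
    the Apple attribute cannot be set (Linux CI, the demo below).
    """
    hits: List[Path] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file() or not is_macho(p):
                continue
            if QUARANTINE_ATTR not in attr_names(p):
                hits.append(p)
    return sorted(hits)


# --- constructed demo data (hypothetical names, not real samples) ---------
FAKE_QUARANTINED = {"browser_download.bin"}


def fake_attr_names(path: Path) -> Set[str]:
    """Stand-in for the xattr lookup: only the 'browser download' is quarantined."""
    return {QUARANTINE_ATTR} if path.name in FAKE_QUARANTINED else set()


def demo_in_tempdir() -> List[str]:
    """Build a throwaway tree and return the file names the scanner flags."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        macho64 = b"\xcf\xfa\xed\xfe" + b"\0" * 28  # MH_MAGIC_64 plus padding
        (root / "exploit_dropped.bin").write_bytes(macho64)
        (root / "browser_download.bin").write_bytes(macho64)
        (root / "notes.txt").write_bytes(b"plain text, not a binary\n")
        return [p.name for p in find_unquarantined_machos(root, fake_attr_names)]


if __name__ == "__main__":
    import sys
    start = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / "Downloads"
    for hit in find_unquarantined_machos(start):
        print(f"no quarantine attribute: {hit}")
```

Run it against a user's Downloads folder (or any path) on a Mac to list candidates; a binary with no quarantine attribute is not proof of compromise, since files copied from other volumes or built locally also lack it, but it is the population Gatekeeper never examined and the one worth hashing and scanning first.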

According to VirusTotal, the sample of the macOS malware delivered via the latest Firefox zero-day is only detected by security solutions from Symantec and China’s Tencent.

UPDATED. The article incorrectly stated that both Windows and macOS malware had been used in the attacks. Vitali Kremez told SecurityWeek that he has no evidence of any Windows malware being served, but pointed out that the “referenced hashes and IOCs are clearly related to the PE32 malware.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
