Firefox Zero-Day Exploited to Deliver Malware to Cryptocurrency Exchanges

The recently patched Firefox vulnerability tracked as CVE-2019-11707 has been exploited to deliver Mac (and possibly Windows) malware to the employees of cryptocurrency exchanges.

Mozilla announced on Tuesday that the latest update for Firefox patched a critical type confusion zero-day that had been exploited in targeted attacks. The Tor Project has also updated its browser, which is based on Firefox, to address the vulnerability.

The flaw was reported to Mozilla by the security team at cryptocurrency exchange Coinbase and Samuel Groß of Google Project Zero, but initially no details were made available on the attacks.

Philip Martin of the Coinbase security team revealed on Twitter that CVE-2019-11707 had been used alongside another unpatched Firefox vulnerability, a sandbox escape weakness, to target Coinbase employees. Martin said the attackers also targeted other cryptocurrency-related organizations.

After seeing the indicators of compromise (IoCs) made public by Martin, including malware hashes and command and control (C&C) IP addresses, FireEye’s Nick Carr revealed that they matched uncategorized activity observed by FireEye between 2017 and 2019. The attacks seen by FireEye had been aimed at financial institutions and cryptocurrency exchanges.

Security researcher Vitali Kremez, who has analyzed the payloads delivered via the new Firefox exploit, reported uncovering some links to recent attacks involving a WinRAR zero-day. Kremez described the malware as a “stealer.”

macOS security expert Patrick Wardle has obtained a sample of the macOS malware delivered via CVE-2019-11707. He got the sample from an individual who claimed to have received it via an email that referenced the Adams Prize, a prestigious prize awarded by the University of Cambridge in the UK. The targeted person said he had been involved until fairly recently with a cryptocurrency exchange.

Wardle’s analysis revealed significant similarities to OSX.Netwire (Wirenet), a piece of malware that emerged in 2012. The old malware was designed to steal passwords from Linux and OS X systems.

While there are significant similarities, the researcher says the new and the old malware are also very different and they seem to have different objectives — the old malware was only designed to steal passwords, while the new threat has other capabilities that Wardle plans on detailing in an upcoming blog post. The expert believes they were both created by the same developer or team of developers.

Interestingly, the new macOS malware bypassed Apple’s Gatekeeper security system — Gatekeeper only scans files that are downloaded by users via normal methods, not files downloaded via an exploit — but Apple’s XProtect system does detect the malware based on a Yara signature added by the company in 2016 for a version of Netwire.

According to VirusTotal, the sample of the macOS malware delivered via the latest Firefox zero-day is only detected by security solutions from Symantec and China’s Tencent.

UPDATED. The article incorrectly stated that both Windows and macOS malware had been used in the attacks. Vitali Kremez told SecurityWeek that he has no evidence of any Windows malware being served, but pointed out that the “referenced hashes and IOCs are clearly related to the PE32 malware.”