Connect with us

Hi, what are you looking for?



Firefox Zero-Day Exploited to Deliver Malware to Cryptocurrency Exchanges

The recently patched Firefox vulnerability tracked as CVE-2019-11707 has been exploited to deliver Mac (and possibly Windows) malware to the employees of cryptocurrency exchanges.

The recently patched Firefox vulnerability tracked as CVE-2019-11707 has been exploited to deliver Mac (and possibly Windows) malware to the employees of cryptocurrency exchanges.

Mozilla announced on Tuesday that the latest update for Firefox patched a critical type confusion zero-day that had been exploited in targeted attacks. The Tor Project has also updated its browser, which is based on Firefox, to address the vulnerability.

The flaw was reported to Mozilla by the security team at cryptocurrency exchange Coinbase and Samuel Groß of Google Project Zero, but initially no details were made available on the attacks.

Philip Martin of the Coinbase security team revealed on Twitter that CVE-2019-11707 had been used alongside another unpatched Firefox vulnerability, a sandbox escape weakness, to target Coinbase employees. Martin said the attackers also targeted other cryptocurrency-related organizations.

After seeing the indicators of compromise (IoCs) made public by Martin, including malware hashes and command and control (C&C) IP addresses, FireEye’s Nick Carr revealed that they matched uncategorized activity observed by FireEye between 2017 and 2019. The attacks seen by FireEye had been aimed at financial institutions and cryptocurrency exchanges.

Security researcher Vitali Kremez, who has analyzed the payloads delivered via the new Firefox exploit, reported uncovering some links to recent attacks involving a WinRAR zero-day. Kremez described the malware as a “stealer.”

macOS security expert Patrick Wardle has obtained a sample of the macOS malware delivered via CVE-2019-11707. He got the sample from an individual who claimed to have received it via an email that referenced the Adams Prize, a prestigious prize awarded by the University of Cambridge in the UK. The targeted person said he had been involved until fairly recently with a cryptocurrency exchange.

Advertisement. Scroll to continue reading.

Wardle’s analysis revealed significant similarities to OSX.Netwire (Wirenet), a piece of malware that emerged in 2012. The old malware was designed to steal passwords from Linux and OS X systems.

While there are significant similarities, the researcher says the new and the old malware are also very different and they seem to have different objectives — the old malware was only designed to steal passwords, while the new threat has other capabilities that Wardle plans on detailing in an upcoming blog post. The expert believes they were both created by the same developer or team of developers.

Interestingly, the new macOS malware bypassed Apple’s Gatekeeper security system — Gatekeeper only scans files that are downloaded by users via normal methods, not files downloaded via an exploit — but Apple’s XProtect system does detect the malware based on a Yara signature added by the company in 2016 for a version of Netwire.

According to VirusTotal, the sample of the macOS malware delivered via the latest Firefox zero-day is only detected by security solutions from Symantec and China’s Tencent.

UPDATED. The article incorrectly stated that both Windows and macOS malware had been used in the attacks. Vitali Kremez told SecurityWeek that he has no evidence of any Windows malware being served, but pointed out that the “referenced hashes and IOCs are clearly related to the PE32 malware.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.