BlockThreat - Week 25, 2019
Coinbase | Firefox | LoudMiner | Libra
No hacks were reported this week, but an alarming report came from the Coinbase exchange about being targeted by a spear-phishing campaign armed with two 0day exploits. Several new malware families were also reported, including a clever miner hiding in pirated copies of audio production software.
News:
- Firefox zero-day was used in attack against Coinbase employees, not its users - two weaponized 0day vulnerabilities were used in a targeted spear-phishing campaign against Coinbase employees. The malicious email directed recipients to a web page which attempted to download and execute a first-stage malware designed to steal user credentials and collect data about the environment. The attack was detected and blocked by Coinbase Security before any customer funds or data were affected.
- Florida city pays $600,000 to ransomware gang to have its data back - the latest city-wide ransomware attack has ended with the attackers being paid 65 BTC. The city's critical infrastructure, including 911 dispatch, was paralyzed by the attack, which contributed to the city's decision to pay the ransom.
- QuadrigaCX founder used aliases, moved assets into personal accounts - more information about the failed exchange was released as a result of the Ernst & Young audit. Gerald Cotten was revealed to have made massive transfers of investor funds to his personal accounts on other exchanges before his trip to India.
Bugs:
- Upcoming disclosure of pre-v0.17.1 vulnerabilities - two minor security vulnerabilities (CVE-2017-18350 and CVE-2018-20586) affecting Bitcoin Core node software prior to v0.17.1 have already been patched; full disclosure of the details is scheduled to follow. Operators still running pre-0.17.1 nodes should upgrade before the details go public.
Malware:
- LoudMiner: Cross‑platform mining in cracked VST software - a really interesting cryptominer sample which came bundled with pirated copies of VST software. VST (Virtual Studio Technology) plugins are resource-intensive audio processing and synthesizer software, so a host that is already burning CPU is ideal for masking mining activity. The miner itself was bundled inside a Linux virtual machine image run under QEMU (on macOS) or VirtualBox (on Windows), making it easy to execute on a variety of platforms and providing a degree of obfuscation, since the mining code never touches the host filesystem directly.
Indicators:
vstcrack[.]com (137[.]74.151.144)
d-d[.]host (185[.]112.158.44)
d-d[.]live (185[.]112.156.227)
d-d[.]space (185[.]112.157.79)
m-m[.]icu (185[.]112.157.118)
(see the link above for additional indicators)
- Malware sidesteps Google permissions policy with new 2FA bypass technique - a new Android malware sample capable of reading one-time passwords (OTPs) from SMS 2FA messages by abusing notification access rather than requesting the SMS permission, sidestepping the restrictions Google placed on SMS and Call Log permissions earlier this year. The malware impersonates the BtcTurk exchange and is designed to steal credentials for the service.
Indicators (package name, MD5):
Android/FakeApp.KP btcturk.pro.beta 8C93CF8859E3ED350B7C8722E4A8F9A3
com.app.btsoft.app 843368F274898B9EF9CD3E952EEB16C4
com.app.elipticsoft.app 336CE9CDF788228A71A3757558FAA012
com.koinks.mobilpro 4C0B9A665A5A1F5DCCB67CC7EC18DA54
- Plurox: Modular backdoor - a new modular malware family which loads one of several cryptominer plugins, chosen to match the CPU/GPU capabilities of the infected system.
- Cryptocurrency-Mining Botnet Malware Arrives Through ADB and Spreads Through SSH - a new cryptomining botnet that gets its initial foothold through Android devices with the Android Debug Bridge (ADB) port (5555/tcp) exposed to the network and then spreads over SSH to hosts the victim has previously connected to, with payloads for both Android devices and x86 Linux hosts. Infections were mostly observed in South Korea.
Indicators:
45[.]67[.]14[.]179
http://198[.]98[.]51[.]104:282
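As an added example (not part of the original report or any of the vendor write-ups it links), the script below refangs the defanged indicators listed in this issue and sweeps them against constructed sample log lines and file hashes. The log lines are made up for illustration; the rule that any host under a listed domain counts as a hit is my assumption about how these should be used.

```python
"""Refang the defanged indicators from this issue and sweep constructed
sample logs and hashes for them. Added example; not the original post's code."""
import hashlib
import re
from typing import Dict, Iterable, List, Tuple

# Network indicators as printed in this issue (defanged with "[.]").
DOMAIN_IOCS = ["vstcrack[.]com", "d-d[.]host", "d-d[.]live", "d-d[.]space", "m-m[.]icu"]
IP_IOCS = [
    "137[.]74.151.144", "185[.]112.158.44", "185[.]112.156.227",
    "185[.]112.157.79", "185[.]112.157.118", "45[.]67[.]14[.]179", "198[.]98[.]51[.]104",
]
# Android sample hashes (MD5 -> package name) from the BtcTurk item.
HASH_IOCS: Dict[str, str] = {
    "8C93CF8859E3ED350B7C8722E4A8F9A3": "btcturk.pro.beta",
    "843368F274898B9EF9CD3E952EEB16C4": "com.app.btsoft.app",
    "336CE9CDF788228A71A3757558FAA012": "com.app.elipticsoft.app",
    "4C0B9A665A5A1F5DCCB67CC7EC18DA54": "com.koinks.mobilpro",
}


def refang(ioc: str) -> str:
    """Undo the usual defanging so the indicator can be matched against real logs."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def build_matchers(domains: Iterable[str], ips: Iterable[str]):
    """Compile one regex for domains (any subdomain of a listed domain counts, my
    assumption) and one for IPs, with boundaries so d-d.host does not match d-d.hosting."""
    dom_alt = "|".join(re.escape(refang(d)) for d in domains)
    ip_alt = "|".join(re.escape(refang(i)) for i in ips)
    domain_re = re.compile(r"(?<![\w.-])(?:[\w-]+\.)*(" + dom_alt + r")(?![\w-])", re.IGNORECASE)
    ip_re = re.compile(r"(?<![\d.])(" + ip_alt + r")(?!\d)")
    return domain_re, ip_re


DOMAIN_RE, IP_RE = build_matchers(DOMAIN_IOCS, IP_IOCS)


def scan_log(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, matched_indicator) for each line touching a listed domain or IP."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, start=1):
        hits.extend((n, m.group(1).lower()) for m in DOMAIN_RE.finditer(line))
        hits.extend((n, m.group(1)) for m in IP_RE.finditer(line))
    return hits


def check_hashes(md5s: Iterable[str]) -> Dict[str, str]:
    """Map any MD5 (either case) present in HASH_IOCS to the package it belongs to."""
    return {h.upper(): HASH_IOCS[h.upper()] for h in md5s if h.upper() in HASH_IOCS}


def md5_hex(data: bytes) -> str:
    """MD5 of a blob (e.g. an APK read from disk), in the upper-case form used above."""
    return hashlib.md5(data).hexdigest().upper()


# Constructed sample log lines (not real captures): a DNS lookup, a proxy CONNECT,
# a benign lookup, and a firewall line showing ADB's 5555/tcp talking to a listed C2.
SAMPLE_LOG = [
    "2019-06-20T10:01:02Z dns A update.vstcrack.com client=10.0.0.12",
    "2019-06-20T10:01:05Z proxy CONNECT 185.112.157.118:443 user=alice",
    "2019-06-20T10:02:00Z dns A cdn.example.org client=10.0.0.12",
    "2019-06-20T10:03:11Z fw allow tcp 10.0.0.44:5555 -> 198.98.51.104:282",
]


def scan_sample() -> List[Tuple[int, str]]:
    """Run the sweep over the constructed sample log."""
    return scan_log(SAMPLE_LOG)


if __name__ == "__main__":
    for n, ioc in scan_sample():
        print(f"line {n}: {ioc}")
    print(check_hashes(["8c93cf8859e3ed350b7c8722e4a8f9a3"]))
```

Feed real DNS, proxy or firewall exports to scan_log and APK hashes (md5_hex over the file bytes) to check_hashes; the IP list mixes fully and partially defanged entries exactly as printed above, which refang handles without special-casing.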
Research:
- ‘Move’ Programming Language: The Highlight of Libra - an interesting article on the security features offered by Move, the smart contract programming language for the upcoming Libra cryptocurrency.
- Grand Theft Crypto: The State of Cryptocurrency-Stealing Malware and Other Nasty Techniques - a good survey of a variety of infection techniques used by malware to steal and mine crypto on compromised hosts.
That’s all for this week’s threat intelligence report. Stay safe and see you next week!