March 22, 2024
Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]
Rewterz Threat Alert – APT10 Group Targets Multiple Sectors in Multiple Countries, Including Finance, IT and Energy sectors
February 1, 2019
REWTERZ THREAT Advisory – LibreOffice and OpenOffice Remote Code Execution Vulnerability
February 6, 2019
Rewterz Threat Alert – APT10 Group Targets Multiple Sectors in Multiple Countries, Including Finance, IT and Energy sectors
February 1, 2019
REWTERZ THREAT Advisory – LibreOffice and OpenOffice Remote Code Execution Vulnerability
February 6, 2019
SEVERITY : Medium
CATEGORY: Cyber-crime
CookieMiner is a new malware strain ex-filtrating web browser cookies related to online wallet services and crypto-currency exchange websites. It’s able to peek through passwords, text messages, and credit card credentials on Mac devices, reports BleepingComputer. For a codified and secure communication, these attackers use EmPyre Backdoor for sending arbitrary commands to the target Macs post initial infection.
The attack starts with a shell script which starts collecting browser cookies associated with cryptocurrency and uploads them to a remote server. The Malware mines for cryptocurrencies including Binance, Coinbase, Poloniex, Bittrex, Bitstamp, MyEtherWallet, and any website having a domain name associated with blockchain.
The malware extracts credit card information and login credentials through the data stored locally by both Apple’s Safari and Google’s Chrome. The malware is also designed to scan for wallet information.
IMPACT
- Steals Google Chrome and Apple Safari browser cookies from the victim’s machine
- Steals saved usernames and passwords in Chrome
- Steals saved credit card credentials in Chrome
- Steals iPhone’s text messages if backed up to Mac
- Steals cryptocurrency wallet data and keys
- Keeps full control of the victim using the EmPyre backdoor
- Mines cryptocurrency on the victim’s machine.
INDICATORS OF COMPROMISE
IP(s) / Hostname(s)
46.226.108[.]171
URLs
hxxps://ptpb[.]pw/OAZG
Filename
- OAZG
- com[.]apple[.]rig2[.]plist
- output[.]115113432[.]txt
- com[.]proxy[.]initialize[.]plist
- xmrig2
- harmlesslittlecode[.]py
- uploadminer[.]sh
Malware Hash (MD5/SHA1/SH256)
27ccebdda20264b93a37103f3076f6678c3446a2c2bfd8a73111dbc8c7eeeb71
91b3f5e5d3b4e669a49d9c4fc044d0025cabb8ebb08f8d1839b887156ae0d6dd
cdb2fb9c8e84f0140824403ec32a2431fb357cd0f184c1790152834cc3ad3c1b
ede858683267c61e710e367993f5e589fcb4b4b57b09d023a67ea63084c54a05
c65e65207f6f9f8df05e02c893de5b3c04825ac67bec391f0b212f4f33a31e80
485c2301409a238affc713305dc1a465afa9a33696d58e8a84e881a552b82b06
Remediation
Block the threat indicators at their respective controls. Do not save any credentials on these browsers.