Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
SEVERITY: Medium
CATEGORY: Cyber-crime
CookieMiner is a new malware strain that exfiltrates web browser cookies related to online wallet services and cryptocurrency exchange websites. It is also able to harvest passwords, text messages, and credit card details on Mac devices, reports BleepingComputer. For encoded and secure communication, the attackers use the EmPyre backdoor to send arbitrary commands to the targeted Macs after the initial infection.
The attack starts with a shell script that collects browser cookies associated with cryptocurrency and uploads them to a remote server. The malware targets cookies from cryptocurrency services including Binance, Coinbase, Poloniex, Bittrex, Bitstamp, MyEtherWallet, and any website whose domain name is associated with blockchain.
The malware also extracts credit card information and login credentials from the data stored locally by Apple’s Safari and Google’s Chrome, and it is designed to scan for wallet information.
IMPACT
INDICATORS OF COMPROMISE
IP(s) / Hostname(s)
46.226.108[.]171
URLs
hxxps://ptpb[.]pw/OAZG
Filename
Malware Hash (MD5/SHA1/SHA256)
Remediation
Block the threat indicators at their respective controls. Do not save any credentials in these browsers.
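As an added example, not part of the advisory, the Python below refangs the defanged network indicators listed above and sweeps a few constructed proxy-log lines for them, the kind of check a blue team runs before and after blocking the indicators at its controls. The log format and client addresses are assumptions; file hashes from the advisory would be matched the same way against a separate hash set.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Network indicators from the advisory, in the defanged form it uses.
DEFANGED_IOCS = [
    "46.226.108[.]171",
    "hxxps://ptpb[.]pw/OAZG",
]


def refang(value: str) -> str:
    """Turn a defanged indicator back into its literal form."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


def ioc_sets(defanged):
    """Split refanged indicators into IP, host and URL sets for matching."""
    ips, hosts, urls = set(), set(), set()
    for raw in defanged:
        ioc = refang(raw)
        if "://" in ioc:
            urls.add(ioc.lower())
            hosts.add(urlsplit(ioc).hostname.lower())
            continue
        try:
            ips.add(str(ip_address(ioc)))
        except ValueError:
            hosts.add(ioc.lower())
    return ips, hosts, urls


# Constructed proxy log lines: client ip, dest host, url, dest ip.
SAMPLE_LOG = """\
10.0.0.5 www.example.com https://www.example.com/ 192.0.2.10
10.0.0.7 ptpb.pw https://ptpb.pw/OAZG 46.226.108.171
10.0.0.9 updates.vendor.test https://updates.vendor.test/x 198.51.100.20
"""


def sweep(log_text, defanged=DEFANGED_IOCS):
    """Return (client, reason) pairs for log lines that touch an indicator."""
    ips, hosts, urls = ioc_sets(defanged)
    hits = []
    for line in log_text.splitlines():
        client, host, url, dst_ip = line.split()
        if dst_ip in ips:
            hits.append((client, f"ip:{dst_ip}"))
        elif host.lower() in hosts or url.lower() in urls:
            hits.append((client, f"host:{host}"))
    return hits


if __name__ == "__main__":
    for client, reason in sweep(SAMPLE_LOG):
        print(client, reason)
```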