Week 25, 2019

Coinbase | Firefox | LoudMiner | Libra

No exchange hacks were reported this week, but Coinbase disclosed that it had been targeted by a spear-phishing campaign that delivered two 0-day exploits (the Firefox bugs in this week's headline). Several new malware families were also reported, including a clever cryptominer hidden inside pirated copies of audio-synthesizer (VST) software.

News:

Bugs:

Malware:

  • LoudMiner: Cross‑platform mining in cracked VST software - an interesting cryptominer that ships bundled with pirated (cracked) copies of VST audio software. VST (Virtual Studio Technology) is a plugin standard for audio synthesizers and effects; such software is legitimately CPU-hungry, which makes it ideal cover for a miner's load. The miner itself runs inside a Linux virtual machine launched with QEMU, which lets one payload execute on different host platforms and adds a layer of obfuscation, since host-side tools see only the hypervisor process rather than the miner.

    Indicators:
    vstcrack[.]com (137[.]74[.]151[.]144)
    d-d[.]host (185[.]112[.]158[.]44)
    d-d[.]live (185[.]112[.]156[.]227)
    d-d[.]space (185[.]112[.]157[.]79)
    m-m[.]icu (185[.]112[.]157[.]118)
    (see the link above for additional indicators)

  • Malware sidesteps Google permissions policy with new 2FA bypass technique - a new Android malware sample that harvests one-time passwords (OTPs) from SMS-based 2FA without holding any SMS permission. Since March 2019 Google has restricted the SMS and call-log permissions to a few app categories; this sample works around that by requesting notification access instead and reading the OTP out of the notification that displays the incoming message. The malware impersonates the Turkish exchange BtcTurk and is designed to steal login credentials for the service.

    Indicators:
    Detection name: Android/FakeApp.KP
    Package name / MD5:
    btcturk.pro.beta 8C93CF8859E3ED350B7C8722E4A8F9A3
    com.app.btsoft.app 843368F274898B9EF9CD3E952EEB16C4
    com.app.elipticsoft.app 336CE9CDF788228A71A3757558FAA012
    com.koinks.mobilpro 4C0B9A665A5A1F5DCCB67CC7EC18DA54

  • Plurox: Modular backdoor - a new modular backdoor whose plugins include several cryptominers, with the miner chosen to suit the CPU/GPU capabilities of the infected host.

    Indicators:
    178[.]21[.]11[.]90
    185[.]146[.]157[.]143
    37[.]140[.]199[.]65
    194[.]58[.]92[.]63
    obuhov2k[.]beget[.]tech
    webdynamicname[.]com
    37[.]46[.]131[.]250
    188[.]93[.]210[.]42

  • Cryptocurrency-Mining Botnet Malware Arrives Through ADB and Spreads Through SSH - a new cryptomining botnet that gains initial access through Android Debug Bridge (ADB) ports left exposed to the network (ADB over TCP listens on 5555 by default) and then spreads laterally over SSH. Samples target both Android devices and x86 Linux hosts; most detections were in South Korea.

    Indicators:
    45[.]67[.]14[.]179
    hxxp://198[.]98[.]51[.]104:282

Research:

That’s all for this week’s threat intelligence report. Stay safe and see you next week!