Earlier this week, Mozilla released a fix for a critical vulnerability in Firefox that can lead to remote code execution. The vulnerability has been under active exploitation and a security researcher has discovered a piece of malware planted on a Mac during an attack on the Firefox bug, malware that bears a striking resemblance to a malware variant from 2012.
The vulnerability is a type confusion bug that occurs when Firefox handles some JavaScript objects. Mozilla patched the flaw on June 18 in Firefox 67.0.3, but by then it was already being used in targeted attacks. One of those attacks hit some employees of Coinbase, a cryptocurrency exchange, and the security team there was able to detect the attacks and figure out what was going on.
“On Monday, Coinbase detected & blocked an attempt by an attacker to leverage the reported 0-day, along with a separate 0-day firefox sandbox escape, to target Coinbase employees,” Pihillip Martin, a member of Coinbase’s security team, said in a thread on Twitter.
“We walked back the entire attack, recovered and reported the 0-day to firefox, pulled apart the malware and infra used in the attack and are working with various orgs to continue burning down attacker infrastructure and digging into the attacker involved.”
Before that attack happened, a separate victim discovered his machine had been compromised using the same Firefox bug and found a piece of persistent malware had been installed. The victim sent the malware binary to Mac security researcher Patrick Wardle of Digita Security for analysis, and Wardle quickly discovered that while the binary had been submitted to the VirusTotal site, only one antimalware engine detected it, calling it OSX Netwire. That piece of malware first popped up in 2012 and was a password-stealing trojan back then. The new malware Wardle was looking at contained some identical strings as the older one, but the functionality of the two is different.
Wardle also discovered that Apple’s XProtect antimalware system, which is built into OS X, already had a signature that detected something called Netwire. The signature was added in 2016, long after the first iteration of Netwire was seen, and long before the recent version appeared.
“Interestingly Apple’s signature does not detect the sample from 2012 (as it does not contain the User-Agent: Mozilla... string). This is first (of many) indicator that these samples, while somehow related are unsurprisingly not the same,” Wardle said.
The newer version of Netwire uses two separate mechanisms in order to persist on the infected machine, and Wardle said he believes that both versions were written by the same person or team of people. The malware persists once as a launch agent and once as a login item, and Wardle points out that the Netwire malware was able to get around Apple’s Gatekeeper security system, as well.
“This is actually unsurprising as the malware was delivered by a remote 0day exploit. Gatekeeper only scans applications that have a quarantine attribute set. This is added by the application (i.e. browser) or OS only when the application is downloaded via normal means (i.e. by the user). Exploit code that downloads a payload (such as malicious application) will not set a quarantine attribute (or can remove it), thus will not trigger Gatekeeper!” Wardle said.