Malware Watch - W/E - 2/1/19

CookieMiner Malware Targets Macs, Siphons Cryptocurrency Exchanges' Cookies (01/31/2019)
Palo Alto Networks has uncovered a new Mac malware that steals browser cookies associated with mainstream cryptocurrency exchanges and wallet service Web sites visited by the victim. "CookieMiner," which evolved from the DarthMiner Mac malware, can also steal passwords saved in Chrome and swipe iPhone text messages from iTunes backups on the tethered Mac. It can additionally configure the system to load coin mining software.

Cybercriminals Hide Malware in WordPress Theme License Key (01/30/2019)
Sucuri uncovered a hidden, encoded spam injector on a WordPress Web site that had been formatted to look like a theme's license key. The attacker added the malware to a legitimate file to avoid suspicion and used Base64 to disguise it. "A license key is a place where a Webmaster might not expect to find an infection. The attacker formatted the encoded injector to look like a theme's license key in order to distract the eyes of a less-trained security analyst from suspecting this to be malicious code," Sucuri's Moe Obaid said.
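A defender-side check for the technique described above, added here as an example and not Sucuri's own tooling: it scans PHP source for long Base64 string literals and flags any whose decoded bytes look like PHP code or code-loading calls. The sample theme file, its variable names and the encoded payload are constructed for illustration.

```python
import base64
import re
from typing import Dict, List

# Constructed sample: one real-looking product key and one "license key" that
# is actually a Base64-encoded PHP fragment (a benign stand-in for an injector).
INJECTED_PHP = b"<?php /* constructed benign stand-in for the injector */ echo 'spam'; ?>"
SAMPLE_THEME_FILE = (
    "<?php\n"
    "$theme_license_key = 'ABCD-1234-EFGH-5678';\n"
    "$license_key = '" + base64.b64encode(INJECTED_PHP).decode() + "';\n"
    "function theme_setup() { add_theme_support('title-tag'); }\n"
)
# Constructed control case: a long Base64 literal that decodes to plain text, not code.
CLEAN_THEME_FILE = (
    "<?php\n$license_key = '"
    + base64.b64encode(b"just a harmless configuration string, nothing to see").decode()
    + "';\n"
)

# Only Base64 runs long enough to carry code are considered; short product keys
# (which also contain '-') never match.
B64_RE = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")
# Decoded content is suspicious when it is PHP source or invokes code-loading functions.
PHP_MARKERS = (b"<?php", b"eval(", b"base64_decode(", b"assert(",
               b"create_function(", b"preg_replace(")


def find_encoded_php(source: str) -> List[Dict[str, object]]:
    """Return one finding per Base64 literal whose decoded bytes look like PHP code."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in B64_RE.finditer(line):
            blob = match.group(1)
            try:
                decoded = base64.b64decode(blob, validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            hits = [m.decode() for m in PHP_MARKERS if m in decoded]
            if hits:
                findings.append({"line": lineno, "length": len(blob), "markers": hits,
                                 "preview": decoded[:60].decode("latin-1")})
    return findings


if __name__ == "__main__":
    for f in find_encoded_php(SAMPLE_THEME_FILE):
        print(f"line {f['line']}: {f['length']}-char Base64 decodes to PHP {f['markers']}")
```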

So-Called Beauty Apps on Google Play Push Porn to Unsuspecting Users (01/30/2019)
Trend Micro spotted several beauty camera apps on Google Play that contact remote ad configuration servers which can be used for malicious purposes. Some of these apps have been downloaded millions of times. The apps push several full-screen ads when users unlock their devices, including malicious ads (such as fraudulent content and pornography) that pop up in the user's browser. Google has since removed the malicious apps, which Trend Micro detects as AndroidOS_BadCamera.HRX.

Updated Remexi Malware Used by Chafer Cyberspy Operation (01/30/2019)
The Chafer cyber espionage campaign is using an updated Remexi malware variant that can exfiltrate keystrokes, screenshots, and browser-related data such as cookies and history. The Trojan uses standard Windows utilities, notably bitsadmin.exe, the command-line tool for the Microsoft Background Intelligent Transfer Service (BITS), to receive commands and exfiltrate data. Chafer primarily targets foreign diplomatic entities based in Iran. Kaspersky Lab has published further information regarding the updated version of Remexi.