Rewterz Threat Alert
October 26, 2020
Severity
High
Analysis Summary
Three malware families have been observed abusing the XMRig miner for monetary gain. The first, dubbed "ransominer" because it combines ransomware with crypto-mining, begins with a common Trojan installed on the victim's machine to install administration programs, add a new user, and open RDP access. A ransomware payload is then executed, followed by the XMRig loader: while the victim is looking at the ransom note, Monero is being mined in the background.

The second family is the Prometei backdoor. After a few years in operation it expanded its capabilities to include distributing XMRig. After brute-forcing MS SQL credentials and gaining access, the operators run PowerShell scripts and elevate privileges, then install both Purple Fox and Prometei on the host. Finally, the XMRig miner is downloaded from the C2 server and executed.

The third family is the Cliptomaner miner. It behaves much like the other two but adds the ability to replace crypto-wallet addresses in the clipboard, and instead of being written in a compiled language it is written entirely in AutoIt.
Impact
- Privilege Escalation
- Denial of Service
- Credential Theft
- Unauthorized Resource Consumption
Indicators of Compromise
Domain Name
- srhost[.]xyz
- taskhostw[.]com
- 2fsdfsdgvsdvzxcwwef-defender[.]xyz
- svchost[.]xyz
- sihost[.]xyz
Remediation
- Block the threat indicators at their respective controls.
- Do not download files attached in untrusted emails.
- Keep all systems and software updated to the latest patched versions.
- Enable multi-factor authentication.
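One way to act on the first remediation item for the domain indicators above: refang the defanged names and match them against DNS query logs, counting a hit only for the domain itself or a true subdomain so that lookalike names with a different suffix are not flagged. This is an added example, not Rewterz's tooling; the DNS log lines and the log format are constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Defanged domains exactly as listed in the alert
DEFANGED_IOC_DOMAINS = [
    "srhost[.]xyz",
    "taskhostw[.]com",
    "2fsdfsdgvsdvzxcwwef-defender[.]xyz",
    "svchost[.]xyz",
    "sihost[.]xyz",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator ("svchost[.]xyz") back into a matchable hostname."""
    return domain.replace("[.]", ".").lower().rstrip(".")


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOC_DOMAINS}


def matches_ioc(hostname: str) -> Optional[str]:
    """Return the matching IoC domain if hostname equals it or is a subdomain of it.

    A name that merely starts with the indicator (e.g. svchost.xyz.corp.local,
    as produced by a DNS search-suffix append) is deliberately not a match.
    """
    host = hostname.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


# Constructed sample DNS query log (hypothetical format: timestamp, client, query, type, name)
SAMPLE_DNS_LOG = """\
2020-10-26T10:01:12Z 10.0.0.15 query A svchost.xyz
2020-10-26T10:01:13Z 10.0.0.15 query A update.microsoft.com
2020-10-26T10:02:40Z 10.0.0.22 query A cdn.taskhostw.com
2020-10-26T10:03:05Z 10.0.0.31 query A sihost.xyz.
2020-10-26T10:03:09Z 10.0.0.31 query A svchost.xyz.corp.local
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+\S+\s+(?P<qname>\S+)$")


def scan_dns_log(text: str) -> List[Dict[str, str]]:
    """Return one hit per log line whose queried name resolves to an alert domain."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        ioc = matches_ioc(m["qname"])
        if ioc:
            hits.append({"ts": m["ts"], "client": m["client"], "qname": m["qname"], "ioc": ioc})
    return hits
```

Feeding the sample log through `scan_dns_log` flags the three clients that queried svchost.xyz, cdn.taskhostw.com and sihost.xyz, while the search-suffix lookalike on the last line is left alone.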