
Rewterz Threat Alert – Active Cryptomining Worm

January 13, 2020

Severity

High

Analysis Summary

An active cryptomining worm is compromising servers and installing a cryptominer. The attacks appear to target vulnerable Exim, Confluence, and WebLogic servers. After a system is compromised, a deployment BASH script is downloaded and executed. If the system is already infected, the script terminates the existing mining processes. It then reads the known_hosts file for other potential hosts to infect. Next it downloads an ELF binary named “omelette” and another BASH script called “sesame”, using wget, curl, python2/3, or php, whichever is available on the infected system. Binaries are available for x86, x86-64, and AArch64, so infection is possible on each of these architectures. A cron job that runs sesame every five minutes provides persistence; if the system uses systemd, a service called “cloud-agent” is created as well. The miner deployed is a modified version of the open-source XMRig Monero miner.
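As an added host-triage example (not part of the advisory), the code below checks constructed crontab output, systemd unit names, process command lines and remote IPs against the artifact names this advisory gives (sesame, cloud-agent, omelette, the two IPs), and lists the peers named in known_hosts so the incident can be scoped to the hosts the worm would have tried next. All sample paths and hosts are hypothetical.

```python
import re

# Artifact names given in the advisory text; IPs with de-fanging brackets removed.
CRON_SCRIPT, SYSTEMD_UNIT, MINER_BINARY = "sesame", "cloud-agent", "omelette"
ADVISORY_IPS = {"51.15.56.161", "51.38.133.232"}
# "*/5 * * * *" is the every-five-minutes schedule the advisory describes.
EVERY_FIVE_MIN = re.compile(r"^\*/5\s+\*\s+\*\s+\*\s+\*\s+(?P<cmd>.+)$")


def find_indicators(crontab_text, unit_names, process_cmdlines, remote_ips):
    """Return one finding string per advisory artifact present in the inputs."""
    findings = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if line.startswith("#") or not line:
            continue
        m = EVERY_FIVE_MIN.match(line)
        if m and CRON_SCRIPT in m.group("cmd"):
            findings.append(f"cron: five-minute job runs {CRON_SCRIPT}: {line}")
    for unit in unit_names:
        if unit.split(".")[0] == SYSTEMD_UNIT:  # "cloud-agent.service" or bare name
            findings.append(f"systemd: unit {unit} matches advisory persistence")
    for cmd in process_cmdlines:
        if re.search(rf"(^|/){MINER_BINARY}(\s|$)", cmd):  # whole path component only
            findings.append(f"process: {MINER_BINARY} is running: {cmd}")
    for ip in sorted(set(remote_ips) & ADVISORY_IPS):
        findings.append(f"network: connection to advisory IP {ip}")
    return findings


def hosts_from_known_hosts(text):
    """Peers named in known_hosts, the file the worm reads for further hosts;
    use it to scope the incident. Hashed entries (|1|...) cannot be read and are skipped."""
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "|1|")):
            continue
        for h in line.split()[0].split(","):
            hosts.append(h.lstrip("[").split("]:")[0])  # "[host]:port" -> "host"
    return hosts


# Constructed sample inputs (hypothetical paths and hosts, not from the advisory).
SAMPLE_CRONTAB = "# m h dom mon dow\n*/5 * * * * /tmp/.x/sesame >/dev/null 2>&1\n0 3 * * * /usr/bin/backup\n"
SAMPLE_UNITS = ["sshd.service", "cloud-agent.service", "cron.service"]
SAMPLE_PROCS = ["/usr/sbin/sshd -D", "/tmp/.x/omelette -o pool.example:3333", "/usr/bin/omelette_viewer"]
SAMPLE_REMOTE_IPS = ["10.0.0.7", "51.15.56.161"]
SAMPLE_KNOWN_HOSTS = "10.0.0.4 ssh-ed25519 AAAA\n[10.0.0.5]:2222,db1 ssh-rsa AAAA\n|1|abc=|def= ssh-rsa AAAA\n"
```

On a live host the same functions would be fed the output of `crontab -l` for each user, `systemctl list-unit-files`, the process list and current connections; the hash indicators below complement this by confirming the downloaded binaries.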

Impact

  • Theft of Cryptocurrency
  • Network-wide infection 
  • Financial loss

Indicators of Compromise

IP

  • 51[.]15[.]56[.]161
  • 51[.]38[.]133[.]232

MD5

  • 21a9cac30458fb4dbf190df3edea965a
  • b120c895e8e78102b1ee1904ace11899
  • c6f69418ed39df7557a3d4c07793a923

SHA-256

  • 716042b8e32cfb364b04c4e068a37a8e60c928e4fd32c894282c5d658c138684
  • e2964214fdbfb51d5b33944cc9ca05821518a4bad01f750cee8f0d00f68a6176
  • f00258815853f767d70897db7263f740b161c39ee50c46c26ab247afb824459a

SHA-1

  • 84a8a72ba58851c2810204f0ec444fec0ab7f895
  • 2bd781029bd373f45ff0965c81c543d15014d2eb
  • 81815d6a730a891d377d4f128ca3d66379bb76c8

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.
  • Keep all software updated to the latest patched versions to close known security vulnerabilities.