Rewterz Threat Alert – Coronavirus-Themed Domain Hosts a Phishing Kit
April 7, 2020Rewterz Threat Advisory – ICS: Advantech WebAccess/NMS Multiple Vulnerabilities
April 8, 2020Severity
Medium
Analysis Summary
We found a Coinminer bundled with the legitimate installer of video conferencing app Zoom, luring users who want to install the software but unknowingly end up downloading a malicious file. The compromised files are not from Zoom’s official download center, and are assumed to come from fraudulent websites. Users who attempt to download the installer from random sources are at the risk of downloading the AutoIt compiled malware Trojan.Win32.MOOZ.THCCABO. Below are the contents of the malicious file, including but not limited to the legitimate Zoom installer.
The 7-Zip archive file will soon be copied as CR_Debug_log.txt. 7-Zip archiver CL_Debug_log.txt is used to decompress this password-protected archive. The file gathers information such as Graphics Processing Unit (GPU) information using Windows Management Instrumentation (WMI queries), which is useful information for mining activities. It also collects details on CPU, system, operating system version, video controllers, and processors.
It also checks whether the Microsoft SmartScreen and Windows Defender are enabled and if the antivirus solutions listed below are running in the system:
| Process Name | Antivirus solution |
| AvastUI.exe / AvastSvc.exe | Avast |
| avguix.exe / AVGUI.exe | AVG |
| avp.exe / avpui.exe | Kaspersky |
| dwengine.exe | Dr. Web |
| egui.exe / ekrn.exe | ESET NOD32 |
| MBAMService.exe | Malwarebytes |
The gathered info will be sent to hxxps://2no.co/1IRnc using HTTP GET request. To evade detection, helper.exe checks whether some processes are running. Aside from security tools, this list also includes other monitoring tools that can help detect mining activity. It will then spawn the Tor binaries to start with coinmining.
Impact
- Coin mining
- System power usage
- Possible Denial of Service
Indicators of Compromise
Filename
asacpiex[.]dll
CR_Debug_Log[.]txt
CL_Debug_Log[.]txt
MD5
- d28947e45827b68d6c5c2bf40a1c19b1
- 2880073f86a4b5144b57fce296e46345
SHA-256
- 04b560d234e8706d5e43532e9e674ee54ed6f63d62795fb0e5776e23da7eb4d8
- d65e8a784c2ba0d9f7a029e1817b78b31324fb8c988e0467fd693b0efd890756
SHA1
- 2393a2585317007ad0a37d42beea229a8bcbeb6d
- c7d271855c08231209d0e2194ba1120aaac1e387
URL
- https[:]//2no[.]co/1IRnc
- https[:]//2no[.]co/1O5aW
Remediation
- IoCs should be blocked at their respective controls.
- Users are advised to only download installers from applications’ official websites to avoid such compromise.