
Rewterz Threat Alert – Coinminer Bundled with Zoom Installer

April 7, 2020

Severity

Medium

Analysis Summary

We found a coinminer bundled with the legitimate installer of the Zoom video conferencing app. The bundle lures users who want to install the software into running a malicious file alongside it. The compromised files do not come from Zoom's official download center and are assumed to be distributed through fraudulent websites. Users who fetch the installer from untrusted sources risk downloading the AutoIt-compiled malware Trojan.Win32.MOOZ.THCCABO. The contents of the malicious file, which include (but are not limited to) the legitimate Zoom installer, are shown below.

Figure 2 and Figure 3: contents of the malicious bundle alongside the legitimate Zoom installer (images not reproduced here).

The dropped 7-Zip archive (asacpiex.dll in the IoC list below) is copied to CR_Debug_Log.txt, and CL_Debug_Log.txt, which is a renamed 7-Zip command-line archiver, is used to decompress this password-protected archive. The extracted component (helper.exe) gathers Graphics Processing Unit (GPU) details through Windows Management Instrumentation (WMI) queries, information that is directly useful for mining. It also collects details on the CPU, the system, the operating system version, video controllers and processors.
It then checks whether Microsoft SmartScreen and Windows Defender are enabled and whether any of the antivirus solutions listed below are running on the system:

Process name                    Antivirus solution
AvastUI.exe / AvastSvc.exe      Avast
avguix.exe / AVGUI.exe          AVG
avp.exe / avpui.exe             Kaspersky
dwengine.exe                    Dr.Web
egui.exe / ekrn.exe             ESET NOD32
MBAMService.exe                 Malwarebytes

The gathered information is sent to hxxps://2no.co/1IRnc via an HTTP GET request. To evade detection, helper.exe checks whether certain processes are running; besides security products, this list includes other monitoring tools (for example, task and performance monitors) that could reveal mining activity. It then launches bundled Tor binaries and starts coinmining.
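The behaviour above leaves a small, characteristic trail in process-creation and network telemetry: a "document" named CL_Debug_Log.txt is executed as a process (CreateProcess does not require an .exe suffix), the dropped file names appear on command lines, the collected inventory is posted to 2no.co, and helper.exe spawns Tor. The following detection logic, written for this advisory as an added example and not code from Rewterz or from the malware analysis, runs those checks over constructed Sysmon-style event records. The event field names (EventType, Image, ParentImage, CommandLine, DestinationHostname), the sample events themselves and the Tor image name tor.exe are assumptions; the advisory names helper.exe and the dropper files but not the Tor binary.

```python
from __future__ import annotations

import os

# Indicators taken from the advisory above.
IOC_FILENAMES = {"asacpiex.dll", "cr_debug_log.txt", "cl_debug_log.txt"}
IOC_HOSTS = {"2no.co"}
# Image extensions a Windows process is normally launched from.
PE_EXTENSIONS = {".exe", ".com", ".scr", ".pif"}
# Assumption: the Tor binary spawned by helper.exe is named tor.exe;
# the advisory does not give its file name.
TOR_IMAGE = "tor.exe"


def basename(win_path: str) -> str:
    """Lower-cased final component of a Windows path, portable across OSes."""
    return win_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(event: dict) -> list[str]:
    """Return the detection names that fire on one Sysmon-style event."""
    hits: list[str] = []
    kind = event.get("EventType")
    if kind == "ProcessCreate":
        image = basename(event.get("Image", ""))
        parent = basename(event.get("ParentImage", ""))
        cmdline = event.get("CommandLine", "").lower()
        # CreateProcess does not require an .exe suffix, which is how the
        # renamed 7-Zip binary CL_Debug_Log.txt can run at all.
        if image and os.path.splitext(image)[1] not in PE_EXTENSIONS:
            hits.append("exec_non_pe_extension")
        if image in IOC_FILENAMES or any(n in cmdline for n in IOC_FILENAMES):
            hits.append("known_dropper_filename")
        if parent == "helper.exe" and image == TOR_IMAGE:
            hits.append("helper_spawns_tor")
    elif kind == "NetworkConnect":
        host = event.get("DestinationHostname", "").lower()
        if host in IOC_HOSTS or any(host.endswith("." + h) for h in IOC_HOSTS):
            hits.append("ioc_beacon_host")
    return hits


# Constructed sample telemetry (not real logs), in execution order.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate",
     "Image": r"C:\Users\victim\Downloads\ZoomInstaller.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "ZoomInstaller.exe"},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Users\victim\AppData\Local\Temp\CL_Debug_Log.txt",
     "ParentImage": r"C:\Users\victim\Downloads\ZoomInstaller.exe",
     "CommandLine": "CL_Debug_Log.txt x -pnotreal CR_Debug_Log.txt"},
    {"EventType": "NetworkConnect",
     "Image": r"C:\Users\victim\AppData\Local\Temp\helper.exe",
     "DestinationHostname": "2no.co", "DestinationPort": 443},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Users\victim\AppData\Local\Temp\tor.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\helper.exe",
     "CommandLine": "tor.exe"},
    {"EventType": "NetworkConnect",
     "Image": r"C:\Program Files\Zoom\bin\Zoom.exe",
     "DestinationHostname": "zoom.us", "DestinationPort": 443},
]


def triage(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> detections, keeping only events that fired."""
    return {i: hits for i, e in enumerate(events) if (hits := detect(e))}


if __name__ == "__main__":
    for idx, names in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["Image"], names)
```

The non-PE-extension rule is the most general of the four and will also fire on legitimate oddities (some installers run helpers with unusual suffixes), so treat it as a hunting lead and let the filename, beacon host and helper.exe-to-Tor rules raise the confidence of an alert rather than alerting on any single rule alone.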

Impact

  • Unauthorized coin mining using the victim's CPU and GPU
  • Increased system power consumption and degraded performance
  • Possible denial of service through resource exhaustion

Indicators of Compromise

Filename

asacpiex[.]dll
CR_Debug_Log[.]txt
CL_Debug_Log[.]txt

MD5

  • d28947e45827b68d6c5c2bf40a1c19b1
  • 2880073f86a4b5144b57fce296e46345

SHA-256

  • 04b560d234e8706d5e43532e9e674ee54ed6f63d62795fb0e5776e23da7eb4d8
  • d65e8a784c2ba0d9f7a029e1817b78b31324fb8c988e0467fd693b0efd890756

SHA-1

  • 2393a2585317007ad0a37d42beea229a8bcbeb6d
  • c7d271855c08231209d0e2194ba1120aaac1e387

URL

  • https[:]//2no[.]co/1IRnc
  • https[:]//2no[.]co/1O5aW

Remediation

  • Block the listed IoCs (file names, hashes and URLs) at the respective controls.
  • Download installers only from the application vendor's official website. Before running an installer obtained from anywhere else, compare its hash with the vendor's published value and confirm that it carries a valid digital signature from the vendor.
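Blocking IoCs at "their respective controls" means two concrete things for this advisory: feeding the refanged URLs to the proxy or DNS blocklist, and sweeping endpoints for the dropped file names and hashes. The script below, added here as an example and not Rewterz's own tooling, does both on a constructed directory tree: it refangs the defanged indicators, hashes every file once for MD5, SHA-1 and SHA-256 in a single streaming pass, and reports any file whose name or digest matches the IoC set. Because no file with the advisory's real hashes can be fabricated, the demo adds the SHA-256 of its own constructed payload to a copy of the IoC set; the sample files, their contents and the demo() helper are assumptions.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# IoCs from the advisory above.
IOC_HASHES = {
    "md5": {"d28947e45827b68d6c5c2bf40a1c19b1",
            "2880073f86a4b5144b57fce296e46345"},
    "sha1": {"2393a2585317007ad0a37d42beea229a8bcbeb6d",
             "c7d271855c08231209d0e2194ba1120aaac1e387"},
    "sha256": {"04b560d234e8706d5e43532e9e674ee54ed6f63d62795fb0e5776e23da7eb4d8",
               "d65e8a784c2ba0d9f7a029e1817b78b31324fb8c988e0467fd693b0efd890756"},
}
IOC_FILENAMES = {"asacpiex.dll", "cr_debug_log.txt", "cl_debug_log.txt"}
IOC_URLS = ["https[:]//2no[.]co/1IRnc", "https[:]//2no[.]co/1O5aW"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a usable blocklist entry."""
    return (indicator.replace("hxxp", "http")
                     .replace("[:]", ":")
                     .replace("[.]", "."))


def hash_file(path: Path, chunk_size: int = 1 << 20) -> dict[str, str]:
    """MD5, SHA-1 and SHA-256 of a file in one pass, streaming in chunks."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(),
               "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def match_file(path: Path, hashes=IOC_HASHES, names=IOC_FILENAMES) -> list[str]:
    """Tags for every indicator the file matches (filename and/or hash)."""
    tags = []
    if path.name.lower() in names:
        tags.append("filename:" + path.name.lower())
    for algo, value in hash_file(path).items():
        if value in hashes.get(algo, ()):
            tags.append(f"{algo}:{value}")
    return tags


def scan_tree(root, hashes=IOC_HASHES, names=IOC_FILENAMES) -> dict[str, list[str]]:
    """Walk a directory tree and return {relative path: tags} for matches."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            tags = match_file(path, hashes, names)
            if tags:
                findings[path.relative_to(root).as_posix()] = tags
    return findings


def demo() -> dict[str, list[str]]:
    """Scan a constructed sample tree (assumption: not real malware).

    The fake payload's SHA-256 is added to a copy of the IoC set because no
    file with the advisory's real hashes can be fabricated here."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "drop").mkdir()
        (root / "drop" / "CR_Debug_Log.txt").write_bytes(b"constructed archive bytes")
        (root / "drop" / "payload.bin").write_bytes(b"constructed payload bytes")
        (root / "ZoomInstaller.exe").write_bytes(b"constructed benign bytes")
        hashes = {algo: set(values) for algo, values in IOC_HASHES.items()}
        hashes["sha256"].add(hashlib.sha256(b"constructed payload bytes").hexdigest())
        return scan_tree(root, hashes)


if __name__ == "__main__":
    for url in IOC_URLS:
        print("block:", refang(url))
    for rel_path, tags in demo().items():
        print(rel_path, tags)
```

Filename matches are weaker evidence than hash matches (an attacker can rename the archive, and an unrelated file could share a name), so on a real host treat a filename-only hit as a reason to collect the file and hash it, and a hash hit as confirmation.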
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.