Rewterz Threat Alert – Coronavirus-Themed Domain Hosts a Phishing Kit

April 7, 2020

Rewterz Threat Advisory – ICS: Advantech WebAccess/NMS Multiple Vulnerabilities

April 8, 2020

Rewterz Threat Alert – Coinminer Bundled with Zoom Installer

April 7, 2020

Severity

Medium

Analysis Summary

We found a Coinminer bundled with the legitimate installer of video conferencing app Zoom, luring users who want to install the software but unknowingly end up downloading a malicious file. The compromised files are not from Zoom’s official download center, and are assumed to come from fraudulent websites. Users who attempt to download the installer from random sources are at the risk of downloading the AutoIt compiled malware Trojan.Win32.MOOZ.THCCABO. Below are the contents of the malicious file, including but not limited to the legitimate Zoom installer.

The 7-Zip archive file will soon be copied as CR_Debug_log.txt. 7-Zip archiver CL_Debug_log.txt is used to decompress this password-protected archive. The file gathers information such as Graphics Processing Unit (GPU) information using Windows Management Instrumentation (WMI queries), which is useful information for mining activities. It also collects details on CPU, system, operating system version, video controllers, and processors.
It also checks whether the Microsoft SmartScreen and Windows Defender are enabled and if the antivirus solutions listed below are running in the system:

Process Name	Antivirus solution
AvastUI.exe / AvastSvc.exe	Avast
avguix.exe / AVGUI.exe	AVG
avp.exe / avpui.exe	Kaspersky
dwengine.exe	Dr. Web
egui.exe / ekrn.exe	ESET NOD32
MBAMService.exe	Malwarebytes

The gathered info will be sent to hxxps://2no.co/1IRnc using HTTP GET request. To evade detection, helper.exe checks whether some processes are running. Aside from security tools, this list also includes other monitoring tools that can help detect mining activity. It will then spawn the Tor binaries to start with coinmining.

Impact

Coin mining
System power usage
Possible Denial of Service

Indicators of Compromise

Filename

asacpiex[.]dll
CR_Debug_Log[.]txt
CL_Debug_Log[.]txt

MD5

d28947e45827b68d6c5c2bf40a1c19b1
2880073f86a4b5144b57fce296e46345

SHA-256

04b560d234e8706d5e43532e9e674ee54ed6f63d62795fb0e5776e23da7eb4d8
d65e8a784c2ba0d9f7a029e1817b78b31324fb8c988e0467fd693b0efd890756

SHA1

2393a2585317007ad0a37d42beea229a8bcbeb6d
c7d271855c08231209d0e2194ba1120aaac1e387

URL

https[:]//2no[.]co/1IRnc
https[:]//2no[.]co/1O5aW

Remediation

IoCs should be blocked at their respective controls.
Users are advised to only download installers from applications’ official websites to avoid such compromise.

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

LokiBot Malware – Active IOCs

WP-Automatic Plugin Flaw Used by Threat Actors to Create Admin Accounts on WordPress Sites

CVE-2024-21511 – Node.js mysql2 module Vulnerability

Threat Insights

About Us

Our Leadership

CSR

Connect with Us