
Rewterz Threat Alert – GoMiner Mutates and Spreads via Public Cloud Storage Providers

January 27, 2020

Severity

High

Analysis Summary

A family of Monero miners has been found spreading through cloud storage providers such as OneDrive, Google Drive and Dropbox. It can also mutate (change its own binary) in an attempt to evade detection, and it can spread via removable drives. The volume of unique samples is relatively large: more than 160,000 unique samples were submitted to VirusTotal over a period of 90 days.


This malware’s main objective is to mine Monero. It embeds a copy of the XMRig miner in its body. A system infected with this malware will be noticeably slow, as the cryptominer consumes most of the CPU. It spreads itself via public cloud storage by dropping several copies of itself into “Public” folders. It checks whether the following folders exist before dropping copies of itself into them:

  • %USERPROFILE%\Dropbox\Public
  • %USERPROFILE%\OneDrive\Public
  • %USERPROFILE%\Google Drive

When the above folders exist, it will drop a copy of itself with the following filenames:

  • USBDriver.exe
  • Installer.exe
  • Install.exe
  • Setup.exe

Each time this malware is executed, it looks for executable files in the “Program Files” folder and replaces them with mutated copies of itself. This means that whichever application it replaced now runs GoMiner instead.

Impact

  • Monero mining
  • Detection evasion
  • Slow system performance

Indicators of Compromise

Domain Name

  • N73fu7[.]wayout[.]pictures
  • Abrakadabra[.]host
  • fh724[.]pikatchuworld[.]club

Filename

  • USBDriver[.]exe
  • Installer[.]exe
  • Install[.]exe
  • Setup[.]exe

MD5

  • ee88495d0df3a3d28785041eafe64ef6
  • de8a7baa14b88a5cd9d6fa156d233138
  • 23d26ebc357c8f86147e5ac325688a6e
  • ecf1f427b7fafb22a87ccc53f622261b
  • bd89709470ae0489617480e68674e92a
  • 655f622a0b060b5160e8fb459809d119
  • 96179865b444641dd3be5209a87edb9b
  • 82b3b0f4a15efdf93b19a4d403bd5751
  • 05d37d8c0ebb4795efb237e8f0546d70
  • fe858edab9787330f7b1bb6a3fa65e9e
  • bcb23740c900a5d81ae3b7efae6c8d7c
  • 999742ee595a819e7ccd7bdf4416bc90
  • ae8e5c64532f94218808eaea6c9bdc87
  • ea6d5ed5543e2850fe4c06d5f953787a
  • d6c6741fca8af94655f62d107f33f00f
  • 1ef8e54178f16bcedc76196e92241344
  • 482b473ac7ddd2ed14e824cd3f99bf82
  • fd833a447b9b5eca6fcf029bf893ffee
  • 2e1e12dd9a84aaa7987602669844c232
  • 37e8c8ca05fa36ef2b67309fe2284307
  • db12508d6a5de7a1173c80b795e4ce5b
  • 9445bddfd0c4a4af58f14a08e0b73ab0
  • db00d12aa4827e39282754596103a5ab
  • 710c0128ea5520b5750eda3c5f0e43e3
  • a228ae843e7041a173a9b86d22439dc2
  • 576fb081813217be1d38c03c5531c076
  • 9194f9fa986aa336c71508f86e1886ab
  • 359b1e92dacaa03d5464d8d895397c0e
  • 4e13647f1d1263095d4f32d175efa149
  • bf354de8d410d25785d95273209e28e7
  • 86230919e4d7b3ba4da9a1af098e19cf
  • c1d0dde6a4a1fea9f399655312dce2ec
  • cb628918993eaf02d8845b8a23ded424
  • 8620a5e5718732d8a5869b3391943b33
  • 853a14c697fd652534f1dee42dabde9a

SHA-256

  • ecdcc6273bd8ccbf2740a3e43caba81647d9abec14386d7df3a3e9f725b2493a
  • 9c76815aa2612c6777ce9addbcc38601d2d44e0b0de8787cdb922b0218a765f4
  • 3fc3a8c9ed96021927bcd2ec69a487d51b66d7e5d03d252cf6a0bae9074e0327
  • cb8f3a0b35b985204d4f371b2f41510d503eeb1da1f51a5aee533f5ecc1b078b
  • db3ce6b9ad58923db5e2a3137c40a59ab186f223483f696869d56a641b233062
  • 51dccbe2d84e52a4b5e0cb13379d0c79fa3a03f01ea0119e7b19c174d5b0ead4
  • 6a42e610c1adf2d347488ec2fd42127dd1e3ca667519f7ac0a0728118f9fc607
  • f46b3e8885d75baff9ec81192feeef61f1f05826d900fb05518797aae9db7b79
  • 25496ec3b287c215e7a802ee4b7aad20e9eac550a4e044fe68a937baff04a077
  • 69e48b7fac8d4e318dc79adb67bb2b56c27b020fa92c86ac1b01b2c0fb50a62e
  • 706f7bd0508a91905196fcfafedba742e9ec920e9e8dc4ba1e4d90cc279f6350
  • 1f36c63d182c6348e233ff8601185b585aee77eaadaab10bc226ac9df47e5ee4
  • 77f59a8bc999e3c368894332e37ae88b986ed67d3a16a1557373ba076527db44
  • fb7fd2710279a64056cbf7b55fef5dbbaf598f0b5958c71f045749685edaa1c4
  • ab3790c79cc449d865e2568f2a4f854883fe0792d37c17f0a5c082581bd5fd7b
  • fd2b55482f3db95e0a0b4d8d563ce45d08a43b5692ac4eee5c61b6084678eb38
  • 18a2213384ec97c2b51cda378688f34b143b83a0f005977b748cca18dae2f5cd
  • 18623498d214284064336b5c49b6205de2b0724952d2cf45d819b4d034a3260b
  • 68a6f1e34ab571772f8aa4699b2904b9eb05de5bd2224edee138e17f87898cd4
  • 685223dda5556cda659cb4f5e89cde24b81c910a78b1bdeed008380dc1d62417
  • 1a455a3291e996ef9f7e964695eb48646d223e588ccb1f355c06fc21b1052456
  • 9c4d85811fd1347a155dca7b5ad4be2a08b3adf932849d4e8b1320bd339a772e
  • ad01b428e35bf4b70b86d050dae8e4036791018608d70564ebfa5fec04027051
  • 712939c0a69c74ba85ebab9a48c3fd2934b9cb5a3ff0a506f3a1944386a15755
  • ad5c6dbc06422bc19682080fc2eb40e24ad7913836f7947ffc3d791ddf488d07
  • 2e3c8c7eb64bb881fcb82f14a20a788221a17bc048ad58ca7702363986b9dfc7
  • 5d4de43d56f18c0a69c126eff8a792c47192a4197a6ec5e1fa0333436fe4687b
  • 504a44632664652d9fe9a27519194d2296f85905fc68341b30eb9f97b8c9cf01
  • 271cb5b032376c6531f4f57fe17b4f9255ac2577b59320ad49f59e1f60cb4689
  • a50e043fb25d68bb38deb38b8d31728c1ba2df3d68ac5cd0eed633f341485048
  • 98e1b71ff1980c7e1484dedde2cc6f6e6eea842729405d925dd6855795a54197
  • 66c77ed578dbdb6c5076a66098e330b1682a69ee361bc9746f33a12f53e3e29b
  • 96e2bb8d289f25c3f0c61d08ea96bfc897ee95793121e5c5eafb41c4cc0aebf2
  • ec3ffdfd40d9bef3c7ffe3dfd4838f42cddbd1981135d87e193dc18419f964a0
  • aa2c806c3ff473185e2df94e265bb0886c030daefa6f378866282fba37942820

Source IP

35[.]156[.]248[.]16

Remediation

  • Block the threat indicators at their respective controls.
  • Avoid downloading unnecessary files from OneDrive, Google Drive and Dropbox.
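The following hunt script is an added example and is not Rewterz tooling. It puts the advisory's indicators to work on the defender side: it refangs the published domains and IP into a blocklist, walks the three cloud-sync “Public” folders the advisory names for files whose name or MD5/SHA-256 matches an IoC, and diffs a directory such as “Program Files” against a stored hash baseline to catch the executable-replacement behaviour. The hash sets are truncated to a few entries from the advisory; the directory tree in `run_demo()` is constructed for the demonstration and contains no real malware.

```python
"""Hunt for the GoMiner indicators from this advisory (added example, not Rewterz tooling)."""
import hashlib
import json
import tempfile
from pathlib import Path

# Indicators copied from the advisory; the hash lists are truncated to a few entries here.
IOC_FILENAMES = {"usbdriver.exe", "installer.exe", "install.exe", "setup.exe"}
IOC_MD5 = {
    "ee88495d0df3a3d28785041eafe64ef6",
    "de8a7baa14b88a5cd9d6fa156d233138",
    "23d26ebc357c8f86147e5ac325688a6e",
}
IOC_SHA256 = {
    "ecdcc6273bd8ccbf2740a3e43caba81647d9abec14386d7df3a3e9f725b2493a",
    "9c76815aa2612c6777ce9addbcc38601d2d44e0b0de8787cdb922b0218a765f4",
}
IOC_NETWORK_DEFANGED = [
    "N73fu7[.]wayout[.]pictures",
    "Abrakadabra[.]host",
    "fh724[.]pikatchuworld[.]club",
    "35[.]156[.]248[.]16",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator into the literal form a DNS/proxy blocklist needs."""
    return indicator.replace("[.]", ".").strip().lower()


def blocklist() -> list[str]:
    """Sorted, refanged network indicators ready to load into a blocking control."""
    return sorted(refang(i) for i in IOC_NETWORK_DEFANGED)


def drop_locations(user_profile: str) -> list[Path]:
    """The three cloud-sync folders the advisory says the miner drops copies into."""
    base = Path(user_profile)
    return [base / "Dropbox" / "Public", base / "OneDrive" / "Public", base / "Google Drive"]


def hash_file(path: Path) -> tuple[str, str]:
    """MD5 and SHA-256 of a file, streamed in 64 KiB chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def scan_tree(root: Path) -> list[dict]:
    """One finding per file under root whose name or hash matches a published IoC."""
    findings = []
    if not root.is_dir():
        return findings
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        if path.name.lower() in IOC_FILENAMES:
            reasons.append("ioc-filename")
        md5, sha256 = hash_file(path)
        if md5 in IOC_MD5:
            reasons.append("ioc-md5")
        if sha256 in IOC_SHA256:
            reasons.append("ioc-sha256")
        if reasons:
            findings.append({"path": str(path), "sha256": sha256, "reasons": reasons})
    return findings


def baseline(root: Path) -> dict[str, str]:
    """SHA-256 of every .exe under root (e.g. Program Files), taken while the host is known-good."""
    return {str(p): hash_file(p)[1] for p in root.rglob("*.exe") if p.is_file()}


def changed_since(base: dict[str, str], root: Path) -> list[str]:
    """Executables present in the baseline whose content has since changed (replaced binaries)."""
    current = baseline(root)
    return sorted(p for p, h in current.items() if p in base and base[p] != h)


def run_demo() -> dict:
    """Build a constructed directory tree (no real malware) and run both checks over it."""
    tmp = Path(tempfile.mkdtemp(prefix="gominer-hunt-"))
    public = tmp / "OneDrive" / "Public"
    public.mkdir(parents=True)
    (public / "Setup.exe").write_bytes(b"constructed sample, not real malware")
    (public / "notes.txt").write_bytes(b"harmless")
    programs = tmp / "Program Files" / "App"
    programs.mkdir(parents=True)
    target = programs / "app.exe"
    target.write_bytes(b"original vendor binary (constructed)")
    before = baseline(tmp / "Program Files")
    target.write_bytes(b"replaced content (constructed)")  # simulate the overwrite
    return {
        "drop_findings": scan_tree(tmp),
        "replaced": changed_since(before, tmp / "Program Files"),
        "blocklist": blocklist(),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

On a real host, point `scan_tree` at each path from `drop_locations(os.environ["USERPROFILE"])` and at removable drives, and take the `baseline` of Program Files from a clean image so that `changed_since` reports any binary the miner has overwritten; a name match alone is low confidence, while a hash match against the advisory's lists is a firm hit.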