Rewterz Threat Alert – GoMiner Mutates and Spreads via Public Cloud Storage Providers
Severity
High
Analysis Summary
A family of Monero miners, tracked as GoMiner, has been observed spreading through public cloud storage providers such as OneDrive, Google Drive and Dropbox. It also mutates, changing its own binary between infections to evade hash-based detection, and it can spread via removable drives. The volume of unique samples is large: more than 160,000 unique samples were submitted to VirusTotal over a period of 90 days, which is consistent with the self-mutation described below.
The malware's main objective is to mine Monero; it carries an embedded copy of the XMRig miner in its body. An infected system will be noticeably slow, as the miner consumes most of the available CPU. It spreads through public cloud storage by dropping several copies of itself into the "Public" folders of the synced cloud clients, so that anyone who receives or opens the shared folder is exposed. Before dropping itself, it checks whether the following directories exist under the user's profile:
%USERPROFILE%\Dropbox\Public
%USERPROFILE%\OneDrive\Public
%USERPROFILE%\Google Drive
For each of the above folders that exists, it drops copies of itself under the following filenames:
USBDriver.exe
Installer.exe
Install.exe
Setup.exe
Each time the malware is executed, it also searches the "Program Files" folder for executable files and replaces them with a mutated copy of itself. Whatever application it overwrote is then GoMiner: launching that application runs the miner instead. Because each copy mutates, hash-based indicators are unreliable; the drop paths and filenames above, unexpected changes to executables under "Program Files" (for example, a previously signed application binary that no longer validates), and sustained high CPU usage from the miner are the more durable indicators.
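The following hunt script is an added example, not Rewterz's code or part of the malware. It checks the three drop directories and four dropper filenames listed in this alert for a given user profile (or for every profile under a Users directory) and reports the SHA-256 of each hit for lookup rather than matching, since the alert says the binary mutates. The filenames are compared case-insensitively because NTFS is case-insensitive. The `make_sample_profile()` fixture builds a constructed fake profile with placeholder files so the script can be exercised offline; the function names and the fixture contents are assumptions for illustration.

```python
"""Hunt for the GoMiner cloud-storage drop locations named in the alert.

Added example, not Rewterz's or the malware author's code. It only checks the
paths and filenames the alert lists; hashes of dropped copies are reported so
they can be looked up, not matched, because the alert says the miner mutates.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Drop directories relative to %USERPROFILE%, as listed in the alert.
DROP_DIRS = (
    Path("Dropbox") / "Public",
    Path("OneDrive") / "Public",
    Path("Google Drive"),
)
# Filenames the alert says the miner drops (matched case-insensitively).
DROP_NAMES = frozenset({"usbdriver.exe", "installer.exe", "install.exe", "setup.exe"})


def drop_dirs_present(profile_root):
    """Return the alert's drop directories that exist under one user profile."""
    root = Path(profile_root)
    return [root / rel for rel in DROP_DIRS if (root / rel).is_dir()]


def match_drop_names(filenames):
    """Pure matcher: the given filenames that are dropper names, sorted."""
    return sorted(n for n in filenames if n.lower() in DROP_NAMES)


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_dropped_copies(profile_root):
    """Return [(path, sha256)] for dropper-named files in the profile's drop dirs."""
    hits = []
    for d in drop_dirs_present(profile_root):
        names = [e.name for e in d.iterdir() if e.is_file()]
        for name in match_drop_names(names):
            p = d / name
            hits.append((str(p), sha256_of(p)))
    return hits


def hunt_all_profiles(users_root):
    """Run find_dropped_copies for every profile directory under users_root
    (for example C:\\Users); returns {profile_name: hits} for profiles with hits."""
    results = {}
    for prof in sorted(Path(users_root).iterdir()):
        if prof.is_dir():
            hits = find_dropped_copies(prof)
            if hits:
                results[prof.name] = hits
    return results


def make_sample_profile():
    """Constructed fixture (assumed layout, placeholder bytes, not real malware):
    a fake Users directory holding one profile with two dropped copies."""
    users = Path(tempfile.mkdtemp(prefix="gominer_hunt_"))
    root = users / "alice"
    (root / "Dropbox" / "Public").mkdir(parents=True)
    (root / "Google Drive").mkdir()
    (root / "OneDrive").mkdir()  # client present but no Public folder: not a drop dir
    (root / "Dropbox" / "Public" / "Setup.exe").write_bytes(b"MZ-placeholder-1")
    (root / "Dropbox" / "Public" / "notes.txt").write_bytes(b"benign")
    (root / "Google Drive" / "installer.EXE").write_bytes(b"MZ-placeholder-2")
    return root


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("USERPROFILE", str(Path.home()))
    for path, digest in find_dropped_copies(base):
        print(f"{digest}  {path}")
```

Run it as `python hunt_gominer.py "C:\Users\<name>"` on a live host, or pass a Users directory to `hunt_all_profiles()` to sweep every profile. A hit only means a file with one of the listed names sits in one of the listed folders; confirm by submitting the reported hash and by checking whether the file is an unsigned XMRig-bearing binary before acting on it.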