Rewterz Threat Alert – GoMiner Mutates and Spreads via Public Cloud Storage Providers

Severity

High

Analysis Summary

A family of Monero Miners is found spreading through cloud storage providers such as OneDrive, Google Drive and Dropbox. It also has the ability to mutate or change itself to try to avoid detection.This malware can also spread via removable drives.The volume of unique samples is relatively large, as more than 160,000 unique samples were submitted to VirusTotal over a period of 90 days. 

This malware’s main objective is to mine Monero. It includes in its body a version of XMRig miner. The system infected with this malware will be noticeably slow, as the cryptominer will consume most of the CPU. It can spread itself via public cloud storage by dropping several copies of itself in “Public” folders. It looks for the availability of the following files before dropping itself in those directories:

• %USERPROFILE%\Dropbox\Public
• %USERPROFILE%\OneDrive\Public
• %USERPROFILE%\Google Drive

When the above folders exist, it will drop a copy of itself with the following filenames:

• USBDriver.exe
• Installer.exe
• Install.exe
• Setup.exe

Each time this malware is executed, it looks for any executable file in the “Program Files” folder and replaces it with a mutated copy of itself. This means, whatever application it replaced will now become the GoMiner.

Impact

• Monero mining
• Detection evasion
• Slow system performance

Indicators of Compromise

Domain Name

• N73fu7[.]wayout[.]pictures
• Abrakadabra[.]host
• fh724[.]pikatchuworld[.]club

Filename

• USBDriver[.]exe
• Installer[.]exe
• Install[.]exe
• Setup[.]exe

MD5

• ee88495d0df3a3d28785041eafe64ef6
• de8a7baa14b88a5cd9d6fa156d233138
• 23d26ebc357c8f86147e5ac325688a6e
• ecf1f427b7fafb22a87ccc53f622261b
• bd89709470ae0489617480e68674e92a
• 655f622a0b060b5160e8fb459809d119
• 96179865b444641dd3be5209a87edb9b
• 82b3b0f4a15efdf93b19a4d403bd5751
• 05d37d8c0ebb4795efb237e8f0546d70
• fe858edab9787330f7b1bb6a3fa65e9e
• bcb23740c900a5d81ae3b7efae6c8d7c
• 999742ee595a819e7ccd7bdf4416bc90
• ae8e5c64532f94218808eaea6c9bdc87
• ea6d5ed5543e2850fe4c06d5f953787a
• d6c6741fca8af94655f62d107f33f00f
• 1ef8e54178f16bcedc76196e92241344
• 482b473ac7ddd2ed14e824cd3f99bf82
• fd833a447b9b5eca6fcf029bf893ffee
• 2e1e12dd9a84aaa7987602669844c232
• 37e8c8ca05fa36ef2b67309fe2284307
• db12508d6a5de7a1173c80b795e4ce5b
• 9445bddfd0c4a4af58f14a08e0b73ab0
• db00d12aa4827e39282754596103a5ab
• 710c0128ea5520b5750eda3c5f0e43e3
• a228ae843e7041a173a9b86d22439dc2
• 576fb081813217be1d38c03c5531c076
• 9194f9fa986aa336c71508f86e1886ab
• 359b1e92dacaa03d5464d8d895397c0e
• 4e13647f1d1263095d4f32d175efa149
• bf354de8d410d25785d95273209e28e7
• 86230919e4d7b3ba4da9a1af098e19cf
• c1d0dde6a4a1fea9f399655312dce2ec
• cb628918993eaf02d8845b8a23ded424
• 8620a5e5718732d8a5869b3391943b33
• 853a14c697fd652534f1dee42dabde9a

SHA-256

• ecdcc6273bd8ccbf2740a3e43caba81647d9abec14386d7df3a3e9f725b2493a
• 9c76815aa2612c6777ce9addbcc38601d2d44e0b0de8787cdb922b0218a765f4
• 3fc3a8c9ed96021927bcd2ec69a487d51b66d7e5d03d252cf6a0bae9074e0327
• cb8f3a0b35b985204d4f371b2f41510d503eeb1da1f51a5aee533f5ecc1b078b
• db3ce6b9ad58923db5e2a3137c40a59ab186f223483f696869d56a641b233062
• 51dccbe2d84e52a4b5e0cb13379d0c79fa3a03f01ea0119e7b19c174d5b0ead4
• 6a42e610c1adf2d347488ec2fd42127dd1e3ca667519f7ac0a0728118f9fc607
• f46b3e8885d75baff9ec81192feeef61f1f05826d900fb05518797aae9db7b79
• 25496ec3b287c215e7a802ee4b7aad20e9eac550a4e044fe68a937baff04a077
• 69e48b7fac8d4e318dc79adb67bb2b56c27b020fa92c86ac1b01b2c0fb50a62e
• 706f7bd0508a91905196fcfafedba742e9ec920e9e8dc4ba1e4d90cc279f6350
• 1f36c63d182c6348e233ff8601185b585aee77eaadaab10bc226ac9df47e5ee4
• 77f59a8bc999e3c368894332e37ae88b986ed67d3a16a1557373ba076527db44
• fb7fd2710279a64056cbf7b55fef5dbbaf598f0b5958c71f045749685edaa1c4
• ab3790c79cc449d865e2568f2a4f854883fe0792d37c17f0a5c082581bd5fd7b
• fd2b55482f3db95e0a0b4d8d563ce45d08a43b5692ac4eee5c61b6084678eb38
• 18a2213384ec97c2b51cda378688f34b143b83a0f005977b748cca18dae2f5cd
• 18623498d214284064336b5c49b6205de2b0724952d2cf45d819b4d034a3260b
• 68a6f1e34ab571772f8aa4699b2904b9eb05de5bd2224edee138e17f87898cd4
• 685223dda5556cda659cb4f5e89cde24b81c910a78b1bdeed008380dc1d62417
• 1a455a3291e996ef9f7e964695eb48646d223e588ccb1f355c06fc21b1052456
• 9c4d85811fd1347a155dca7b5ad4be2a08b3adf932849d4e8b1320bd339a772e
• ad01b428e35bf4b70b86d050dae8e4036791018608d70564ebfa5fec04027051
• 712939c0a69c74ba85ebab9a48c3fd2934b9cb5a3ff0a506f3a1944386a15755
• ad5c6dbc06422bc19682080fc2eb40e24ad7913836f7947ffc3d791ddf488d07
• 2e3c8c7eb64bb881fcb82f14a20a788221a17bc048ad58ca7702363986b9dfc7
• 5d4de43d56f18c0a69c126eff8a792c47192a4197a6ec5e1fa0333436fe4687b
• 504a44632664652d9fe9a27519194d2296f85905fc68341b30eb9f97b8c9cf01
• 271cb5b032376c6531f4f57fe17b4f9255ac2577b59320ad49f59e1f60cb4689
• a50e043fb25d68bb38deb38b8d31728c1ba2df3d68ac5cd0eed633f341485048
• 98e1b71ff1980c7e1484dedde2cc6f6e6eea842729405d925dd6855795a54197
• 66c77ed578dbdb6c5076a66098e330b1682a69ee361bc9746f33a12f53e3e29b
• 96e2bb8d289f25c3f0c61d08ea96bfc897ee95793121e5c5eafb41c4cc0aebf2
• ec3ffdfd40d9bef3c7ffe3dfd4838f42cddbd1981135d87e193dc18419f964a0
• aa2c806c3ff473185e2df94e265bb0886c030daefa6f378866282fba37942820

Source IP

35[.]156[.]248[.]16

Remediation

• Block the threat indicators at their respective controls.
• Avoid downloading unnecessary files from OneDrive, Google Drive and Dropbox.