January 27, 2020
Severity
High
Analysis Summary
A family of Monero miners is found spreading through cloud storage providers such as OneDrive, Google Drive and Dropbox. It also has the ability to mutate or change itself to try to avoid detection. This malware can also spread via removable drives. The volume of unique samples is relatively large, as more than 160,000 unique samples were submitted to VirusTotal over a period of 90 days.
This malware’s main objective is to mine Monero. It includes in its body a version of the XMRig miner. A system infected with this malware will be noticeably slow, as the cryptominer consumes most of the CPU. It can spread itself via public cloud storage by dropping several copies of itself in “Public” folders. It checks that the following folders exist before dropping itself into them:
- %USERPROFILE%\Dropbox\Public
- %USERPROFILE%\OneDrive\Public
- %USERPROFILE%\Google Drive
When the above folders exist, it will drop a copy of itself with the following filenames:
- USBDriver.exe
- Installer.exe
- Install.exe
- Setup.exe
Each time this malware is executed, it looks for any executable file in the “Program Files” folder and replaces it with a mutated copy of itself. This means that whatever application it replaced is now the GoMiner, and launching that application runs the miner.
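A host-side hunt for the behaviour described above, added here as an example that is not part of the advisory: it checks the three cloud folders under the user profile for the four drop names, and flags executables under Program Files that match a caller-supplied MD5 set (the advisory's list, in practice) or that embed a plain "xmrig" string, which is an assumed heuristic. The demo() helper builds a constructed profile in a temp directory so the hunt can run offline.

```python
import hashlib
import tempfile
from pathlib import Path

# Drop locations and file names listed in the advisory (relative to %USERPROFILE%).
CLOUD_PUBLIC_DIRS = ("Dropbox/Public", "OneDrive/Public", "Google Drive")
DROP_NAMES = {"usbdriver.exe", "installer.exe", "install.exe", "setup.exe"}
# Heuristic assumption: the advisory says the sample embeds XMRig, so a plain
# "xmrig" string inside an executable is treated as a weak indicator.
XMRIG_MARKER = b"xmrig"


def find_cloud_drops(userprofile):
    """Return advisory-named executables sitting in the cloud Public folders."""
    hits = []
    for rel in CLOUD_PUBLIC_DIRS:
        folder = Path(userprofile) / rel
        if folder.is_dir():
            hits += [p for p in folder.iterdir()
                     if p.is_file() and p.name.lower() in DROP_NAMES]
    return sorted(str(p) for p in hits)


def find_replaced_executables(program_files, known_md5=frozenset()):
    """Flag .exe files under Program Files by known MD5 or by the XMRig marker."""
    findings = []
    for path in sorted(Path(program_files).rglob("*.exe")):
        data = path.read_bytes()
        digest = hashlib.md5(data).hexdigest()
        if digest in known_md5:
            findings.append((path.name, "md5-match"))
        elif XMRIG_MARKER in data.lower():
            findings.append((path.name, "xmrig-marker"))
    return findings


def demo():
    """Build a constructed user profile in a temp dir and run both hunts."""
    root = Path(tempfile.mkdtemp())
    pub = root / "Dropbox" / "Public"
    pub.mkdir(parents=True)
    (pub / "Setup.exe").write_bytes(b"MZ constructed dropper")   # named drop
    (pub / "readme.txt").write_bytes(b"benign")                  # ignored
    app = root / "Program Files" / "App"
    app.mkdir(parents=True)
    (app / "clean.exe").write_bytes(b"MZ clean")                 # no hit
    (app / "tool.exe").write_bytes(b"MZ ... XMRig build ...")    # marker hit
    bad = b"MZ constructed mutated copy"
    (app / "viewer.exe").write_bytes(bad)                        # MD5 hit
    known = {hashlib.md5(bad).hexdigest()}   # constructed stand-in for the IoC list
    return find_cloud_drops(root), find_replaced_executables(app.parent, known)
```

On a real host, pass the user's profile directory and the Program Files root instead of the constructed tree, and load known_md5 from the advisory's indicator list.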
Impact
- Monero mining
- Detection evasion
- Slow system performance
Indicators of Compromise
Domain Name
- N73fu7[.]wayout[.]pictures
- Abrakadabra[.]host
- fh724[.]pikatchuworld[.]club
Filename
- USBDriver[.]exe
- Installer[.]exe
- Install[.]exe
- Setup[.]exe
MD5
SHA-256
Source IP
- 35[.]156[.]248[.]16
Remediation
- Block the threat indicators at their respective controls.
- Avoid downloading unnecessary files from OneDrive, Google Drive and Dropbox.