Rewterz Threat Alert – Vivin’s Cryptominers Spreading Through Pirated Software

January 28, 2020

Severity

Medium

Analysis Summary

A new threat actor, tracked as “Vivin,” has been found conducting a long-term cryptomining campaign. The group is responsible for mining thousands of U.S. dollars’ worth of Monero cryptocurrency on its infected hosts. The actor used pirated software as the initial infection vector, masquerading its malware as popular software. Once the initial infection was complete, “Vivin” quickly moved to common Windows tools. The actor has successfully pivoted its infrastructure and wallets as needed to maintain effectiveness. Vivin configured its miners to use up to 80 percent of a system’s CPU resources.

Impact

  • Cryptocurrency mining
  • Slow system performance

Indicators of Compromise

Hostname

  • spoolsv[.]linkpc[.]net
  • mstsc[.]publicvm[.]com
  • mmc[.]publicvm[.]com
  • lsass[.]publicvm[.]com
  • csrss[.]publicvm[.]com
  • csrss[.]linkpc[.]net
  • www[.]m9c[.]net
  • ddl3[.]data[.]hu

MD5


SHA-256


Source IP

  • 116[.]203[.]234[.]128
  • 116[.]203[.]29[.]111

URL


Remediation

  • Block the threat indicators at their respective controls.
  • Prevent the use of pirated software on endpoints.
  • Enable system resource monitoring to detect excessive or abnormal resource usage on endpoints.
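The hostnames above share one trait worth hunting for: a Windows process name (spoolsv, lsass, csrss, mmc, mstsc) used as the leftmost label under a dynamic-DNS parent domain (publicvm.com, linkpc.net). The following added example, not part of the advisory, scans constructed Sysmon-style DNS query records for exact advisory hostnames and for that naming pattern; the log format, the `scan`/`classify` helper names and the extra process names beyond the advisory's list are assumptions.

```python
"""Flag DNS lookups matching the Vivin advisory's hostname indicators.

Added example, not from the advisory. The log lines are constructed,
simplified Sysmon Event ID 22 (DNS query) records.
"""
import re
from typing import List, Optional, Tuple

# Hostnames listed in the advisory, with defanging brackets removed.
ADVISORY_HOSTS = {
    "spoolsv.linkpc.net", "mstsc.publicvm.com", "mmc.publicvm.com",
    "lsass.publicvm.com", "csrss.publicvm.com", "csrss.linkpc.net",
    "www.m9c.net", "ddl3.data.hu",
}
# Dynamic-DNS parent domains seen in the advisory's indicators.
DDNS_PARENTS = {"publicvm.com", "linkpc.net"}
# Windows process names the actor borrowed as subdomain labels; the last
# few are an assumed extension beyond the names in the advisory.
PROCESS_LABELS = {"spoolsv", "lsass", "csrss", "mmc", "mstsc",
                  "svchost", "winlogon", "smss"}

LOG_RE = re.compile(r"QueryName=(?P<q>\S+)")


def refang(indicator: str) -> str:
    """Turn defanged text like 'csrss[.]publicvm[.]com' into a hostname."""
    return indicator.replace("[.]", ".").replace("[:]", ":")


def classify(hostname: str) -> Optional[str]:
    """Return 'known-ioc', 'pattern-match', or None for a queried name."""
    host = hostname.lower().rstrip(".")
    if host in ADVISORY_HOSTS:
        return "known-ioc"
    labels = host.split(".")
    # <process-name>.<ddns-parent>: same shape as the listed C2 hosts.
    if (len(labels) >= 3 and ".".join(labels[-2:]) in DDNS_PARENTS
            and labels[0] in PROCESS_LABELS):
        return "pattern-match"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (queried name, verdict) for every suspicious DNS record."""
    hits = []
    for line in lines:
        match = LOG_RE.search(line)
        if match is None:
            continue  # not a DNS query record
        verdict = classify(match.group("q"))
        if verdict:
            hits.append((match.group("q"), verdict))
    return hits


# Constructed sample records: one known IoC, one pattern hit, benign noise.
SAMPLE_LOG = [
    r"2020-01-28 09:14:02 EventID=22 Image=C:\Windows\System32\svchost.exe QueryName=csrss.publicvm.com",
    r"2020-01-28 09:14:05 EventID=22 Image=C:\Windows\System32\svchost.exe QueryName=update.microsoft.com",
    r"2020-01-28 09:15:11 EventID=1 Image=C:\Users\Public\setup.exe CommandLine=setup.exe /s",
    r"2020-01-28 09:16:40 EventID=22 Image=C:\Users\Public\setup.exe QueryName=lsass.linkpc.net",
    r"2020-01-28 09:17:03 EventID=22 Image=C:\Users\Public\setup.exe QueryName=www.m9c.net",
    r"2020-01-28 09:18:30 EventID=22 Image=C:\Windows\explorer.exe QueryName=mail.publicvm.com",
]

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:14} {name}")
```

The pattern rule deliberately fires on `lsass.linkpc.net`, which is not in the advisory but follows the actor's naming convention, so it will catch infrastructure rotated after publication.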