Technical Analysis & Remediation
MITRE ATT&CK Mapping
T1091
(Replication Through Removable Media)
T1068
(Exploitation for Privilege Escalation)
T1490
(Resource Hijacking)
T1562.001
(Impair Defenses: Disable or Modify Tools)
CVE Profile
CVE-2020-14979
NVD Score: 7.8
CISA KEV Status: Active
Telemetry
Hashes
bb97dfc3e5fb8109bd154c2b2b2959da (Orchestrator executable).
Executables/Processes
Microsoft Compatbility Telemetry.exe (Miner wrapper)
explorer.exe (Orchestrator)
msedge.exe (Watchdog)
ksomisc.exe (Watchdog)
wpsupdate.exe (Watchdog).
Command Line Arguments
002 Re:0 (Active infection mode)
016 (Maintenance mode)
barusu (Cleanup/Kill switch).
Target Driver
WinRing0x64.sys.
Constraint
The structure resembles a modular state-machine design where process termination triggers immediate resurrection by parallel watchdogs, creating a self-healing architecture.
Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)
GOVERN (GV) – Crisis Management & Oversight
Command
Enforce strict software inventory policies and security awareness training to eliminate the use of pirated or unverified software bundles.
DETECT (DE) – Monitoring & Analysis
Command
Deploy SIEM hunting queries for explorer.exe executing from non-standard directories or with anomalous command-line parameters such as 002 Re:0 or barusu.
Command
Alert on continuous CPU spikes aligning with the RandomX mining algorithm signature.
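As an added illustration of the hunting logic in the DETECT commands above (not code from the original report), the following Python applies the page's two indicators, explorer.exe running outside the Windows directory and the orchestrator argument strings, to a few constructed process-creation records. The record field names image and cmdline and the sample paths are assumptions.

```python
import ntpath
import re
from typing import Dict, List

# Indicators from the report: the orchestrator runs as explorer.exe, and its
# documented command-line modes are "002 Re:0", "016" and "barusu".
EXPLORER_HOME = r"c:\windows"  # directory of the genuine explorer.exe
# Match the mode strings only as whole tokens, so "016" does not fire on an
# unrelated number such as "10160" or "file016.txt".
MODE_RE = re.compile(r"(?<!\S)(002 Re:0|016|barusu)(?!\S)", re.IGNORECASE)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the hunting reasons that fire for one process-creation event."""
    reasons: List[str] = []
    image = event.get("image", "")
    cmdline = event.get("cmdline", "")
    name = ntpath.basename(image).lower()
    parent_dir = ntpath.dirname(image).lower()
    # Rule 1: explorer.exe launched from anywhere but the Windows directory.
    if name == "explorer.exe" and parent_dir != EXPLORER_HOME:
        reasons.append(f"explorer.exe outside {EXPLORER_HOME}: {image}")
    # Rule 2: an orchestrator mode string on the command line.
    match = MODE_RE.search(cmdline)
    if match:
        reasons.append(f"orchestrator argument '{match.group(1)}'")
    return reasons


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return every event that triggers at least one rule, with its reasons."""
    hits: List[Dict[str, object]] = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append({**event, "reasons": reasons})
    return hits


# Constructed sample process-creation records (assumed field names; not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\explorer.exe", "cmdline": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Users\Public\explorer.exe", "cmdline": r"C:\Users\Public\explorer.exe 002 Re:0"},
    {"image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe barusu"},
    {"image": r"D:\explorer.exe", "cmdline": "explorer.exe 016"},
    {"image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe", "cmdline": "msedge.exe --type=renderer"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["image"], "->", "; ".join(hit["reasons"]))
```

The same two rules translate directly into a SIEM query over process-creation events; the token-boundary match on the argument strings is the part worth keeping to avoid noisy hits.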
RESPOND (RS) – Mitigation & Containment
Command
Suspend all identified watchdog processes (msedge.exe, ksomisc.exe, wpsupdate.exe) simultaneously via EDR to prevent the self-healing resurrection cycle before terminating the primary miner process (Microsoft Compatbility Telemetry.exe).
RECOVER (RC) – Restoration & Trust
Command
Validate system cleanliness by sweeping all connected external storage drives for hidden LNK files and dropped payloads.
IDENTIFY & PROTECT (ID/PR) – The Feedback Loop
Command
Enforce Microsoft's Vulnerable Driver Blocklist via Windows Defender Application Control (WDAC) to prevent the loading of WinRing0x64.sys and mitigate BYOVD exploitation.
Command
Implement Device Control policies to restrict executable payloads from running on removable media and restrict outbound connections to consumer-grade mining pools via web filtering.
Remediation - THE HOME USER TRACK (Safety Focus)
Priority 1: Safety
Command
Disconnect from the internet immediately to sever connections to mining pools.
Command
Do not log into banking/email until verified clean.
Priority 2: Identity
Command
Reset passwords/MFA using a known clean device (e.g., phone on 5G) in case of secondary infostealer payloads bundled with the pirated software.
Priority 3: Persistence
Command
Check Scheduled Tasks, Startup Folders, and Browser Extensions for any anomalous entries. If infected, back up essential files (verifying no hidden folders/shortcuts are copied) and perform a full system wipe and OS reinstall, as kernel-level exploitation completely compromises the operating system's integrity. Do not plug potentially infected USB drives into clean systems.
Hardening & References
Baseline
CIS Microsoft Windows Desktop Benchmarks (Enable memory integrity/HVCI, restrict removable media execution).
Framework
NIST CSF 2.0 / SP 800-61r3.
Threat Intelligence
Trellix Advanced Research Center
Cyber Security News