Home Monero Fileless Attack Campaign Leverages PCASTLE to Distribute XMRig Monero-Mining Malware – Security Intelligence

Fileless Attack Campaign Leverages PCASTLE to Distribute XMRig Monero-Mining Malware – Security Intelligence

5 min read
0
26

Fileless Attack Campaign Leverages PCASTLE to Distribute XMRig Monero-Mining Malware

A fileless attack is leveraging PCASTLE to distribute samples of XMRig, a well-known Monero-mining malware family.

Trend Micro first observed the campaign on May 17 when it spotted a series of attacks targeting systems based in China. These attacks, which peaked on May 22 before leveling off, used a scheduled task or RunOnce registry key to download the first-stage PowerShell script. The script then searched for a URL inside of itself to download, execute and save a PowerShell command as a scheduled task.

At this stage in the infection chain, the scheduled task launched a PowerShell script that downloaded and executed the attacks’ second-stage PowerShell script. This asset then collected and reported system information to its command-and-control (C&C) server before downloading the third-stage PowerShell script. At this point, the attacks leveraged PCASTLE, an obfuscated PowerShell script to be used in additional propagation efforts and an XMRig module.

A Brief History of PCASTLE and XMRig Activity

XMRig has been a popular code base for cryptomining since the rise of this type of threat in mid-2017. In May 2018, ThreatPost reported on a new malware strain called WinstarNssmMiner that dropped XMRig as an additional payload under certain circumstances. A few months earlier, Palo Alto Networks found a large-scale operation that exposed as many as 15 million people to XMRig over a four-month period.

Both PCASTLE and XMRig have been active in recent months. In April 2019, Trend Micro spotted an attack campaign leveraging EternalBlue and PowerShell to target systems in Japan with PCASTLE and a Monero coin miner. Several months later, the security firm came across a new family of malware called BlackSquid that used eight notorious exploits to infect vulnerable machines with XMRig.

Protect Your Organization Against Monero-Mining Malware

Security professionals can help defend their organizations against Monero-mining malware like XMRig by disabling JavaScript in web browsers and restricting outbound calls to cryptomining pools as part of a general, concerted effort to defend against cryptocurrency miners. As always, ongoing security awareness training is critical to help the workforce avoid fileless attacks, including campaigns that leverage PowerShell to install malware.

Contributor'photo

David Bisson

Contributing Editor

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley…

Let’s block ads! (Why?)


Source link

Leave a Reply

Your email address will not be published. Required fields are marked *

Check Also

BTC/USD technical analysis: Bitcoin breaks higher – Next stop 10K – Forex Crunch

BTC/USD daily chart Bitcoin is trading in a bull trend above its main daily simple moving …