Abusing PowerShell to deliver malware isn’t new; it’s a prevalent technique that many fileless threats use. We regularly encounter these kinds of threats, and Trend Micro behavior monitoring technology proactively detects and blocks them. We have smart patterns, for instance, that detect scheduled tasks created by malicious PowerShell scripts, and network rules that detect indications of activity such as Server Message Block (SMB) vulnerabilities being exploited, potential brute-force attempts, and illicit cryptocurrency mining-related communications.
With that said, a sudden spike in these activities is unusual to us. Feedback from our Smart Protection Network revealed that this recent wave of attacks was mostly targeting China-based systems. The attacks, which are still ongoing, were first observed on May 17; they peaked on May 22 and have since steadied.
Further analysis of these activities led us to believe that they are part of a campaign with a modus operandi similar to a previous one that used an obfuscated PowerShell script (named PCASTLE) to deliver a Monero-mining malware. That earlier campaign, however, spread to other countries like Japan, Australia, Taiwan, Vietnam, Hong Kong, and India. Now, it appears to be retargeting China, as in the first reported campaign.
This latest campaign has added a few new tricks. For one, it uses multiple propagation methods — a variety of components, each doing a different task — to deliver its cryptocurrency-mining malware. It now also uses a multilayered fileless approach: the malicious PowerShell scripts, which arrive via a scheduled task, download their payloads and execute them in memory only. The final PowerShell script, which is also executed in memory, packs all the malicious routines: using an SMB exploit (EternalBlue), brute-forcing the system, employing the pass-the-hash method, and downloading payloads.
Here is how the infection chain works:
The infection cycle continues as long as it finds systems to infect. When downloaded manually, the PowerShell script has the following format (a Base64-encoded, DEFLATE-compressed script that is decompressed and handed to Invoke-Expression, so the stage-two code never touches disk):
Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('<Base64 encoded code>')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();
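As an added example (not code from the original post or from Trend Micro), the following Python script shows how an analyst can recognize this Base64-plus-DeflateStream pattern in a captured one-liner and recover the embedded script for offline inspection. The stager it builds for itself is constructed around a benign placeholder, not a captured sample; the marker tokens and regular expression are my own choices.

```python
import base64
import re
import zlib

# Tokens that together characterize the in-memory decompress-and-eval chain
# shown above. Chosen here for illustration; tune for your own environment.
STAGER_MARKERS = ("Invoke-Expression", "FromBase64String", "DeflateStream", "Decompress")

# Captures the Base64 literal passed to [Convert]::FromBase64String(...).
B64_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def looks_like_deflate_stager(script: str) -> bool:
    """True when every marker token of the decompress-and-eval chain is present."""
    return all(marker in script for marker in STAGER_MARKERS)


def extract_payload(script: str) -> str:
    """Recover the embedded script: Base64-decode, then inflate as raw DEFLATE.
    .NET's DeflateStream writes no zlib header, hence the negative wbits."""
    match = B64_RE.search(script)
    if not match:
        raise ValueError("no FromBase64String(...) literal found")
    raw = base64.b64decode(match.group(1))
    return zlib.decompress(raw, wbits=-zlib.MAX_WBITS).decode("ascii")


def build_sample_stager(inner: str) -> str:
    """Constructed test input mimicking the observed one-liner (not a captured sample)."""
    compressor = zlib.compressobj(level=9, wbits=-zlib.MAX_WBITS)  # raw DEFLATE
    deflated = compressor.compress(inner.encode("ascii")) + compressor.flush()
    b64 = base64.b64encode(deflated).decode("ascii")
    return ("Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream "
            "($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('" + b64 + "')))), "
            "[IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();")


# Benign stand-in for the real stage-two script (constructed for this example).
SAMPLE_INNER = "# placeholder for stage two\nWrite-Host 'stage two would run here'\n"

if __name__ == "__main__":
    stager = build_sample_stager(SAMPLE_INNER)
    print("stager markers present:", looks_like_deflate_stager(stager))
    print("recovered script:\n" + extract_payload(stager))
```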
The campaign mostly targets China, which makes up 92% of our detections. It doesn’t appear to be targeting a specific industry, probably due to the nature of the attacks’ propagation methods: using an SMB exploit and brute-forcing weak passwords, for instance, aren’t industry-specific security issues. The campaign’s operators also do not seem to care who gets affected, as long as systems get infected.
Their use of XMRig as their payload’s miner module is also not surprising. Monero’s mining algorithm is less resource-intensive than those of other cryptocurrencies and doesn’t require a lot of processing power. This means the operators can illicitly mine the cryptocurrency without alerting users, unless the users notice red flags like performance issues.
The campaign uses two domains with varying URIs and sub-domains for varying purposes. Trend Micro web reputation solutions already block these:
The attackers’ motivations for concentrating their activities back on China-based systems are unclear. Nonetheless, this campaign showed that fileless threats aren’t going away. In fact, we project that fileless techniques will be among the most prevalent threats in the current landscape. PowerShell is now open-source, which means it’s readily available to attackers. It’s also a legitimate system administration tool, which attackers can abuse to evade or bypass traditional security defenses. Given these risks, organizations that use PowerShell should adopt these best practices:
Trend Micro endpoint solutions such as the Smart Protection Suites and Worry-Free Business Security solutions, which have behavior monitoring capabilities, can protect users and businesses from these types of threats by detecting malicious files, scripts, and messages as well as blocking all related malicious URLs.
Indicators of Compromise (IoCs):
Hashes detected as Trojan.PS1.PCASTLE.D (SHA-256):
Detected as Coinminer.Win32.MALXMR.PCH (SHA-256):
Original post title: "Monero-Mining Malware PCASTLE Zeroes Back In on China, Now Uses Multilayered Fileless Arrival Techniques"