Malware
Monero-Mining Malware PCASTLE Uses Fileless Techniques
Abusing PowerShell to deliver malware isn’t new; it's actually a prevalent technique that many fileless threats use. We regularly encounter these kinds of threats, and Trend Micro behavior monitoring technology proactively detects and blocks them.
Abusing PowerShell to deliver malware isn’t new; it's actually a prevalent technique that many fileless threats use. We regularly encounter these kinds of threats, and Trend Micro behaviour monitoring technology proactively detects and blocks them. We have smart patterns, for instance, that actively detect scheduled tasks created by malicious PowerShell scripts. We also have network rules that detect, for example, indications of activities like Server Message Block (SMB) vulnerabilities being exploited, potential brute-force attempts, and illicit cryptocurrency mining-related communications.
With that said, a sudden spike of these activities is unusual to us. Feedback from our Smart Protection Network™ revealed that this recent wave of attacks were mostly targeting China-based systems. The attacks, which are still ongoing, were first observed on May 17; the attacks peaked on May 22 and has since steadied.
Further analysis of these activities led us to believe that these are a part of a campaign with a modus similar to a previous one that used an obfuscated PowerShell script (named PCASTLE) to deliver a Monero-mining malware. That earlier campaign, however, spread to other countries like Japan, Australia, Taiwan, Vietnam, Hong Kong, and India. Now, it appears to be retargeting China, similar to their first reported campaign.
This latest campaign has added a few new tricks. For one, it uses multiple propagation methods — using a variety of components doing different tasks — to deliver their cryptocurrency-mining malware. It now also uses a multilayered fileless approach, allowing the malicious PowerShell scripts to download payloads (with its arrival via a scheduled task) and execute them in memory only. The final PowerShell script, which is also executed in memory, packs all the malicious routines: using an SMB exploit (EternalBlue), brute-forcing the system, employing the pass-the-hash method, and downloading payloads.
Infection chain of the latest Monero-mining malware campaign
Attack chain
Here is how the infection chain works:
- Once any of the propagation methods succeed, either a scheduled task or RunOnce registry key is executed to download the first-layer PowerShell script.
- The first-layer PowerShell script will try to access a list of URLs inside the script. It will download the PowerShell command, execute it, and save it as another scheduled task (hourly).
- The scheduled task will execute a PowerShell script that will download and execute the second-layer PowerShell Script. It will report system information to its command-and-control (C&C) server before downloading and executing the third-layer PowerShell script.
- The system information sent to the C&C server includes the computer name, GUID, MAC address, OS, architecture, and timestamp.
- It sends the information in this format: {url}?ID={ComputerName}&GUID={guid}&MAC={MacAddr}&OS={OS}&BIT={Architecture}&_T={Timestamp}.
- The C&C communication uses a unique User Agent for the connection (six random characters are included): “Lemon-Duck-{random}-{random}.
- The third-layer PowerShell script will download the cryptocurrency mining module based on the reported system information, which is then injected into its own PowerShell process using another publicly available codem, Invoke-ReflectivePEInjection. It will also download the PCASTLE script component responsible for the other routines like propagation. The campaign uses propagation methods that are similar to the previous campaign, but packed into a single PowerShell script (PCASTLE). It uses the EternalBlue exploit, brute force, and pass-the-hash technique.
The infection cycle continues as long as it finds systems to infect. The format of the downloaded PowerShell script when manually downloaded is:
Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DelfateStream (&(New-Object IO.MemoryStream(,$([Convert]::FromBase64String(‘<Base64 encoded code>’)))), [IO.Copression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();
The Campaign
The campaign mostly targets China, which makes up 92% of our detections. It doesn’t appear to be targeting a specific industry, probably due to the nature of the attacks’ propagation methods. Using an SMB exploit and brute-forcing weak passwords, for instance, aren’t industry-specific security issues. The campaign’s operators also do not seem to care who gets affected, as long as they get infected.
Their use of XMRig as their payload’s miner module is also not surprising. Algorithms for Monero mining are not as resource-intensive compared to other miners, and don’t require a lot of processing power. This means they can illicitly mine the cryptocurrency without alerting users unless they notice certain red flags like performance issues.
The campaign uses two domains with varying URIs and sub-domains for varying purposes. Trend Micro web reputation solutions already block these:
- t[.]zer2[.]com/{uri} – Used to download the layered PowerShell scripts and reporting system information
- down[.]ackng[.]com – Used to download the URL of the miner payload
- lpp[.]zer2[.]com:443 – The payload’s mining pool
- lpp[.]ackng[.]com:443 – The second mining pool
Best Practices
The attackers’ motivations for concentrating their activities back on China-based systems are unclear. Nonetheless, this campaign showed that fileless threats aren’t going away. In fact, we project that fileless techniques will be amongst the most prevalent threats used in the current landscape. The tool is now open-source, which means it's readily available for hackers. It’s also a legitimate system administration tool, which attackers can abuse to evade or bypass traditional security defences. Given these risks, organisations that use this tool should adopt these best practices:
- Implement defence in depth. Deploying additional security mechanisms such as behaviour monitoring to detect and prevent anomalous routines or unauthorised programmes or scripts from running. Sandboxes help by containing malicious scripts and shellcode, while firewalls and intrusion prevention systems can thwart malware-related traffic.
- Patch and update systems. This campaign, for instance, uses an exploit for a vulnerability for which a patch is already available. Employing virtual patching in legacy or embedded systems is also recommended.
- Limit access to system administration tools. Threats are increasingly using legitimate tools to evade detection, which is why it’s important to restrict their use to those who need it.
- Harden system security. Authentication and encryption mechanisms help prevent unauthorised modification to targeted systems, while strengthening their account credentials mitigate brute-force and dictionary attacks.
Trend Micro endpoint solutions such as the Smart Protection Suites and Worry-Free Business Security solutions, which have behaviour monitoring capabilities, can protect users and businesses from these types of threats by detecting malicious files, scripts, and messages as well as blocking all related malicious URLs.
Indicators of Compromise (IoCs)
Hashes detected as Trojan.PS1.PCASTLE.D (SHA-256):
- 90c80135f1d8030437785coe25ab1297e4c895c7f74b92bdb609b66cdb41de8fd
- ef8505ffb1526d36b05da851e50e27f87e35131e40a03095ace1b55b7662de9c
- 33d94fcf397d36aec8df8d55c378b13bb4509f41975ebb835708e3a4cdae749b3
- 1cff6e4e3bac810f22f27ac5e6b13012ebed27bbace1544e38c09fefb2a7e7c9
Detected as Coinminer.Win32.MALXMR.PCH (SHA-256):
- 4e4015a1c9c6327fdf18a4e41a0586f5083e055bbc93f260d58da2897bddea45