Cryptominers and fileless PowerShell techniques make for a dangerous combo

by ethhack

Along with ransomware, cryptocurrency mining malware is one of the most common threats to enterprise systems. Just like with ransomware, the sophistication of cryptominers has grown over the years, incorporating attack vectors and techniques such as fileless execution, run-time compilation and reflective code injection that were once associated with advanced persistent threats (APTs).

Researchers from security firm Deep Instinct have recently come across a cryptominer infection on the systems of a large Asia-based company in the aviation industry. The attack, which deployed a new Monero cryptocurrency miner, used PowerShell, reflective PE injection, run-time code compilation and Tor for anonymity.

The malware arrived as an encoded PowerShell script that, when executed, set up a scheduled task to run at system startup and launch a second encoded PowerShell command. This secondary payload used a module called Invoke-ReflectivePEInjection, from PowerSploit and PowerShell Empire, two PowerShell-based exploitation frameworks, to extract code stored in the registry and inject it into its own running process.

“While run-time compilation is not new, it is becoming more and more prevalent with the rising popularity of file-less attacks, and can bear certain advantages for an attacker such as the avoidance of some of PowerShell’s protection mechanisms,” the Deep Instinct researchers said in a new report.

In particular, this malware is designed to patch the PowerShell process to disable the Antimalware Scan Interface (AMSI), a Windows 10 interface through which applications, PowerShell included, hand script content to the installed antimalware engine so that known malicious code can be blocked before it runs. Storing malicious code inside the registry instead of in a file on disk, and then injecting it directly into the memory of legitimate processes, is a technique that was first used in APT attacks to evade antivirus detection. Such fileless execution tactics are now common across a variety of malware threats, including ransomware.
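The infection chain described above (a scheduled task that launches an encoded PowerShell command, which in turn pulls a payload from the registry and tampers with AMSI) leaves a concrete artifact a defender can hunt for: the task itself. The script below is an added example written for this article, not code from Deep Instinct or from the report; it enumerates scheduled tasks whose actions run PowerShell with an encoded command, decodes the base64/UTF-16LE payload, and flags strings associated with the tradecraft the article names. The indicator list is constructed for illustration and contains no IoCs from the report.

```powershell
# Added example (not from the article or the Deep Instinct report): hunt scheduled
# tasks that launch encoded PowerShell, decode the payload and flag indicators of the
# tradecraft described in the article. Uses the built-in ScheduledTasks module
# (Windows 8 / Server 2012 and later); run elevated to see tasks from all accounts.

# Constructed indicator list for illustration: strings a defender would expect in a
# decoded payload that does reflective PE injection, AMSI tampering, registry-stored
# code and run-time compilation. These are not IoCs from the report.
$Indicators = @(
    'Invoke-ReflectivePEInjection',
    'AmsiUtils', 'amsiInitFailed', 'AmsiScanBuffer',   # commonly targeted AMSI symbols
    'Get-ItemProperty', 'HKLM:', 'HKCU:',              # payload fetched from the registry
    'FromBase64String', 'Add-Type',                    # decoding / run-time compilation
    'Invoke-Expression', 'IEX'
)

function ConvertFrom-EncodedCommand {
    param([string]$Encoded)
    # powershell.exe -EncodedCommand takes base64 of a UTF-16LE string
    try {
        return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Encoded))
    } catch {
        return $null   # not valid base64; leave undecoded
    }
}

function Find-EncodedPowerShellTasks {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -notmatch '(?i)powershell|pwsh') { continue }
            # -e, -ec, -enc and -EncodedCommand all accept the base64 argument
            if ($cmd -match '(?i)-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})') {
                $decoded = ConvertFrom-EncodedCommand $Matches[2]
                $hits = @()
                if ($decoded) {
                    $hits = $Indicators | Where-Object { $decoded -match [regex]::Escape($_) }
                }
                $bootTrigger = $task.Triggers |
                    Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger' }
                [pscustomobject]@{
                    TaskName   = $task.TaskName
                    TaskPath   = $task.TaskPath
                    Author     = $task.Author
                    RunAtBoot  = [bool]$bootTrigger   # matches the startup persistence above
                    Decoded    = $decoded
                    Indicators = ($hits -join ', ')
                }
            }
        }
    }
}

Find-EncodedPowerShellTasks | Format-List
```

A task that runs at boot with an encoded command whose decoded body references the registry, reflective injection or AMSI symbols is worth pulling for analysis; the decoded text also gives the registry path to check for the stored DLL blobs. The regex only catches the base64 form of the argument, so tasks that load a script file or a one-liner in clear text need a separate check on the action's Execute and Arguments fields.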

In this case, the code stored inside the system registry consisted of two .DLL files — one for 32-bit systems and one for 64-bit ones — that implemented a Monero mining program. Once loaded, the cryptominer initiates communications with a series of Tor nodes, which likely serve as anonymizing proxies in order to hide the real location of their mining pools.

Copyright © 2019 IDG Communications, Inc.
