Fileless Assault Marketing campaign makes use of PCASTLE to distribute XMRig Monero mining malware
In a fileless attack, PCASTLE is used to distribute samples from XMRig, a well-known Monero mining malware family.
Trend Micro first observed the campaign on May 17 when it discovered a series of attacks on systems based in China. These attacks, which peaked on May 22nd before weakening, used a scheduled task or a RunOnce registry key to download the first stage PowerShell script. The script then looked for a URL in itself to download, run, and save a PowerShell command as a scheduled task.
At this point in the chain of infection, the scheduled task started a PowerShell script that was used to download and run the PowerShell script from the second stage of the attacks. This asset then gathered system information and reported it to its Command & Control (C&C) server before downloading the third stage PowerShell script. At this point, the attacks took advantage of PCASTLE, a disguised PowerShell script intended to be used for additional propagation efforts, and an XMRig module.
A brief history of PCASTLE and XMRig activities
XMRig has been a popular code base for cryptomining since this type of threat emerged in mid-2017. In May 2018, ThreatPost reported a new strain of malware called WinstarNssmMiner that was dropping XMRig as an additional payload under certain circumstances. A few months earlier, Palo Alto Networks had found a large-scale operation that had exposed up to 15 million people to XMRig over a four-month period.
Both PCASTLE and XMRig have been active for the past few months. In April 2019, Trend Micro discovered an attack campaign that used EternalBlue and PowerShell to target systems in Japan with PCASTLE and a Monero coin miner. A few months later, the security company came across a new family of malware called BlackSquid that used eight notorious exploits to infect vulnerable computers with XMRig.
Protect your organization from Monero mining malware
David Bisson is an Infosec news junkie and security journalist. He works as an editor for Graham Cluley Security News and as an associate editor for Trip …