Cryptojacking campaign strikes China with fileless attacks

silversurfer

A spike of attacks taking place in China has revealed a renewed cryptojacking campaign which is employing fileless attacks to drain victim system power in order to mine for Monero.

Trend Micro researchers said on Wednesday that the campaign, dubbed PCASTLE, is ongoing, while the peak of activity so far was previously registered on May 22. In total, 92 percent of infections are in China and the operators behind PCASTLE do not appear to be focusing on particular industries or victims. "The campaign's operators also do not seem to care who gets affected, as long as they get infected," the researchers say.

PCASTLE makes use of multiple propagation methods to ensure infection. This includes exploiting the EternalBlue Microsoft Windows SMB exploit, brute-force credential attacks, and what is known as a "pass the hash" technique -- the use of stolen hashed user credentials to trick an authentication system without needing to crack the information.

If one of these methods succeeds, either a scheduled task or RunOnce registry key is executed to download the campaign's first payload, a malicious PowerShell script. This script is able to download additional payloads and execute them in memory only, a fileless approach which can make detection of the malware more difficult by traditional antivirus products.

In addition, the PowerShell script will attempt to access a list of URLs coded within the script, will create scheduled tasks on an hourly basis to maintain persistence, and furthermore will download another script for communicating with the operator's command-and-control (C2) server.
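The post names two persistence points, a RunOnce registry key and hourly scheduled tasks, that launch a PowerShell script which pulls further stages into memory. The hunt script below is an added example, not part of the post or of Trend Micro's research; it assumes Windows 8 / Server 2012 or later (for Get-ScheduledTask), an elevated session, and a constructed list of download-cradle keywords.

```powershell
# Added example (not from the post or Trend Micro's research): report RunOnce
# entries and hourly scheduled tasks that launch PowerShell with a command line
# that looks like an in-memory download cradle. Run from an elevated session.

# Keywords typical of download-and-run-in-memory cradles; constructed list.
$cradle = 'DownloadString|DownloadData|IEX|Invoke-Expression|FromBase64String|-enc|-EncodedCommand|-w hidden|-nop'

function Test-SuspiciousPowerShell {
    param([string]$CommandLine)
    if (-not $CommandLine) { return $false }
    return ($CommandLine -match 'powershell|pwsh') -and ($CommandLine -match $cradle)
}

# 1. RunOnce keys (machine-wide, 32-bit view, and current user).
$runOnceKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runOnceKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        if (Test-SuspiciousPowerShell -CommandLine ([string]$p.Value)) {
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# 2. Scheduled tasks that repeat every hour (ISO 8601 duration PT1H) and
#    whose action runs a PowerShell cradle.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $hourly = $task.Triggers | Where-Object { $_.Repetition.Interval -eq 'PT1H' }
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($hourly -and (Test-SuspiciousPowerShell -CommandLine $cmd)) {
            [pscustomobject]@{ Source = 'ScheduledTask'; Name = $task.TaskName; Command = $cmd }
        }
    }
}
```

Any hit should be checked against the task's author and creation time and the RunOnce entry's writer before it is treated as malicious, since legitimate software also uses both mechanisms.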
 
