A fileless attack is leveraging PCASTLE to distribute samples of XMRig, a well-known Monero-mining malware family.
Trend Micro first observed the campaign on May 17 when it spotted a series of attacks targeting systems based in China. These attacks, which peaked on May 22 before leveling off, used a scheduled task or RunOnce registry key to download the first-stage PowerShell script. The script then searched for a URL inside of itself to download, execute and save a PowerShell command as a scheduled task.
At this stage in the infection chain, the scheduled task launched a PowerShell script that downloaded and executed the attacks’ second-stage PowerShell script. This asset then collected and reported system information to its command-and-control (C&C) server before downloading the third-stage PowerShell script. At this point, the attacks leveraged PCASTLE, an obfuscated PowerShell script to be used in additional propagation efforts and an XMRig module.
A Brief History of PCASTLE and XMRig Activity
XMRig has been a popular code base for cryptomining since the rise of this type of threat in mid-2017. In May 2018, ThreatPost reported on a new malware strain called WinstarNssmMiner that dropped XMRig as an additional payload under certain circumstances. A few months earlier, Palo Alto Networks found a large-scale operation that exposed as many as 15 million people to XMRig over a four-month period.
Both PCASTLE and XMRig have been active in recent months. In April 2019, Trend Micro spotted an attack campaign leveraging EternalBlue and PowerShell to target systems in Japan with PCASTLE and a Monero coin miner. Several months later, the security firm came across a new family of malware called BlackSquid that used eight notorious exploits to infect vulnerable machines with XMRig.
Protect Your Organization Against Monero-Mining Malware