June 11, 2019 By David Bisson 2 min read

A fileless attack is leveraging PCASTLE to distribute samples of XMRig, a well-known Monero-mining malware family.

Trend Micro first observed the campaign on May 17 when it spotted a series of attacks targeting systems based in China. These attacks, which peaked on May 22 before leveling off, used a scheduled task or RunOnce registry key to download the first-stage PowerShell script. The script then searched for a URL inside of itself to download, execute and save a PowerShell command as a scheduled task.

At this stage in the infection chain, the scheduled task launched a PowerShell script that downloaded and executed the attacks’ second-stage PowerShell script. This asset then collected and reported system information to its command-and-control (C&C) server before downloading the third-stage PowerShell script. At this point, the attacks leveraged PCASTLE, an obfuscated PowerShell script to be used in additional propagation efforts and an XMRig module.

A Brief History of PCASTLE and XMRig Activity

XMRig has been a popular code base for cryptomining since the rise of this type of threat in mid-2017. In May 2018, ThreatPost reported on a new malware strain called WinstarNssmMiner that dropped XMRig as an additional payload under certain circumstances. A few months earlier, Palo Alto Networks found a large-scale operation that exposed as many as 15 million people to XMRig over a four-month period.

Both PCASTLE and XMRig have been active in recent months. In April 2019, Trend Micro spotted an attack campaign leveraging EternalBlue and PowerShell to target systems in Japan with PCASTLE and a Monero coin miner. Several months later, the security firm came across a new family of malware called BlackSquid that used eight notorious exploits to infect vulnerable machines with XMRig.

Protect Your Organization Against Monero-Mining Malware

Security professionals can help defend their organizations against Monero-mining malware like XMRig by disabling JavaScript in web browsers and restricting outbound calls to cryptomining pools as part of a general, concerted effort to defend against cryptocurrency miners. As always, ongoing security awareness training is critical to help the workforce avoid fileless attacks, including campaigns that leverage PowerShell to install malware.

More from

CISA releases landmark cyber incident reporting proposal

2 min read - Due to ongoing cyberattacks and threats, critical infrastructure organizations have been on high alert. Now, the Cybersecurity and Infrastructure Security Agency (CISA) has introduced a draft of landmark regulation outlining how organizations will be required to report cyber incidents to the federal government.The 447-page Notice of Proposed Rulemaking (NPRM) has been released and is open for public feedback through the Federal Register. CISA was required to develop this report by the Cyber Incident Reporting for Critical Infrastructure Act of 2022…

Ransomware payouts hit all-time high, but that’s not the whole story

3 min read - Ransomware payments hit an all-time high of $1.1 billion in 2023, following a steep drop in total payouts in 2022. Some factors that may have contributed to the decline in 2022 were the Ukraine conflict, fewer victims paying ransoms and cyber group takedowns by legal authorities.In 2023, however, ransomware payouts came roaring back to set a new all-time record. During 2023, nefarious actors targeted high-profile institutions and critical infrastructure, including hospitals, schools and government agencies.Still, it’s not all roses for…

What should an AI ethics governance framework look like?

4 min read - While the race to achieve generative AI intensifies, the ethical debate surrounding the technology also continues to heat up. And the stakes keep getting higher.As per Gartner, “Organizations are responsible for ensuring that AI projects they develop, deploy or use do not have negative ethical consequences.” Meanwhile, 79% of executives say AI ethics is important to their enterprise-wide AI approach, but less than 25% have operationalized ethics governance principles.AI is also high on the list of United States government concerns.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today