Along with ransomware, cryptocurrency mining malware is one of the most common threats to enterprise systems. Just like with ransomware, the sophistication of cryptominers has grown over the years, incorporating attack vectors and techniques such as fileless execution, run-time compilation and reflective code injection that were once associated with advanced persistent threats (APTs).
Researchers from security firm Deep Instinct have recently come across a cryptominer infection on the systems of a large Asia-based company in the aviation industry. The attack, which deployed a new Monero cryptocurrency miner, used PowerShell, reflective PE injection, run-time code compilation and Tor for anonymity.
The malware arrived as an encoded PowerShell script that, when executed, set up a scheduled task to run at system startup and launch a second encoded PowerShell command. This secondary payload used a module called Invoke-ReflectivePEInjection from PowerSploit and PowerShell Empire, two PowerShell-based exploitation frameworks, to extract code stored in the registry and inject it into its own running process.
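The persistence pattern just described (a scheduled task that launches PowerShell with an encoded command, which in turn loads a reflective injector and reads its payload from the registry) can be hunted for on a host without any knowledge of the specific sample. The script below is an added example, not code from the article or from Deep Instinct: it enumerates scheduled tasks, decodes any encoded command in their actions, and reports which indicators from a small constructed list appear in the decoded text. The indicator list, the helper names and the sample command line are all constructed for this example.

```powershell
# Added example (not the article's or Deep Instinct's code): find scheduled tasks that
# run PowerShell with an encoded command, decode it, and flag indicators of the
# technique described above. Indicator list and sample command line are constructed.

$Indicators = @(
    'Invoke-ReflectivePEInjection',   # reflective loader named in the report
    'EncodedCommand',                 # a further encoded stage
    'HKLM:',                          # registry reads: the report says the payload lives there
    'HKCU:',
    'FromBase64String'
)

function Get-EncodedCommandFindings {
    <# Decodes every -EncodedCommand argument (PowerShell also accepts the
       abbreviations -e, -ec, -enc ...) in a command line and returns the
       decoded text together with the indicators it contains. #>
    param([Parameter(Mandatory)][string]$CommandLine)

    $findings = @()
    $pattern = '-e[ncodema]*\s+([A-Za-z0-9+/=]{16,})'
    foreach ($m in [regex]::Matches($CommandLine, $pattern, 'IgnoreCase')) {
        try {
            $decoded = [Text.Encoding]::Unicode.GetString(
                [Convert]::FromBase64String($m.Groups[1].Value))
        } catch {
            continue   # not valid base64, so not an encoded command
        }
        $hits = $Indicators | Where-Object { $decoded -like "*$_*" }
        $findings += [pscustomobject]@{
            Decoded    = $decoded
            Indicators = @($hits)
        }
    }
    return $findings
}

function Get-SuspiciousScheduledTasks {
    <# Walks all scheduled tasks on this host and reports those whose actions
       start PowerShell with an encoded command, with their trigger types
       (Boot, Logon, Time ...) so startup persistence stands out. #>
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -notmatch 'powershell|pwsh') { continue }
            foreach ($f in Get-EncodedCommandFindings -CommandLine $cmd) {
                [pscustomobject]@{
                    TaskName   = $task.TaskName
                    TaskPath   = $task.TaskPath
                    Triggers   = ($task.Triggers |
                        ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
                    Indicators = $f.Indicators -join ','
                    Decoded    = $f.Decoded
                }
            }
        }
    }
}

# Constructed sample: a harmless command encoded the way such a loader would be,
# so the decoder can be exercised offline. Expect the 'HKLM:' indicator to be hit.
$sample = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes(
    'Get-ItemProperty HKLM:\SOFTWARE\Example | Write-Output'))
Get-EncodedCommandFindings -CommandLine "powershell.exe -nop -w hidden -enc $sample" | Format-List

# Live check of the current host (needs the ScheduledTasks module: Windows 8 / Server 2012 or later).
Get-SuspiciousScheduledTasks | Format-Table -AutoSize -Wrap
```

Decoded output that reads the registry and then calls a reflective loader is the combination worth escalating; an encoded command on its own is common in legitimate automation, which is why the script reports the indicators rather than just the presence of encoding.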
“While run-time compilation is not new, it is becoming more and more prevalent with the rising popularity of file-less attacks, and can bear certain advantages for an attacker such as the avoidance of some of PowerShell’s protection mechanisms,” the Deep Instinct researchers said in a new report.
In particular, this malware is designed to patch the PowerShell process to disable the Antimalware Scan Interface (AMSI), a Windows 10 feature that blocks known malware from executing inside various components and applications, including inside PowerShell. Storing malicious code inside the registry instead of a file on disk, and then injecting it directly into the memory of legitimate processes is a technique that was first used in APT attacks to evade antivirus detection. Such fileless execution tactics are now common for a variety of malware threats, including ransomware.
In this case, the code stored inside the system registry consisted of two .DLL files -- one for 32-bit systems and one for 64-bit ones -- that implemented a Monero mining program. Once loaded, the cryptominer initiates communications with a series of Tor nodes, which likely serve as anonymizing proxies in order to hide the real location of their mining pools.
“During the past two years, cryptomining malware has been on a constant rise, featuring ever increasing levels of sophistication, utilizing advanced fileless techniques to attack targets in enterprise environments,” the Deep Instinct researchers said. “While analysis and research of this malware are still ongoing, in light of the above-mentioned findings, we are reasonably convinced that this is a new, sophisticated cryptominer variant, fairly distinguishable from other previously documented malware of this type.”
Defending against PowerShell attacks
PowerShell is a powerful and useful system administration tool, but it has become a widely used attack vector in recent years, so it’s imperative for enterprises to limit its use on systems where it’s not needed or at the very least add logging and detection capabilities to it.
Microsoft recommends using PowerShell version 5, which has the most advanced logging features of all PowerShell versions. Unfortunately, even after installing version 5, PowerShell version 2 will still remain on the system and allow for downgrade attacks, so system administrators should make sure to remove this older version from their systems.
PowerShell can also be configured in what is called Constrained Language mode if the system’s users don’t need its full power. For administering remote servers, a limited shell mode known as Just Enough Administration (JEA) can be used.
Other effective mitigations involve configuring PowerShell to only allow the execution of digitally signed scripts and the use of Windows 10’s AppLocker feature in order to validate scripts before they’re allowed to run.
Finally, if PowerShell is not needed on a system, it can be removed entirely. This will offer the best protection but is rarely practical because the tool is often needed to automate system administration tasks.
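The mitigations listed above are mostly registry-backed Group Policy settings plus a feature removal, so they can be applied and audited from a script. The following is an added example, not code from the article: it turns on script block, module and transcription logging, removes the PowerShell 2.0 engine, sets the execution policy to signed scripts only, and then reports the resulting state together with the session's language mode and whether an AppLocker script rule collection is in effect. The transcript directory and the function names are assumptions; run it from an elevated Windows PowerShell 5.1 prompt.

```powershell
# Added example (not the article's code): apply and audit the PowerShell
# hardening steps discussed above. Assumes an elevated PowerShell 5.1 session.

$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$TranscriptDir = 'C:\PSTranscripts'   # assumed value; in practice point this at a write-only share

function Enable-PowerShellLogging {
    # These are the same values Group Policy writes; setting them locally has the
    # same effect. Script block logging produces event 4104 in the
    # Microsoft-Windows-PowerShell/Operational log, which is where encoded and
    # reflectively loaded code becomes visible in clear text.
    $sbl = Join-Path $PolicyRoot 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

    $mod = Join-Path $PolicyRoot 'ModuleLogging'
    New-Item -Path (Join-Path $mod 'ModuleNames') -Force | Out-Null
    Set-ItemProperty -Path $mod -Name EnableModuleLogging -Value 1 -Type DWord
    New-ItemProperty -Path (Join-Path $mod 'ModuleNames') -Name '*' -Value '*' `
        -PropertyType String -Force | Out-Null

    $tr = Join-Path $PolicyRoot 'Transcription'
    New-Item -Path $tr -Force | Out-Null
    New-Item -Path $TranscriptDir -ItemType Directory -Force | Out-Null
    Set-ItemProperty -Path $tr -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name OutputDirectory -Value $TranscriptDir
}

function Disable-PowerShellV2 {
    # Installing version 5 leaves the 2.0 engine in place, which allows downgrade
    # attacks that bypass the logging enabled above. This removes it on Windows
    # 10/11 clients; on Windows Server use: Uninstall-WindowsFeature PowerShell-V2
    $feature = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root `
        -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root `
            -NoRestart | Out-Null
    }
}

function Set-SignedScriptsOnly {
    # Only scripts carrying a trusted Authenticode signature may run.
    Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
}

function Get-PowerShellHardeningState {
    # Read back each setting so the result can be compared against a baseline.
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root `
        -ErrorAction SilentlyContinue
    # AppLocker: look for a Script rule collection in the effective policy XML.
    $scriptMode = 'NoPolicy'
    try {
        $xml = Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop
        $m = [regex]::Match($xml, '<RuleCollection Type="Script" EnforcementMode="(\w+)"')
        if ($m.Success) { $scriptMode = $m.Groups[1].Value }
    } catch { }

    [pscustomobject]@{
        ScriptBlockLogging = (Get-ItemProperty (Join-Path $PolicyRoot 'ScriptBlockLogging') `
            -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1
        ModuleLogging      = (Get-ItemProperty (Join-Path $PolicyRoot 'ModuleLogging') `
            -ErrorAction SilentlyContinue).EnableModuleLogging -eq 1
        Transcription      = (Get-ItemProperty (Join-Path $PolicyRoot 'Transcription') `
            -ErrorAction SilentlyContinue).EnableTranscripting -eq 1
        PowerShellV2       = if ($v2) { $v2.State } else { 'NotPresent' }
        ExecutionPolicy    = Get-ExecutionPolicy -Scope LocalMachine
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode   # FullLanguage vs ConstrainedLanguage
        AppLockerScript    = $scriptMode                                   # Enabled / AuditOnly / NoPolicy
    }
}

Enable-PowerShellLogging
Disable-PowerShellV2
Set-SignedScriptsOnly
Get-PowerShellHardeningState | Format-List
```

Two things the script only reports rather than sets: Constrained Language mode is enforced by an AppLocker or WDAC policy in enforcement mode, not by a switch of its own, so the audit shows the current session's language mode and the AppLocker script rule state for an administrator to act on; and the execution policy and logging values are consulted by the PowerShell host at startup, so sessions already running keep their old behaviour until restarted. JEA endpoints for remote administration are a separate configuration step (session configuration files registered with Register-PSSessionConfiguration) and are not covered here.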