A new wave of attacks involving PCASTLE malware are targeting systems located in China with the XMRig cryptocurrency miner. On 17 May, Trend Micro first observed a series of attacks that use PCASTLE, an obfuscated PowerShell script, to target mainly China-based systems with XMRig, cryptomining malware was involved in numerous attacks in 2018. The security firm subsequently witnessed the campaign reach its peak on 22 May before leveling out. Additional analysis of the attacks provided a detailed view into their infection chain. Using various components for their propagation methods, the attacks use a scheduled task or RunOnce registry key to download the first-layer PowerShell script. This script tries to access a list of URLs so that it can retrieve a PowerShell command, execute it and save it as another scheduled task. At this stage, the scheduled task downloads and executes the second-layer PowerShell script, which reports information back to its command-and-control (C&C) server before loading the third-layer PowerShell script. It is this element that downloads the XMRig module, which it injects into its PowerShell process, as well as PCASTLE, which helps the campaign propagate to other potential victims using exploit code for EternalBlue, brute forcing capabilities and pass-the-hash techniques.
In its report of the campaign, Trend Micro said it's logical that those responsible for the attacks used a Monero miner like XMRig:
Their use of XMRig as their payload’s miner module is also not surprising. Algorithms for Monero mining are not as resource-intensive compared to other miners, and don’t require a lot of processing power. This means they can illicitly mine the cryptocurrency without alerting users unless they notice certain red flags like performance issues.
Organizations can protect themselves against attacks such as the ones described above by disabling PowerShell, WMI and macros if they're not using them. They should also use a vulnerability management program to keep their software up-to-date. Additional security recommendations for organizations are available here.
