
The Pulse of Fileless Cryptojacking Attacks: Malicious PowerShell Scripts (2401.07995v2)

Published 15 Jan 2024 in cs.CR

Abstract: Fileless malware predominantly relies on PowerShell scripts, leveraging the native capabilities of Windows systems to execute stealthy attacks that leave no traces on the victim's system. The effectiveness of the fileless method lies in its ability to remain operational on victim endpoints through in-memory execution, even if the attack is detected and the original malicious scripts are removed. Threat actors have increasingly utilized this technique, particularly since 2017, to conduct cryptojacking attacks. With the emergence of new Remote Code Execution (RCE) vulnerabilities in ubiquitous libraries, widespread cryptocurrency mining attacks have become prevalent, often employing fileless techniques. This paper provides a comprehensive analysis of the PowerShell scripts used in fileless cryptojacking, dissecting their common malicious patterns based on the MITRE ATT&CK framework.

