This new dual-payload cryptojacking malware can disable Windows Antimalware Scan Interface and inject itself directly into the memory of legitimate processes.

Along with ransomware, cryptocurrency mining malware is one of the most common threats to enterprise systems. Just like with ransomware, the sophistication of cryptominers has grown over the years, incorporating attack vectors and techniques such as fileless execution, run-time compilation and reflective code injection that were once associated with advanced persistent threats (APTs).

Researchers from security firm Deep Instinct have recently come across a cryptominer infection on the systems of a large Asia-based company in the aviation industry. The attack, which deployed a new Monero cryptocurrency miner, used PowerShell, reflective PE injection, run-time code compilation and Tor for anonymity.

The malware arrived as an encoded PowerShell script that, when executed, set up a scheduled task to run at system startup and launch a second encoded PowerShell command. This secondary payload used a module called Invoke-ReflectivePEInjection from PowerSploit and PowerShell Empire, two PowerShell-based exploitation frameworks, to extract code stored in the registry and inject it into its own running process.

“While run-time compilation is not new, it is becoming more and more prevalent with the rising popularity of file-less attacks, and can bear certain advantages for an attacker such as the avoidance of some of PowerShell’s protection mechanisms,” the Deep Instinct researchers said in a new report.

Storing malicious code inside the registry instead of a file on disk, and then injecting it directly into the memory of legitimate processes, is a technique that was first used in APT attacks to evade antivirus detection.
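The persistence chain described above (a scheduled task that launches powershell.exe with an encoded command, which then pulls a payload out of the registry for reflective injection) leaves an artifact that defenders can audit directly: the task's action line. The following script is an added example written for this article, not code from the Deep Instinct report or from the malware; it decodes any base64 command passed to a PowerShell task action and flags the indicators the article names (registry reads, Invoke-ReflectivePEInjection, run-time compilation). The indicator list, the sample task and the registry path in the sample are constructed for the demonstration.

```powershell
# Added example (not from the Deep Instinct report). Audits scheduled-task actions
# for encoded PowerShell commands, decodes them, and reports matches against a
# constructed indicator list. Run on the host being investigated (Windows 8/2012+).

$Indicators = @(
    'Invoke-ReflectivePEInjection',   # PowerSploit / Empire module named in the article
    'Get-ItemProperty',               # reading payload bytes back out of the registry
    'FromBase64String',               # decoding an embedded stage
    'Add-Type'                        # run-time C# compilation inside PowerShell
)

function ConvertFrom-EncodedCommand {
    param([string]$Arguments)
    # powershell.exe accepts any unique prefix of -EncodedCommand (-e, -ec, -enc ...);
    # the argument is base64 of the UTF-16LE script text.
    if ($Arguments -match '(?i)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return $null }   # not base64 after all (e.g. -ExecutionPolicy Unrestricted)
    }
    return $null
}

function Test-TaskAction {
    param([string]$TaskName, [string]$Execute, [string]$Arguments)
    if ($Execute -notmatch '(?i)(powershell|pwsh)(\.exe)?"?$') { return $null }
    $decoded = ConvertFrom-EncodedCommand $Arguments
    if (-not $decoded) { return $null }
    $hits = @($Indicators | Where-Object { $decoded -match [regex]::Escape($_) })
    [pscustomobject]@{
        TaskName   = $TaskName
        Decoded    = $decoded
        Indicators = $hits
        Suspicious = ($hits.Count -gt 0)
    }
}

# Live audit of the local machine using the ScheduledTasks module.
function Find-EncodedPowerShellTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $result = Test-TaskAction -TaskName $task.TaskName `
                                      -Execute $action.Execute -Arguments $action.Arguments
            if ($result) { $result }
        }
    }
}

# Constructed offline sample: a benign string that merely names two indicators,
# encoded the same way a script is passed on the powershell.exe command line.
$sampleScript  = "Get-ItemProperty -Path 'HKLM:\SOFTWARE\Constructed\Sample'; Invoke-ReflectivePEInjection"
$sampleEncoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($sampleScript))
Test-TaskAction -TaskName 'ConstructedSample' `
    -Execute 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -Arguments "-NoP -W Hidden -Enc $sampleEncoded" | Format-List
# On a real host: Find-EncodedPowerShellTasks | Where-Object Suspicious | Format-List
```

The decoder is deliberately lenient about the switch spelling because the command-line parser is; the decoded text, not the raw argument, is what gets matched, so indicators hidden behind encoding are still visible. Treat the indicator list as a starting point to tune against your own baseline of legitimate encoded tasks rather than as a complete signature.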
Such fileless execution tactics are now common for a variety of malware threats, including ransomware.

In this case, the code stored inside the system registry consisted of two .DLL files, one for 32-bit systems and one for 64-bit ones, that implemented a Monero mining program. Once loaded, the cryptominer initiates communications with a series of Tor nodes, which likely serve as anonymizing proxies in order to hide the real location of its mining pools.

“During the past two years, cryptomining malware has been on a constant rise, featuring ever increasing levels of sophistication, utilizing advanced fileless techniques to attack targets in enterprise environments,” the Deep Instinct researchers said. “While analysis and research of this malware are still ongoing, in light of the above-mentioned findings, we are reasonably convinced that this is a new, sophisticated cryptominer variant, fairly distinguishable from other previously documented malware of this type.”

Defending against PowerShell attacks

PowerShell is a powerful and useful system administration tool, but it has become a widely used attack vector in recent years, so it’s imperative for enterprises to limit its use on systems where it’s not needed or, at the very least, add logging and detection capabilities to it.

Microsoft recommends using PowerShell version 5, which has the most advanced logging features of all PowerShell versions. Unfortunately, even after installing version 5, PowerShell version 2 will still remain on the system and allow for downgrade attacks, so system administrators should make sure to remove this older version from their systems.

PowerShell can also be configured in what is called Constrained Language mode if the system’s users don’t need its full power.
For administering remote servers, a limited shell mode known as Just Enough Administration (JEA) can be used.

Other effective mitigations involve configuring PowerShell to only allow the execution of digitally signed scripts and using Windows 10’s AppLocker feature to validate scripts before they’re allowed to run.

Finally, if PowerShell is not needed on a system, it can be removed entirely. This offers the best protection but is rarely practical, because the tool is often needed to automate system administration tasks.
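The mitigations above (run version 5, remove the version 2 engine, turn on logging, require signed scripts, check for Constrained Language mode) can be audited and, for the most part, applied from one elevated PowerShell session. The script below is an added example written for this article, not Microsoft's or Deep Instinct's code. It reads and writes the documented policy registry locations for script block, module and transcription logging; the transcript directory is an assumed value you should replace with a write-only share, and the Windows Server feature name is noted in a comment because the optional-feature cmdlet targets client editions.

```powershell
# Added example (not from the article). Audit the PowerShell hardening points the
# article lists, then apply the ones that are safe to set from a script.
# Run from an elevated prompt on the host you are hardening.

function Get-PowerShellHardeningState {
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    # Client editions expose the v2 engine as an optional feature; on Windows Server
    # use Get-WindowsFeature PowerShell-V2 instead.
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Version            = $PSVersionTable.PSVersion            # article recommends 5.x for its logging
        V2EngineInstalled  = [bool]($v2 -and $v2.State -eq 'Enabled')
        ScriptBlockLogging = (Get-ItemProperty "$pol\ScriptBlockLogging" -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1
        ModuleLogging      = (Get-ItemProperty "$pol\ModuleLogging"      -ErrorAction SilentlyContinue).EnableModuleLogging -eq 1
        Transcription      = (Get-ItemProperty "$pol\Transcription"      -ErrorAction SilentlyContinue).EnableTranscripting -eq 1
        ExecutionPolicy    = Get-ExecutionPolicy -Scope LocalMachine
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode # ConstrainedLanguage when locked down
    }
}

function Set-PowerShellHardening {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumed path; point it at a write-only share
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    # 1. Remove the v2 engine so a downgrade cannot sidestep v5 logging.
    #    (Windows Server: Uninstall-WindowsFeature PowerShell-V2)
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null

    # 2. Enable script block, module and transcription logging (v5 features).
    New-Item "$pol\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty "$pol\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
    New-Item "$pol\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty "$pol\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty "$pol\ModuleLogging\ModuleNames" -Name '*' -Value '*'   # log every module
    New-Item "$pol\Transcription" -Force | Out-Null
    Set-ItemProperty "$pol\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty "$pol\Transcription" -Name OutputDirectory -Value $TranscriptDir

    # 3. Only run digitally signed scripts. Execution policy is a guardrail rather
    #    than a security boundary, which is why the logging above and AppLocker or
    #    Constrained Language mode belong alongside it.
    Set-ExecutionPolicy AllSigned -Scope LocalMachine -Force
}

Get-PowerShellHardeningState | Format-List
# Set-PowerShellHardening      # apply, then re-run Get-PowerShellHardeningState to confirm
```

Constrained Language mode and AppLocker are reported but not enforced here, because they are normally delivered through an AppLocker or Windows Defender Application Control policy rather than a local script; the `LanguageMode` field tells you whether such a policy is already in effect on the session you are auditing.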