
PowerShell for crypto miners

Need passwords? We have them. Need to spread over SMB? We can do it. Need to own an AD domain controller? We can own it. From serious state actors, through red team members, to cryptocurrency mining networks: everybody uses PowerShell.

Built on top of the .NET framework and present on literally every Windows system, PowerShell was designed to make system administrators' tasks simpler, with the intention of using it as a command shell processor similar to Unix shells such as bash or zsh. In a fashion similar to its Unix counterparts, the user can create (Power)Shell scripts that automate a sequence of administrative tasks. When PowerShell was launched, no one could have imagined the breadth of functionality that would be implemented with it, from basic system utilities to complex security tools for attackers and defenders.

PowerShell quickly became popular with security researchers, who created a number of offensive frameworks, such as PowerShell Empire, to help them with essential red team tasks such as conducting penetration tests. Over time, PowerShell became second only to Python when it comes to developing and delivering the latest and greatest exploits, with EternalBlue, SMBGhost and RDP BlueKeep all having their own PowerShell implementations.

The breadth of open source code available attracted malicious actors, with ransomware vendors and particularly cryptomining malware families extensively using it to spread, to download further payloads and to maintain command and control with the actor's infrastructure. This presentation shows just why PowerShell is popular with malicious actors and how it is used in particular by cryptocurrency botnets such as Lemon Duck, Prometei and Tor2mine. We will document the latest modules and tools used as ingredients in building predominantly PowerShell-based malware campaigns. The presentation is the result of research into cryptocurrency miners active in Asia, conducted during 2020.

Vanja Svajcer

Cisco Talos

Vanja Svajcer works as a Technical Leader for Cisco Talos. He is a security researcher with more than 20 years of experience in malware research and detection development. Prior to joining Talos, Vanja worked as a Principal Researcher for SophosLabs and led a Security Research Team at Hewlett Packard Enterprise.

Vanja enjoys tinkering with automated analysis systems, reversing binaries and analysing mobile malware. He thinks time spent scraping telemetry data to find indicators of new attacks is well worth the effort. He has presented his work at conferences such as Virus Bulletin, AVAR, RSA, CARO, BSides, BalCCon and many others.
