paint-brush
Powershell Cryptostealer Attacks: An Invisible Threatby@jiniuspark
396 reads
396 reads

Powershell Cryptostealer Attacks: An Invisible Threat

by Jin ParkMay 11th, 2023
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

DNS traffic analysis can identify suspicious patterns of suspicious behavior. Malware could have evolved, presenting a new variant that is yet to be fully understood. By analyzing the DNS traffic, we can highlight these suspicious pathways and cut off the malware's line of communication. This early detection allowed them to raise the alarm and start the early detection process.
featured image - Powershell Cryptostealer Attacks: An Invisible Threat
Jin Park HackerNoon profile picture

An Invisible Threat

Most antivirus software is designed to detect known threats. But, what about the new, unknown threats that keep evolving in the cyber world? The answer lies in identifying patterns of suspicious behavior.


Upon further investigation, the malicious clusters associated with the trojan virus Doina were found to be linked to a botnet. Botnets are networks of private computers that have been infected with malicious software.


These networks are controlled by cybercriminals as a group without the knowledge of the individual computer owners.


In the virtual world, not all paths lead to legitimate places. Some, created by DGAs, lead to the control servers of cybercriminals. By analyzing the DNS traffic, we can highlight these suspicious pathways and cut off the malware's line of communication.


In June 2022, Through DNS traffic analysis a system flagged a cluster of public suffixes - the last part of a domain name that follows the final dot, like '.com' or '.org'. This cluster was associated with a high number of IP address sources, indicating potential victims of an attack.


For further references:


Unmasking the Invisible Threat

A deep dive into these public suffixes revealed a pattern. They were not listed on domain blacklists, meaning they were not recognized as threats.


Further investigation led to an Australian discussion forum where users were reporting suspicious activities on their computers. This revealed the true nature of the threat - a PowerShell script implementing a Domain Generation Algorithm.


The script was designed to steal cryptocurrency wallets from infected machines. It also attempted to whitelist itself from antivirus software, effectively making it invisible to most security systems.

The Power of Network Analysis

As the threat of cyber-attacks continues to grow, researchers and experts are working tirelessly to devise strategies and techniques to mitigate these risks. One recent development involves the discovery of a new trojan virus known as Doina, which has been identified as a significant threat to computer systems and networks.

Tracking the DNS traffic, researchers at Pluribus One, an Italian cybersecurity research institute, were able to identify malicious clusters associated with the malware. This early detection allowed them to raise the alarm and initiate the process of mitigating the threat. However, further work on the virus revealed a new keyword, service, which suggests that the malware may have evolved into a new variant that is not yet fully understood.

This discovery underlines the importance of maintaining constant vigilance and adaptability in the face of evolving cyber threats. Cybersecurity experts must constantly evolve their strategies and techniques to stay one step ahead of the threats posed by viruses such as Doina.

Keeping up to date with the latest developments in the cybersecurity landscape is critical for staying informed on potential threats and identifying measures to mitigate them. By remaining alert and proactive, we can continue to protect computer systems and minimize the risks that cyber-attacks pose to our information and infrastructure.



Let's break this down into simpler terms:


Kaspersky illustration of a Botnet - Ref. https://www.kaspersky.com/resource-center/threats/botnet-attacks


In recent times, cybersecurity experts have come across a new botnet that poses a threat to computer systems and networks that utilizes a PowerShell script to execute its activities.


The botnet uses a technique known as Domain Generation Algorithm (DGA) to generate domain addresses that are randomly generated and point to no particular destination.


However, some of these randomly-generated domains are controlled by the botnet, which allows the threat actors to execute their malicious activities.


Because the generated domain names are randomly generated and are not known beforehand, it becomes challenging to block the botnet from malicious activities.


To counter this cybersecurity threat, experts in the field are working on advanced techniques such as DNS traffic analysis, adversarial machine learning, and other sophisticated methods that can detect and respond to the threat posed by the botnet.