Medium
A new Monero cryptominer has been discovered by Deep Instinct during an incident targeting an Asia-based aviation organization. This miner is persistent, file-less, and leverages the Tor infrastructure. The infection chain begins with a PowerShell command that creates a scheduled task set to run another encoded PowerShell command at system startup. This 2nd encoded PowerShell command, when decoded, reveals the use of a reflective-PE loader that retrieves malicious content stored in the registry and injects it into its own process as run-time compiled C# code.
MD5
URL
http[:]//165[.]22[.]50[.]215/functionupdate[.]exe