
PCASTLE

Posted: June 12, 2019

PCASTLE is a Trojan that uses exploits and brute-force techniques to spread itself to other computers. Its payload includes a cryptocurrency-mining application that can use your system's resources to create Monero coins. Users can implement appropriate network and browser-based defenses to lower their risk of infection and let anti-malware products handle removing PCASTLE or the mining program.

The Eternal Color of Illicit Coinage

The NSA's leaked EternalBlue exploit, an abuse of the Server Message Block protocol that uses mishandled packets to execute corrupted code, is at the heart of another Trojan campaign's propagation. PCASTLE's purpose in using this coding oversight to infect new PCs is monetary, just like the attacks of BlackSquid, the Nansh0u Mine or Beapy. It even uses the same means of making money: the XMRig Monero-mining program.

PCASTLE's preference for XMRig, a prominent application for generating Monero cryptocurrency, may be due to the latter's light footprint, which, under a standard configuration, shows few symptoms that would alarm users and make them notice the infection. Besides farming out the mining to a third-party program, PCASTLE layers its installation and persistence routines substantially, avoiding dropping files on the drive and using default Windows features like task scheduling. Both PCASTLE and the multiple Trojan droppers involved in these infection steps rely heavily on PowerShell scripts, much like the ANTAK Remote Access Trojan.

While malware researchers find few cues that would make PCASTLE comparably invasive to a RAT, PCASTLE's options for self-distribution are comprehensive. Besides leveraging EternalBlue, it can use pass-the-hash-style attacks to bypass login credentials and, like many threats these days, will try brute-forcing any weak logins that use 'guessable' values like 'admin123'.

Drawbacks to Letting Criminals Erect Castles on Your Computer

A cryptocurrency-mining Trojan is capable of burning out hardware, causing performance issues, and using up bandwidth, among other problems. Furthermore, PCASTLE's harvesting of system data and contact with a Command & Control server raises the possibility of further attacks, although malware experts have yet to confirm any changes in the Trojan's specialty. Its current propagation techniques are more likely to compromise unprotected business, NGO or government servers, but individual PC owners are also at potential risk.

Campaigns involving PCASTLE are usually Asia-focused, with strings of attacks verified throughout China and Japan. PCASTLE's use of memory injection, while conventional, is a simple means of having a Trojan avoid visibility, and users should rely on automated anti-malware services to detect the Trojan. The anti-malware products of most brands should delete PCASTLE and the threatening variant of XMRig appropriately.

Security fixes for most versions of Windows will block the EternalBlue exploit that PCASTLE uses so effectively. Lamentably, there isn't a patch for users who insist on keeping unsecured passwords, which are all but as good as rolling out the red carpet for the campaigns of Monero-mining Trojans.
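The two traits described above, persistence through scheduled tasks that launch PowerShell without a script on disk and propagation over SMBv1 via EternalBlue, suggest a host-side audit. The following is an added example written for this page, not code from the original write-up or from any vendor; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (where Get-SmbServerConfiguration and Get-ScheduledTask exist), and the argument strings it searches for are heuristics that can also match legitimate administrative tasks.

```powershell
# Added defensive audit for PCASTLE-style tradecraft (not from the original page).
# Assumes an elevated session on Windows 8 / Server 2012 or newer.

# 1. EternalBlue abuses SMBv1. Report whether this host's SMB server still accepts it.
function Get-Smb1Exposure {
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        Check   = 'SMBv1 server protocol'
        Enabled = $cfg.EnableSMB1Protocol
        Advice  = if ($cfg.EnableSMB1Protocol) {
            'Disable with Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force ' +
            '(after confirming no legacy clients need it) and verify the MS17-010 update is installed'
        } else {
            'SMBv1 disabled on the server side; confirm the MS17-010 update is still installed'
        }
    }
}

# 2. PCASTLE persists via scheduled tasks that run PowerShell in memory.
#    Flag task actions whose command line carries typical fileless-launch markers.
#    Substring heuristics only: review each hit rather than deleting on sight.
$SuspiciousArgs = @('-EncodedCommand', '-enc ', '-e ', 'DownloadString', 'IEX',
                    'Invoke-Expression', '-WindowStyle Hidden', '-w hidden', 'Net.WebClient')

function Get-SuspiciousPowerShellTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Non-executable actions (COM handlers) have no Execute property; skip them.
            if ($action.Execute -notmatch 'powershell|pwsh') { continue }
            $hits = $SuspiciousArgs | Where-Object {
                $action.Arguments -and
                $action.Arguments.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0
            }
            if ($hits) {
                [pscustomobject]@{
                    TaskPath   = $task.TaskPath
                    TaskName   = $task.TaskName
                    RunAs      = $task.Principal.UserId
                    State      = $task.State
                    Indicators = ($hits -join ', ')
                    Arguments  = $action.Arguments
                }
            }
        }
    }
}

Get-Smb1Exposure | Format-List
Get-SuspiciousPowerShellTasks | Format-Table -AutoSize -Wrap
```

A task that appears here is worth comparing against the PowerShell script-block log (Event ID 4104) for the same period before deciding whether it is an administrative job or a persistence foothold.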
