Concrete signature match: Trojan (appears legitimate but performs malicious actions), Linux platform, family CoinMiner
This is a concrete detection of a cryptocurrency miner that abuses built-in Windows system tools such as `mshta`, `PowerShell`, and scheduled tasks for execution, persistence, and evasion. It hijacks system resources for illicit cryptocurrency mining, which can degrade system performance and stability.
Relevant strings associated with this threat:
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- mshta (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- WH_SHELL (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- shch (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
Associated file hash: 31186dc2e3fce4d202aa0cab8f4049c0021d2007088ad3dbbe8a53768277b21a

Remediation: Isolate the affected system and perform a full system scan with updated antivirus definitions to remove all detected components. Investigate for any established persistence mechanisms, associated malicious files, or lateral movement. Implement application whitelisting and ensure all systems are regularly patched.