Fileless malware predominantly relies on PowerShell scripts, leveraging the native capabilities of Windows systems to execute stealthy attacks that leave few or no traces on disk on the victim's system. The effectiveness of the fileless method lies in its ability to remain operational on victim endpoints through in-memory execution, even if the attack is detected and the original malicious scripts are removed. Threat actors have increasingly utilized this technique, particularly since 2017, to conduct cryptojacking attacks. With the emergence of new Remote Code Execution (RCE) vulnerabilities in ubiquitous libraries, widespread cryptocurrency mining attacks have become prevalent, often employing fileless techniques. This paper provides a comprehensive analysis of the PowerShell scripts used in fileless cryptojacking, dissecting the common malicious patterns based on the MITRE ATT&CK framework.