PCASTLE is not a sophisticated piece of malware in terms of construction: it is essentially a chain of PowerShell scripts that carry out the actions described in this post. Ever since cryptocurrencies gained traction, cybercriminals have been finding new ways to steal them, or to generate them on the hardware of unsuspecting users.
In essence, PCASTLE is a Trojan cryptocurrency miner. It is not known for certain how PCASTLE is distributed, but researchers have identified who the targets are: computers located in China. Of all identified victims, 92% are machines with Chinese IP addresses. Once the Trojan lands on a host, it runs the XMRig mining tool to mine its cryptocurrency of choice, Monero, which can be mined on ordinary CPUs and is hard to trace. As is usual with cryptocurrency miners, all mined coins are sent to the attacker's wallet.
PCASTLE uses several exploits and techniques to spread to other machines on the same network as 'patient zero.' The primary method is the well-known EternalBlue exploit against SMBv1 (the vulnerability patched in MS17-010), and the attackers have two fallbacks: pass-the-hash, which reuses captured NTLM password hashes to authenticate to other hosts without knowing the cleartext password, and a plain brute-force attack against weak login credentials. In practice, a single unpatched SMBv1 host, a shared local administrator password, or a weak password anywhere on the segment is enough for one infection to become many.
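The brute-force fallback is the noisiest of the three techniques and the one most visible in standard Windows telemetry: each failed SMB logon attempt is recorded on the target as Security Event ID 4625 with LogonType 3 (network logon). The detection below is an added example written for this post; it is not PCASTLE code and not from the original article. The event records are constructed and simplified to the fields a SIEM would extract, and the thresholds are illustrative values, not tuned ones.

```python
"""Detect network-logon brute forcing from Windows Security Event ID 4625.

Added example for this post; it is not PCASTLE code and not from the original
article. The records below are constructed, simplified 4625 fields, not real
telemetry.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not real logs). Each line carries the 4625 fields a SIEM
# would extract: TimeCreated, EventID, TargetUserName, IpAddress, LogonType,
# Status. 10.0.0.25 sprays many accounts over SMB within a few seconds;
# 10.0.0.7 is one user mistyping an interactive password; 10.0.0.40 is a
# service account retrying once.
SAMPLE_EVENTS = """\
2019-05-20T10:00:01 4625 TargetUserName=Administrator IpAddress=10.0.0.25 LogonType=3 Status=0xC000006D
2019-05-20T10:00:02 4625 TargetUserName=admin IpAddress=10.0.0.25 LogonType=3 Status=0xC000006D
2019-05-20T10:00:02 4625 TargetUserName=guest IpAddress=10.0.0.25 LogonType=3 Status=0xC000006D
2019-05-20T10:00:03 4625 TargetUserName=root IpAddress=10.0.0.25 LogonType=3 Status=0xC000006D
2019-05-20T10:00:03 4625 TargetUserName=test IpAddress=10.0.0.25 LogonType=3 Status=0xC000006D
2019-05-20T10:00:04 4625 TargetUserName=Administrator IpAddress=10.0.0.25 LogonType=3 Status=0xC000006D
2019-05-20T10:00:04 4625 TargetUserName=backup IpAddress=10.0.0.25 LogonType=3 Status=0xC000006D
2019-05-20T10:00:05 4625 TargetUserName=Administrator IpAddress=10.0.0.25 LogonType=3 Status=0xC000006D
2019-05-20T10:05:10 4625 TargetUserName=jdoe IpAddress=10.0.0.7 LogonType=2 Status=0xC000006D
2019-05-20T10:05:20 4625 TargetUserName=jdoe IpAddress=10.0.0.7 LogonType=2 Status=0xC000006D
2019-05-20T10:07:00 4625 TargetUserName=svc_backup IpAddress=10.0.0.40 LogonType=3 Status=0xC000006D
2019-05-20T10:07:30 4625 TargetUserName=svc_backup IpAddress=10.0.0.40 LogonType=3 Status=0xC000006D
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<eid>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+) "
    r"LogonType=(?P<ltype>\d+) Status=(?P<status>0x[0-9A-Fa-f]+)$"
)

NETWORK_LOGON = 3                    # LogonType 3: network logon, which SMB authentication produces
STATUS_LOGON_FAILURE = "0xc000006d"  # NTSTATUS for "unknown user name or bad password"


def parse_events(text):
    """Parse the flat records into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "eid": int(m["eid"]),
            "user": m["user"],
            "ip": m["ip"],
            "ltype": int(m["ltype"]),
            "status": m["status"].lower(),
        })
    return events


def detect_bruteforce(events, window=timedelta(seconds=60), max_failures=5, max_accounts=3):
    """Return {source_ip: alert} for hosts whose failed network logons exceed
    either threshold inside a sliding time window. A user mistyping a password
    twice stays below both; a host spraying many accounts trips the distinct-
    account threshold first. Thresholds are illustrative, tune to baseline."""
    by_ip = defaultdict(list)
    for e in events:
        if e["eid"] == 4625 and e["ltype"] == NETWORK_LOGON and e["status"] == STATUS_LOGON_FAILURE:
            by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        win = deque()
        for e in evs:
            win.append(e)
            while e["ts"] - win[0]["ts"] > window:   # drop events older than the window
                win.popleft()
            accounts = {w["user"] for w in win}
            if len(win) >= max_failures or len(accounts) >= max_accounts:
                a = alerts.setdefault(ip, {"failures": 0, "accounts": set(),
                                           "first": win[0]["ts"], "last": e["ts"]})
                a["failures"] = max(a["failures"], len(win))
                a["accounts"] |= accounts
                a["last"] = e["ts"]
    return alerts


if __name__ == "__main__":
    for ip, a in detect_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ip}: {a['failures']} failed network logons across "
              f"{len(a['accounts'])} accounts between {a['first']} and {a['last']}")
```

Run as-is, only 10.0.0.25 is flagged; the two benign sources stay quiet. Two caveats follow from the other propagation methods listed above: pass-the-hash succeeds with a valid NTLM hash, so it produces 4624 successes rather than 4625 failures and this rule will not see it; and EternalBlue exploits the SMBv1 service without authenticating at all, so the control there is patching MS17-010 and disabling SMBv1, not logon monitoring.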
Even though PCASTLE does not steal from its victims directly, a miner keeps the CPU at full load for as long as it runs, which degrades performance, shortens the lifespan of components and raises power bills. Beyond running a reputable anti-malware application, the propagation methods above point to the controls that matter most: apply MS17-010 and disable SMBv1, do not share a local administrator password across machines, and enforce strong passwords so that a single brute-forced account cannot become a foothold for the whole network.