
GhostEngine Malware

A crypto mining attack campaign codenamed REF4578 has been discovered deploying a threatening payload named GhostEngine. The malware is capable of exploiting vulnerable drivers to turn off security products and deploy an XMRig miner. Researchers have highlighted the unusual sophistication of these crypto-mining attacks in reports detailing their findings. However, so far, the experts have not attributed the activity to any known threat actors, nor have they revealed any details about targets or victims, so the campaign's origin and scope remain unknown.

The GhostEngine Malware Begins Its Attack by Posing as a Legitimate File

The initial method of server breach remains unclear, but the attack begins with the execution of a file named 'Tiworker.exe,' which poses as a legitimate Windows file. This executable serves as the initial staging payload for GhostEngine, a PowerShell script designed to download various modules for different harmful activities on the infected device.

Upon execution, Tiworker.exe downloads a PowerShell script named 'get.png' from the attacker's Command-and-Control (C2) server, acting as the primary loader for GhostEngine. This script retrieves additional modules and their configurations, disables Windows Defender, enables remote services and clears various Windows event logs.

Subsequently, get.png checks for at least 10MB of free space on the system, a requirement for advancing the infection, and creates scheduled tasks named 'OneDriveCloudSync,' 'DefaultBrowserUpdate,' and 'OneDriveCloudBackup' to ensure persistence.

The GhostEngine Malware Can Shut Down Security Software on Victims' Devices

The PowerShell script proceeds to download and execute an executable named smartsscreen.exe, which serves as GhostEngine's primary payload. This malware is tasked with terminating and deleting Endpoint Detection and Response (EDR) software and downloading and launching XMRig to mine cryptocurrency. To disable EDR software, GhostEngine utilizes two vulnerable kernel drivers: aswArPots.sys (an Avast driver) to terminate EDR processes and IObitUnlockers.sys (an IObit driver) to delete the corresponding executables.

For persistence, a DLL named 'oci.dll' is loaded by a Windows service called 'msdtc.' Upon activation, this DLL downloads a fresh copy of 'get.png' to install the latest version of GhostEngine on the machine.

Given the possibility that each victim might be assigned a unique wallet, the financial gains from the GhostEngine malware attacks could be substantial.

Recommended Security Measures against the GhostEngine Miner Malware

Researchers recommend that defenders remain vigilant for indicators such as suspicious PowerShell executions, unusual process activity, and network traffic directed toward cryptocurrency mining pools. Furthermore, the deployment of vulnerable drivers and the creation of the associated kernel-mode services should be treated as significant warning signs on any system. As a proactive measure, blocking the creation of the vulnerable driver files themselves, such as aswArPots.sys and IObitUnlockers.sys, can help mitigate these threats.
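As an added example (not from the write-up or any vendor tool), the following triage function flags the GhostEngine indicators named above in endpoint telemetry; the event-record shape and the sample records are constructed for illustration, and the only outside fact it relies on is that the genuine TiWorker.exe is installed under \Windows\WinSxS\.

```python
"""Flag GhostEngine indicators (driver names, task names, masqueraded and
staging files, the msdtc/oci.dll hook) in simple endpoint event records."""
from typing import Dict, List

# Indicators quoted from the write-up, lower-cased for matching.
VULNERABLE_DRIVERS = {"aswarpots.sys", "iobitunlockers.sys"}
PERSISTENCE_TASKS = {"onedrivecloudsync", "defaultbrowserupdate", "onedrivecloudbackup"}
STAGING_IMAGES = {"smartsscreen.exe"}

def _basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX-style) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify_event(ev: Dict[str, str]) -> List[str]:
    """Return indicator tags for one event record; empty list means no match."""
    tags: List[str] = []
    kind = ev.get("type")
    image = _basename(ev.get("image", ""))
    if kind == "driver_load" and image in VULNERABLE_DRIVERS:
        tags.append("vulnerable-driver:" + image)
    elif kind == "task_create" and ev.get("task", "").lower() in PERSISTENCE_TASKS:
        tags.append("persistence-task:" + ev["task"])
    elif kind == "process_create":
        if image in STAGING_IMAGES:
            tags.append("staging-payload:" + image)
        # Genuine TiWorker.exe lives under \Windows\WinSxS\; a copy anywhere
        # else matches the impersonation described in the write-up.
        if image == "tiworker.exe" and "\\windows\\winsxs\\" not in ev.get("image", "").lower():
            tags.append("masquerade:tiworker.exe")
    elif kind == "image_load":
        # oci.dll loaded into the msdtc service host is the persistence hook.
        if image == "oci.dll" and _basename(ev.get("process", "")) == "msdtc.exe":
            tags.append("persistence-dll:oci.dll")
    return tags

def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map the index of every matching event to its indicator tags."""
    return {i: t for i, ev in enumerate(events) if (t := classify_event(ev))}

# Constructed sample telemetry, not a real capture.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\WinSxS\amd64_servicingstack\TiWorker.exe"},
    {"type": "process_create", "image": r"C:\Users\Public\Tiworker.exe"},
    {"type": "task_create", "task": "OneDriveCloudSync"},
    {"type": "task_create", "task": "Backup Nightly"},
    {"type": "driver_load", "image": r"C:\Windows\Temp\aswArPots.sys"},
    {"type": "driver_load", "image": r"C:\Windows\System32\drivers\ntfs.sys"},
    {"type": "image_load", "process": r"C:\Windows\System32\msdtc.exe", "image": r"C:\Windows\System32\oci.dll"},
    {"type": "process_create", "image": r"C:\ProgramData\smartsscreen.exe"},
]

if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_EVENTS).items():
        print(idx, hit)
```

Name-based matches like these are a starting point for hunting; pair them with the driver-file blocking and mining-pool network monitoring recommended above.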
