GhostEngine Mining Attacks Exploit Vulnerable Drivers to Overcome EDR Security
A malicious crypto-mining campaign known as “REF4578” has been identified; it uses GhostEngine as its payload. This payload disables security measures and installs an XMRig miner by exploiting vulnerable drivers.
Researchers from Elastic Security Labs and Antiy have shown in different studies how distinctively sophisticated these attacks on cryptocurrency mining are. They have also made detection criteria available to assist defenses in identifying and neutralizing these threats.
The campaign’s origins and extent are unknown, though, as neither report identifies the activity’s targets or victims or links it to recognized threat actors.
GhostEngine
Although the initial breach method for servers remains unclear, the attack by the threat actor begins with executing a file named ‘Tiworker.exe,’ which pretends to be a legitimate Windows file.
This executable is the first staging payload for the PowerShell script GhostEngine, which downloads modules to an infected device in order to carry out numerous tasks.
The PowerShell script ‘get.png’ is downloaded by Tiworker.exe from the attacker’s command and control (C2) server, which serves as GhostEngine’s main loader.
Next, this PowerShell script turns off Windows Defender, activates remote services, downloads more modules and their configurations, and cleans up a slew of Windows event logs.
Subsequently, get.png generates scheduled activities called ‘OneDriveCloudSync,’ ‘DefaultBrowserUpdate,’ and ‘OneDriveCloudBackup’ for persistence and verifies that the system has at least 10MB of free space—a prerequisite for propagating the infection.
The PowerShell script then downloads and launches an executable named smartsscreen.exe, which serves as GhostEngine’s primary payload. This malware is responsible for terminating and deleting EDR software and for downloading and launching XMRig to mine cryptocurrency.
To terminate EDR software, GhostEngine loads two vulnerable kernel drivers: aswArPots.sys (an Avast driver) to terminate EDR processes and IObitUnlockers.sys (an Iobit driver) to delete the associated executable. Windows service’msdtc’ loads a DLL called ‘oci.dll’ in order to preserve persistence. The DLL downloads a new copy of ‘get.png’ to install the most recent GhostEngine version on the computer when this service launches. Elastic hasn’t seen any appreciable profits from the one payment ID they looked into, but since every victim can have a different wallet, the total profit might be sizable.
Defending Against GhostEngine
Researchers at Elastic advise defenders to keep an eye out for network traffic going to crypto-mining pools, strange process activity, and odd PowerShell executions. Furthermore, in any setting, the establishment of related kernel-mode services and the distribution of susceptible drivers should be regarded as warning signs.
Blocking file creation from susceptible drivers like aswArPots.sys and IobitUnlockers.sys is a preventative step. Elastic Security has also included YARA guidelines in its report to assist defenders in identifying GhostEngine infections.