May 21, 2024 at 06:34PM
The ‘REF4578’ crypto mining campaign deploys GhostEngine, a sophisticated malicious payload, using vulnerable drivers to disable security products and deploy an XMRig miner. Researchers highlight GhostEngine’s unusual sophistication and provide detection rules, but the campaign’s origin and scope remain unknown. To defend against GhostEngine, look out for suspicious PowerShell execution, unusual process activity, and network traffic pointing to crypto-mining pools. Blocking file creation from vulnerable drivers is also recommended.
Based on the meeting notes, the key takeaways are:
1. A crypto mining campaign codenamed ‘REF4578’, using a payload named GhostEngine, has been discovered. This campaign deploys a sophisticated attack that disables security products and uses vulnerable drivers to deploy an XMRig miner.
2. Researchers from Elastic Security Labs and Antiy have highlighted the unusual level of sophistication in these attacks and have shared detection rules to help defenders identify and stop them.
3. The campaign’s origin and scope remain unknown as neither report attributes the activity to known threat actors nor shares details about targets/victims.
4. The attack starts with the execution of a file named ‘Tiworker.exe,’ masquerading as a legitimate Windows file. This is the initial staging payload for GhostEngine, which uses a PowerShell script to download various modules for different behaviors on an infected device.
5. The PowerShell script also disables Windows Defender, enables remote services, clears Windows event logs, and creates scheduled tasks for persistence.
6. The primary payload of GhostEngine is an executable named smartsscreen.exe, which is responsible for terminating and deleting EDR software and launching the XMRig miner for cryptocurrency mining.
7. To defend against GhostEngine, Elastic researchers recommend looking out for suspicious PowerShell execution, unusual process activity, and network traffic pointing to crypto-mining pools. Additionally, deploying vulnerable drivers and creating associated kernel mode services should be treated as red flags in any environment.
8. An aggressive measure to defend against GhostEngine is to block file creation from vulnerable drivers like aswArPots.sys and IobitUnlockers.sys.
Elastic Security has also provided YARA rules to help defenders identify GhostEngine infections.