May 22, 2024 at 05:47AM
Cybersecurity researchers have identified a new cryptojacking campaign, known as REF4578 or HIDDEN SHOVEL, using a Bring Your Own Vulnerable Driver (BYOVD) attack to disable security solutions. The campaign employs an intricate method involving PowerShell scripts, scheduled tasks, and various modules to deploy the XMRig miner and evade detection. Additionally, the BYOVD technique allows attackers to exploit vulnerabilities in signed drivers to execute privileged actions and disable security processes, posing significant challenges for defense mechanisms.
The disclosure of this sophisticated attack follows the emergence of other disruptive methods, such as EDRaser, aiming to exploit flaws in security programs like Microsoft Defender and Kaspersky. Furthermore, the development of a bypass to undermine the security offered by Palo Alto Networks Cortex XDR and the introduction of HookChain represent additional threats that bypass standard security controls and evade detection by common endpoint detection and response software.
These sophisticated attack methods underscore the continuous need for vigilance and innovation in cybersecurity, as threat actors find new and creative ways to compromise systems and evade traditional security measures.
Based on the meeting notes, the key takeaways are as follows:
1. A new cryptojacking campaign, REF4578 (codenamed HIDDEN SHOVEL), has been discovered by cybersecurity researchers. The campaign uses a technique called BYOVD (Bring Your Own Vulnerable Driver) to disable known security solutions (EDRs) and deploy a coin miner named GHOSTENGINE.
2. The campaign involves complex methods, including the use of vulnerable drivers to disable security processes, downloading additional payloads from a command-and-control (C2) server, disabling antivirus software, clearing Windows event log channels, and ensuring sufficient space for file downloads.
3. The primary payload, smartsscreen.exe (GHOSTENGINE), is designed to deactivate security processes using vulnerable drivers and execute the XMRig client mining program.
4. Another ongoing operation exploits known flaws in the Log4j logging utility to deliver an XMRig miner onto targeted hosts and has impacted servers in various locations, with a majority in China.
5. BYOVD is an increasingly popular technique used by threat actors to load vulnerable signed drivers into the kernel and perform privileged actions, aiming to disarm security processes and operate stealthily.
6. Various novel techniques, such as EDRaser and HookChain, have been discovered to undermine security mechanisms, including exploiting flaws in Microsoft Defender and bypassing security protections offered by Palo Alto Networks Cortex XDR.
These takeaways illustrate the evolving landscape of cybersecurity threats, highlighting the sophistication and diversity of techniques used by threat actors to compromise systems and evade detection.
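Two of the behaviours listed above leave clear traces in host telemetry: a Bring Your Own Vulnerable Driver load (a signed but vulnerable driver dropped outside the normal driver directories) and the clearing of Windows event log channels. The script below is an added example written from the defender's side, not code from the report or from the campaign it describes. It runs two simple rules over a handful of constructed log records shaped like Sysmon Event ID 6 (driver loaded), Security Event ID 1102 (audit log cleared) and System Event ID 104 (System log cleared). The event field names, the blocklist contents and all hashes are assumptions or constructed placeholders; in practice the blocklist would be populated from a maintained vulnerable-driver list such as the LOLDrivers project.

```python
"""Added detection sketch for two behaviours summarised in the report:
kernel driver loads typical of BYOVD, and Windows event-log clearing.
Event records are constructed; the field layout is an assumption."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Placeholder blocklist of vulnerable-driver hashes (constructed, not real).
KNOWN_VULNERABLE_DRIVER_HASHES = {
    "SHA256=" + "a" * 64,
}

# Directories where properly installed drivers normally live (lower-cased).
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# (channel, event id) pairs that record a log channel being wiped.
LOG_CLEARED_EVENTS = {
    ("security", 1102),  # "The audit log was cleared"
    ("system", 104),     # "The System log file was cleared"
}
SYSMON_DRIVER_LOADED = 6  # Sysmon Event ID 6: Driver loaded


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def check_driver_load(event: dict) -> Optional[Alert]:
    """Flag a Sysmon driver-load event whose hash is on the blocklist, or whose
    image sits outside the trusted driver directories (a dropped driver)."""
    if event.get("channel") != "sysmon" or event.get("event_id") != SYSMON_DRIVER_LOADED:
        return None
    image = event.get("image", "").lower()
    # Sysmon writes hashes as "SHA256=...,MD5=..."; compare each entry.
    hashes = event.get("hashes", "").split(",")
    if any(h in KNOWN_VULNERABLE_DRIVER_HASHES for h in hashes):
        return Alert("byovd.known_vulnerable_driver", event["host"], image)
    if not image.startswith(TRUSTED_DRIVER_DIRS):
        return Alert("byovd.driver_from_untrusted_path", event["host"], image)
    return None


def check_log_cleared(event: dict) -> Optional[Alert]:
    """Flag Security 1102 / System 104, which record a log channel being cleared."""
    key = (event.get("channel"), event.get("event_id"))
    if key in LOG_CLEARED_EVENTS:
        who = event.get("user", "?")
        return Alert("defense_evasion.event_log_cleared", event["host"],
                     f"{key[0]} log cleared by {who}")
    return None


def scan(events: Iterable[dict]) -> List[Alert]:
    """Run every rule over every event and collect the alerts in input order."""
    alerts: List[Alert] = []
    for ev in events:
        for check in (check_driver_load, check_log_cleared):
            hit = check(ev)
            if hit is not None:
                alerts.append(hit)
    return alerts


# Constructed sample events; not captured from any real host.
SAMPLE_EVENTS = [
    {"host": "ws01", "channel": "sysmon", "event_id": 6,
     "image": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "hashes": "SHA256=" + "b" * 64},                      # benign load
    {"host": "ws01", "channel": "sysmon", "event_id": 6,
     "image": "C:\\Windows\\Temp\\driver.sys",
     "hashes": "SHA256=" + "c" * 64},                      # untrusted path
    {"host": "ws01", "channel": "sysmon", "event_id": 6,
     "image": "C:\\Windows\\System32\\drivers\\vuln.sys",
     "hashes": "SHA256=" + "a" * 64},                      # blocklisted hash
    {"host": "ws01", "channel": "security", "event_id": 1102, "user": "SYSTEM"},
    {"host": "ws01", "channel": "system", "event_id": 104, "user": "SYSTEM"},
    {"host": "ws01", "channel": "security", "event_id": 4624, "user": "alice"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.host}: {alert.detail}")
```

Run against the constructed sample, the scan raises four alerts: the driver loaded from `C:\Windows\Temp`, the driver matching the placeholder blocklist, and the two log-cleared events; the legitimate driver load and the ordinary logon are ignored. The path rule is deliberately kept alongside the hash rule because a blocklist only catches drivers already known to be vulnerable, whereas a signed driver appearing in a temp directory is suspicious regardless of its hash.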