May 22, 2024 at 10:20AM
A new malware named GhostEngine has been identified, targeting vulnerable drivers to disable endpoint detection and response solutions. It is used in a complex cryptomining campaign by an intrusion set labeled “REF4578.” The malware’s intricate features include disabling EDR, establishing persistence, installing a backdoor, and executing a cryptominer. Detection methods are also outlined.
The meeting notes discuss the discovery of a novel malware known as GhostEngine, which is used in an elaborate cryptomining campaign. Researchers at Elastic Security Labs and Antiy Labs have identified this malware and outlined its capabilities and attack vector. The malware is designed to disable endpoint detection and response (EDR) solutions and install a previously undocumented backdoor, ultimately aiming to mine cryptocurrency without detection.
The GhostEngine attack vector involves the execution of a PE file that impersonates a legitimate Windows file, leading to the download and execution of attacker tools, GhostEngine modules, and configurations. The malware is capable of purging the system of prior infections, disabling Windows Defender, establishing persistence, and evading security tools. It also terminates EDR processes and installs a cryptominer, while enabling remote command execution on the infected system.
In terms of detection, organizations are advised to prioritize the identification of suspicious PowerShell execution, unusual directories, privilege elevation, vulnerable drivers, and associated kernel mode services. Additionally, monitoring network traffic for DNS record lookups to mining pool domains and identifying specific network protocols can aid in detection.
Detection rules and prevention events associated with the campaign include monitoring for various suspicious activities such as PowerShell downloads, service control spawned via Script Interpreter, scheduled task creation, process execution from unusual directories, and tampering with Windows Defender.
Overall, the meeting notes provide valuable insights into the capabilities and detection strategies related to the GhostEngine malware and its cryptomining campaign.