Recently found malware uses advanced techniques to defeat antivirus safeguards, delete signs of infection, and permanently infect devices with cryptocurrency-mining software, experts said.
"The first goal of the GhostEngine malware is to disable endpoint security solutions and specific Windows event logs, such as Security and System logs, which record process creation and service registration," said Elastic Security Labs researchers, who found the attacks.
The Anatomy of GhostEngine
- Targeting Endpoint Security Solutions: GhostEngine specifically aims at endpoint security solutions, which include antivirus software, intrusion detection systems, and endpoint detection and response (EDR) tools. By disabling these defenses, the attackers gain a foothold within the victim’s system.
- Driver Exploitation: The attack abuses vulnerable signed drivers shipped by legitimate security vendors, such as Avast and IObit. Because drivers run in kernel mode, GhostEngine uses them to gain access to the kernel, the most privileged part of the system.
- Silent Disabling of EDR: Once inside, GhostEngine silently disables the EDR system. This step is crucial because EDR tools monitor system behavior, detect anomalies, and respond to threats. By neutralizing EDR, GhostEngine ensures that its activities remain undetected.
- Cryptocurrency Mining Payload: With the defenses down, GhostEngine deploys its payload: XMRig, a popular Monero (XMR) mining software. Monero is favored by cybercriminals due to its privacy features, making it difficult to trace transactions. The compromised system becomes a silent miner, contributing computational power to the attacker’s mining pool.
About GhostEngine
GhostEngine, a component of the primary payload, disables Microsoft Defender and any other antivirus or endpoint security software running on the targeted computer. This step is critical to the operation of the larger, unusually complex malware framework. It also masks any signs of compromise.
When GhostEngine first starts, it checks the machine for any EDR (endpoint detection and response) software that may be running. If it detects any, it loads drivers with known vulnerabilities that let attackers gain access to the kernel, access to which is otherwise tightly restricted to prevent tampering.
Modus operandi
One of the vulnerable drivers is Avast's anti-rootkit driver, aswArPots.sys. GhostEngine uses it to terminate the EDR security agent. A malicious file named smartscreen.exe then deletes the security agent binary using the IObit driver iobitunlockers.sys.
Once the vulnerable drivers are loaded, detection opportunities diminish drastically, and organizations must look for affected endpoints that stop submitting logs to their SIEM (security information and event management system), according to the researchers. Their findings are consistent with recent research from Antiy.
After the EDR has been terminated, smartscreen.exe downloads and installs XMRig, a legitimate Monero mining tool that is frequently abused by threat actors. A bundled configuration file directs all mined coins to an attacker-controlled wallet.
The infection chain begins with the execution of a malicious binary masquerading as the genuine Windows file TiWorker.exe. That file executes a PowerShell script that obtains an obfuscated script called get.png, which downloads additional tools, modules, and configurations from an attacker-controlled server.
File execution to enable the virus
GhostEngine also runs several files that make the malware persistent, so that it is reloaded every time the infected machine restarts.
To accomplish this, the get.png script creates the following scheduled tasks running as SYSTEM, the most privileged account in Windows:
- OneDriveCloudSync uses msdtc to start the malicious service DLL C:\Windows\System32\oci.dll every 20 minutes.
- DefaultBrowserUpdate will launch C:\Users\Public\run.bat, which downloads and executes the get.png script every 60 minutes.
- OneDriveCloudBackup will run C:\Windows\Fonts\smartsscreen.exe every 40 minutes.
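As an added defensive example (not from the article or from Elastic's report), the following PowerShell hunt checks a single Windows host for the artifacts named above: the three scheduled task names, the dropped file paths, and the two vulnerable driver files. It assumes an elevated session and that the names and paths are exactly as the writeup lists them; both spellings of the smartscreen binary used in the text are included.

```powershell
# Added hunt script, not part of the original writeup. Flags the scheduled tasks,
# dropped files and vulnerable drivers named in the article on the local host.
# Run from an elevated PowerShell session.

$taskNames   = @('OneDriveCloudSync', 'DefaultBrowserUpdate', 'OneDriveCloudBackup')
$taskPaths   = @('C:\Windows\System32\oci.dll',
                 'C:\Users\Public\run.bat',
                 'C:\Windows\Fonts\smartsscreen.exe',   # spelling used in the task list
                 'C:\Windows\Fonts\smartscreen.exe')    # spelling used in the prose
$driverFiles = @('aswArPots.sys', 'iobitunlockers.sys')

$findings = @()

# 1. Scheduled tasks: match on the task name or on any listed path in an action.
foreach ($task in Get-ScheduledTask) {
    $actionText = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
    $nameHit = $taskNames -contains $task.TaskName
    $pathHit = $false
    foreach ($p in $taskPaths) { if ($actionText -like "*$p*") { $pathHit = $true } }
    if ($nameHit -or $pathHit) {
        $findings += [pscustomobject]@{
            Kind   = 'ScheduledTask'
            Name   = $task.TaskName
            Detail = "$($task.TaskPath) | user=$($task.Principal.UserId) | $actionText"
        }
    }
}

# 2. Files present at the dropped-file paths, with their last write time.
foreach ($p in $taskPaths) {
    if (Test-Path -LiteralPath $p) {
        $findings += [pscustomobject]@{
            Kind = 'DroppedFile'; Name = $p; Detail = (Get-Item -LiteralPath $p).LastWriteTime
        }
    }
}

# 3. Vulnerable drivers registered as system drivers, running or stopped.
foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
    foreach ($f in $driverFiles) {
        if ($drv.PathName -and $drv.PathName -like "*$f*") {
            $findings += [pscustomobject]@{
                Kind = 'VulnDriver'; Name = $drv.Name; Detail = "$($drv.State) $($drv.PathName)"
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No GhostEngine artifacts from the writeup found on this host.' }
else { $findings | Format-Table -AutoSize }
```

A hit on a driver alone is not proof of infection, since the same drivers ship with the legitimate products; treat it as a lead to correlate with task and file findings and with any gap in the host's SIEM log submissions.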
Why GhostEngine Matters
- Financial Gain: GhostEngine’s primary motive is financial. By harnessing the victim’s computing resources, the attackers mine Monero, potentially yielding substantial profits. The longer the attack remains undetected, the more cryptocurrency they accumulate.
- Resource Drain: Cryptojacking strains system resources—CPU, memory, and electricity—leading to slower performance and increased energy bills. Users may notice sluggishness but remain unaware of the underlying cause.
- Corporate Impact: In corporate environments, widespread cryptojacking can disrupt business operations. Overloaded systems affect productivity, and IT teams must allocate resources to investigate and remediate the issue.