Elastic Security Labs and Antiy experts have uncovered a new cryptocurrency mining operation, tracked as REF4578, in which the GhostEngine malware abuses vulnerable drivers to disable antivirus programs and deploy the XMRig miner.
Both Elastic Security Labs and Antiy have highlighted the sophisticated nature of the attack. While they have provided guidance on how to detect and stop the threat, they have not linked the activity to known hacker groups or disclosed details about the victims, leaving the origins and scale of the campaign shrouded in mystery.
Ghostengine Modus Operandi
The initial access vector remains unclear, but the attack starts with the execution of a file named TiWorker.exe, disguised as the legitimate Windows component of the same name. This executable serves as the first stage for launching Ghostengine, a PowerShell script that loads various modules onto the infected machine.
Following the TiWorker.exe launch, the C2 server delivers the Get.png script, which acts as the primary Ghostengine loader. This PowerShell script fetches additional modules, disables Windows Defender, enables remote services, and clears several Windows event logs.
The script checks for a minimum of 10 MB of available disk space before proceeding with the infection, creates scheduled tasks to ensure persistence, and then downloads and executes the SmartSscreen.exe file, the main malicious Ghostengine component. This program disables and delays EDR solutions, launches XMRig for cryptocurrency mining, and downloads two vulnerable drivers (aswArPot.sys and IObitUnlockers.sys) that are used to disable security programs.
Ghostengine Infection Chain
Protective Measures Against Ghostengine
Elastic Security experts advise vigilance for suspicious PowerShell executions, anomalous process activity, unusual network traffic pointing to cryptocurrency mining pools, and the presence of vulnerable drivers and the kernel services that load them.
To preemptively safeguard against Ghostengine, blocking the creation of files such as aswArPot.sys and IObitUnlockers.sys is recommended. Elastic Security Labs has also shared YARA rules in its report to aid defenders in spotting Ghostengine infections.
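The detection advice above (suspicious PowerShell, anomalous processes, traffic to mining pools, vulnerable driver activity) and the file-blocking recommendation can be turned into a small rule set. The following is an added example, not code from the Elastic Security Labs or Antiy reports: it scans constructed endpoint telemetry records and reports which of those behaviours each record matches. The event field names, the sample file paths, the base64 fragment, and the list of common mining-pool ports are assumptions made for illustration; only the TiWorker.exe, smartsscreen.exe, aswArPot.sys and IObitUnlockers.sys names come from the article.

```python
"""Rule-based triage of endpoint events for GhostEngine-style behaviour.

Added illustration; event schema and samples are constructed, not real telemetry.
"""
import re
from typing import Dict, List, Tuple

# Driver file names the article reports GhostEngine abusing (matched case-insensitively).
VULNERABLE_DRIVERS = {"aswarpot.sys", "iobitunlockers.sys"}
# Component name the article attributes to the campaign.
KNOWN_COMPONENTS = {"smartsscreen.exe"}
# Stratum ports commonly used by Monero pools (heuristic assumption; tune per environment).
MINING_POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
# Command-line fragments typical of hidden or download-and-execute PowerShell launches.
POWERSHELL_FLAGS = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass"
    r"|downloadstring|iex\b|invoke-expression)",
    re.IGNORECASE,
)

# Constructed sample events (field names are assumptions for this example).
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process", "image": r"C:\Windows\WinSxS\servicing\TiWorker.exe", "cmdline": "TiWorker.exe -Embedding"},
    {"type": "process", "image": r"C:\Users\Public\TiWorker.exe", "cmdline": "TiWorker.exe"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Process"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ep bypass -w hidden -enc SQBFAFgA"},
    {"type": "process", "image": r"C:\Windows\Fonts\smartsscreen.exe", "cmdline": "smartsscreen.exe"},
    {"type": "network", "process": "svchost.exe", "dst": "203.0.113.5", "dst_port": 443},
    {"type": "network", "process": "smartsscreen.exe", "dst": "203.0.113.10", "dst_port": 14444},
    {"type": "driver_load", "path": r"C:\Windows\System32\drivers\aswArPot.sys"},
    {"type": "file_create", "path": r"C:\Windows\Temp\IObitUnlockers.sys"},
    {"type": "file_create", "path": r"C:\Windows\Temp\report.txt"},
]


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def should_block_file(path: str) -> bool:
    """File-creation policy from the article: refuse to write the abused driver names anywhere."""
    return basename(path) in VULNERABLE_DRIVERS


def analyze(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (rule_name, detail) pairs for every event that matches a detection rule."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        kind = ev["type"]
        if kind == "process":
            name = basename(ev["image"])
            # The real TiWorker.exe lives under the Windows directory; a copy elsewhere is anomalous.
            if name == "tiworker.exe" and not ev["image"].lower().startswith("c:\\windows\\"):
                findings.append(("anomalous_process", f"TiWorker.exe outside Windows directory: {ev['image']}"))
            if name == "powershell.exe" and POWERSHELL_FLAGS.search(ev.get("cmdline", "")):
                findings.append(("suspicious_powershell", ev["cmdline"]))
            if name in KNOWN_COMPONENTS:
                findings.append(("known_component", ev["image"]))
        elif kind == "network":
            if ev["dst_port"] in MINING_POOL_PORTS:
                findings.append(("mining_pool_traffic", f"{ev['process']} -> {ev['dst']}:{ev['dst_port']}"))
        elif kind == "driver_load":
            if basename(ev["path"]) in VULNERABLE_DRIVERS:
                findings.append(("vulnerable_driver_loaded", ev["path"]))
        elif kind == "file_create":
            if should_block_file(ev["path"]):
                findings.append(("vulnerable_driver_file", ev["path"]))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Each rule is deliberately narrow so that the benign records (the real TiWorker.exe path, a plain `Get-Process`, HTTPS to port 443, an ordinary temp file) produce nothing; in practice the port list and the PowerShell pattern are the parts that need tuning against a site's own baseline.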
While no significant sums have been traced to a single payment