Malware News GHOSTENGINE Exploits Vulnerable Drivers to Disable EDRs in Cryptojacking Attack

silversurfer

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,396
Content source
https://thehackernews.com/2024/05/ghostengine-exploits-vulnerable-drivers.html
Cybersecurity researchers have discovered a new cryptojacking campaign that employs vulnerable drivers to disable known security solutions (EDRs) and thwart detection in what's called a Bring Your Own Vulnerable Driver (BYOVD) attack.

Elastic Security Labs is tracking the campaign under the name REF4578 and the primary payload as GHOSTENGINE. Previous research from Chinese cybersecurity firm Antiy Labs has codenamed the activity as HIDDEN SHOVEL.

"GHOSTENGINE leverages vulnerable drivers to terminate and delete known EDR agents that would likely interfere with the deployed and well-known coin miner," Elastic researchers Salim Bitam, Samir Bousseaden, Terrance DeJesus, and Andrew Pease said. "This campaign involved an uncommon amount of complexity to ensure both the installation and persistence of the XMRig miner."
Click to expand...
 
  • Like
  • +Reputation
Reactions: Gandalf_The_Grey, Andy Ful, vtqhtr413 and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,215
Analysis revealed that this binary executes a hardcoded PowerShell command line to retrieve an obfuscated script, get.png, which is used to download further tools, modules, and configurations from the attacker C2– as depicted in the screenshot below.
Click to expand...

It means that the attack can be stopped by blocking outbound connections of PowerShell.
The hardcoded PowerShell command line uses also a type blocked by Constrained Language mode. (y)
 
  • +Reputation
  • Like
Reactions: Gandalf_The_Grey, simmerskool and Allego

Similar threads

silversurfer
    • Like
    • Wow
    • +Reputation
Security News 300,000 Systems Vulnerable to New Loop DoS Attack
Replies
0
Views
968
Security News
silversurfer
silversurfer
Gandalf_The_Grey
    • Like
    • +Reputation
    • Wow
Security News 22 Energy Firms Hacked in Largest Coordinated Attack on Denmark’s Critical Infrastructure
Replies
6
Views
1,991
Security News
oldschool
oldschool
MuzzMelbourne
    • Like
    • +Reputation
Terminator antivirus killer is a vulnerable Windows driver in disguise
Replies
0
Views
1,442
News Archive
MuzzMelbourne
MuzzMelbourne

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top