GHOSTENGINE Uses Vulnerable Drivers to Disable EDRs in Sophisticated Cryptojacking Attack
May 22, 2024
A new cryptojacking campaign called REF4578, which uses a primary payload known as GHOSTENGINE, has been discovered. The campaign employs vulnerable drivers to disable security solutions, specifically Endpoint Detection and Response (EDR) systems, in a type of attack known as Bring Your Own Vulnerable Driver (BYOVD). According to researchers from Elastic Security Labs, GHOSTENGINE uses these drivers to terminate and delete EDR agents that could potentially interfere with a well-known coin miner.
This campaign exhibits an unusual level of complexity to ensure the successful installation and persistence of the XMRig miner. The attack begins with an executable file used to run a PowerShell script, which retrieves an obfuscated script masquerading as a PNG image. This script fetches additional payloads from a command-and-control (C2) server.
The malware also attempts to disable Microsoft Defender Antivirus, clear several Windows event log channels, and ensure there is sufficient space on the C: volume to download files. If there is not enough space, it will try to delete large files from the system before looking for another volume with sufficient space.
The PowerShell script also creates three scheduled tasks on the system to run a malicious DLL every 20 minutes, launch itself by means of a batch script every hour, and execute a file called smartsscreen.exe every 40 minutes. The main purpose of smartsscreen.exe, also known as GHOSTENGINE, is to deactivate security processes using a vulnerable Avast driver, complete the initial infection, and execute the miner.
The Uptycs Threat Research Team has separately discovered a large-scale operation, ongoing since January 2024, that exploits known flaws in the Log4j logging utility (e.g., CVE-2021-44228) to deliver an XMRig miner onto targeted hosts. Most of the affected servers are located in China, followed by Hong Kong, the Netherlands, Japan, the U.S., Germany, South Africa, and Sweden.
BYOVD is a technique where a threat actor brings a known-vulnerable signed driver, loads it into the kernel, and exploits it to perform privileged actions. These actions often aim to disarm security processes and allow the threat actor to operate stealthily.
Microsoft has shipped the Vulnerable Driver Blocklist enabled by default since Windows 11 22H2, but the list is only updated once or twice a year, so users must update it manually in between for optimal protection. The exact scope of the campaign and the identity of the threat actors behind it remain unknown. However, the unusual sophistication of what appears to be a straightforward illicit cryptocurrency mining attack has drawn attention.
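A defender-side check for the traits described above (scheduled tasks that fire every 20 to 60 minutes, Defender real-time protection switched off, cleared event logs, and the blocklist setting), added here as an example; it is not code from the article or from Elastic Security Labs. The interval threshold, the writable-path list, the launcher pattern and the treatment of a missing registry value are assumptions.

```powershell
# Added hunting script (assumptions marked); not the article's or Elastic's code.
# Flags short-interval scheduled tasks, disabled Defender real-time protection,
# cleared event logs and the Vulnerable Driver Blocklist state. Run elevated.
$maxInterval  = [TimeSpan]::FromHours(1)                 # campaign tasks run every 20-60 min
$suspectNames = @('smartsscreen.exe')                    # executable name reported in the write-up
$userPaths    = @('\Users\', '\Temp\', '\ProgramData\')  # assumed user-writable locations
$findings     = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Type, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Finding = $Type; Detail = $Detail })
}

# 1. Scheduled tasks that repeat at most hourly and run a suspicious command
foreach ($task in Get-ScheduledTask | Where-Object State -ne 'Disabled') {
    foreach ($trigger in $task.Triggers) {
        $rep = $trigger.Repetition.Interval              # ISO 8601 duration, e.g. PT20M
        if (-not $rep) { continue }
        $interval = [System.Xml.XmlConvert]::ToTimeSpan($rep)
        if ($interval -gt $maxInterval) { continue }
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            $nameHit = $suspectNames | Where-Object { $cmd -like "*$_*" }
            $pathHit = $userPaths    | Where-Object { $cmd -like "*$_*" }
            $lolHit  = $cmd -match 'rundll32|cmd\.exe|\.bat|powershell'   # DLL/batch/script launchers (assumption)
            if ($nameHit -or $pathHit -or $lolHit) {
                Add-Finding 'SuspiciousScheduledTask' "$($task.TaskPath)$($task.TaskName) every $interval -> $cmd"
            }
        }
    }
}

# 2. Microsoft Defender real-time protection switched off
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp -and -not $mp.RealTimeProtectionEnabled) { Add-Finding 'DefenderRealTimeProtectionOff' 'Get-MpComputerStatus' }

# 3. Cleared event logs: Security event 1102 and System event 104 survive a clear
$clearedFilters = @(@{ LogName = 'Security'; Id = 1102 }, @{ LogName = 'System'; Id = 104 })
foreach ($filter in $clearedFilters) {
    Get-WinEvent -FilterHashtable $filter -MaxEvents 5 -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'EventLogCleared' "$($_.LogName) cleared at $($_.TimeCreated)" }
}

# 4. Vulnerable Driver Blocklist value; a missing value is reported for manual review (assumption)
$ci = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
if (-not $ci -or $ci.VulnerableDriverBlocklistEnable -ne 1) { Add-Finding 'VulnerableDriverBlocklistUnset' 'verify in Windows Security > Core isolation' }

$findings | Format-Table -AutoSize
```

On Windows 11 22H2 and later the blocklist can be active without the registry value being present, so finding 4 is a prompt to confirm the setting rather than proof it is off.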
This discovery follows the finding of a technique called EDRaser that exploits flaws in Microsoft Defender (CVE-2023-24860 and CVE-2023-36010) to remotely delete access logs, Windows event logs, databases, and other files. The issue also affects Kaspersky: both products use byte signatures to detect malware, so a threat actor can implant malware signatures into legitimate files and trick the tools into treating those files as malicious.