GHOSTENGINE Uses Vulnerable Drivers to Disable EDRs in Sophisticated Cryptojacking Attack

May 22, 2024

A new cryptojacking campaign called REF4578, which uses a primary payload known as GHOSTENGINE, has been discovered. The campaign employs vulnerable drivers to disable security solutions, specifically Endpoint Detection and Response (EDR) systems, in a type of attack known as Bring Your Own Vulnerable Driver (BYOVD). According to researchers from Elastic Security Labs, GHOSTENGINE uses these drivers to terminate and delete EDR agents that could potentially interfere with a well-known coin miner.

This campaign exhibits an unusual level of complexity to ensure the successful installation and persistence of the XMRig miner. The attack begins with an executable file used to run a PowerShell script, which retrieves an obfuscated script masquerading as a PNG image. This script fetches additional payloads from a command-and-control (C2) server.

The malware also attempts to disable Microsoft Defender Antivirus, clear several Windows event log channels, and ensure there is sufficient space on the C: volume to download files. If there is not enough space, it will try to delete large files from the system before looking for another volume with sufficient space.

The PowerShell script also creates three scheduled tasks on the system to run a malicious DLL every 20 minutes, launch itself by means of a batch script every hour, and execute a file called smartsscreen.exe every 40 minutes. The main purpose of smartsscreen.exe, also known as GHOSTENGINE, is to deactivate security processes using a vulnerable Avast driver, complete the initial infection, and execute the miner.

In a separate finding, the Uptycs Threat Research Team has discovered a large-scale operation, ongoing since January 2024, that exploits known flaws in the Log4j logging utility (e.g., CVE-2021-44228) to deliver an XMRig miner onto targeted hosts. Most of the affected servers are located in China, followed by Hong Kong, the Netherlands, Japan, the U.S., Germany, South Africa, and Sweden.

BYOVD is a technique where a threat actor brings a known-vulnerable signed driver, loads it into the kernel, and exploits it to perform privileged actions. These actions often aim to disarm security processes and allow the threat actor to operate stealthily.

Microsoft has deployed the Vulnerable Driver Blocklist by default starting in Windows 11 22H2, but the list is only updated once or twice a year. This means users must manually update it periodically for optimal protection. The exact scope of the campaign and the identity of the threat actors behind it remain unknown. However, the unusual sophistication of what appears to be a straightforward illicit cryptocurrency mining attack has drawn attention.

This discovery follows the finding of a technique called EDRaser that exploits flaws in Microsoft Defender (CVE-2023-24860 and CVE-2023-36010) to remotely delete access logs, Windows event logs, databases, and other files. This issue also affects Kaspersky, as both security programs use byte signatures to detect malware, allowing a threat actor to implant malware signatures into legitimate files and trick the tools into thinking they are malicious.
