GhostEngine mining attacks kill EDR security using vulnerable drivers

Ghostly hacker

A malicious crypto mining campaign codenamed ‘REF4578,’ has been discovered deploying a malicious payload named GhostEngine that uses vulnerable drivers to turn off security products and deploy an XMRig miner.

Researchers at Elastic Security Labs and Antiy have underlined the unusual sophistication of these crypto-mining attacks in separate reports and shared detection rules to help defenders identify and stop them.

However, neither report attributes the activity to known threat actors nor shares details about targets/victims, so the campaign’s origin and scope remain unknown.


While it is unclear how servers are initially breached, the threat actor’s attack starts with the execution of a file named ‘Tiworker.exe,’ which masquerades as a legitimate Windows file.

This executable is the initial staging payload for GhostEngine, a PowerShell script that downloads various modules to conduct different behaviors on an infected device.

When Tiworker.exe is executed, it will download a PowerShell script named ‘get.png’ from the attacker’s command and control (C2) server, which acts as GhostEngine’s primary loader.

This PowerShell script downloads additional modules and their configurations, disables Windows Defender, enables remote services, and clears various Windows event logs.

Next, get.png verifies that the system has at least 10MB of free space, which is necessary for furthering the infection, and creates scheduled tasks named ‘OneDriveCloudSync,’ ‘DefaultBrowserUpdate,’ and ‘OneDriveCloudBackup,’ for persistence.

Scheduled tasks added for persistence
Scheduled tasks added for persistence
Source: Elastic Security

The PowerShell script will now download and launch an executable named smartsscreen.exe, which acts as GhostEngine’s primary payload.

This malware is responsible for terminating and deleting EDR software and downloading and launching the XMRig to mine for cryptocurrency.

To terminate EDR software, GhostEngine loads two vulnerable kernel drivers: aswArPots.sys (Avast driver), which is used to terminate EDR processes, and IObitUnlockers.sys (Iobit driver) to delete the associated executable.

A list of the processes targeted by the EDR terminator is shown below:

Hardcoded EDR list
Hardcoded EDR list used by both kill.png and smartscreen.exe
Source: Elastic Security

For persistence, a DLL named ‘oci.dll’ is loaded by a Windows service named ‘msdtc’. When started, this DLL will download a fresh copy of ‘get.png’ to install the latest version of GhostEngine on the machine.

Though Elastic hasn’t seen impressive figures from the single payment ID they examined, it’s possible that each victim comes with a unique wallet, so the overall financial gain could be significant.

Complete GhostEngine attack chain
Complete GhostEngine attack chain
Source: Elastic Security

Defending against GhostEngine

Elastic researchers suggest defenders look out for suspicious PowerShell execution, unusual process activity, and network traffic pointing to crypto-mining pools.

Additionally, deploying vulnerable drivers and creating associated kernel mode services should be treated as red flags in any environment.

An aggressive measure is to block file creation from vulnerable drivers like aswArPots.sys and IobitUnlockers.sys.

Elastic Security has also provided YARA rules in the report to help defenders identify GhostEngine infections.

Related Articles

Back to top button