Oasis Ticket Sales Scams: How to Stay Safe
During our weekly meetings with the banking industry and Police Scotland, we continue to see a significant increase in ticket scams over the last three…
GhostEngine Malware: The Silent EDR Assassin
Cyber security experts have recently identified a sophisticated cryptojacking campaign that employs a new type of malware named “GhostEngine.” This malware leverages vulnerable drivers to disable endpoint detection and response (EDR) systems, allowing attackers to remain undetected while they mine cryptocurrency.
What is GhostEngine?
GhostEngine is a malware designed to exploit vulnerabilities in legitimate software drivers, a technique known as Bring Your Own Vulnerable Driver (BYOVD). This method allows attackers to disable security measures by loading compromised drivers into the system, which operate with high privileges and can terminate security processes.
How Does GhostEngine Work?
- Initial Infection: The attack begins with an executable file (“Tiworker.exe”), which masquerades as a legitimate Windows process. This file runs a PowerShell script that downloads additional malicious payloads.
- Payload Deployment: The malware fetches modules from a command-and-control (C2) server, including drivers, executables, and scripts designed to disable security software and maintain persistence on the infected machine.
- EDR Disabling: GhostEngine uses known-vulnerable drivers like Avast’s aswArPot.sys and IObit’s iobitunlockers.sys to deactivate and delete security agents. This ensures that the malware can operate without being detected by the EDR systems.
- Cryptojacking: Once the security defences are neutralised, GhostEngine installs and runs the XMRig cryptominer, which mines cryptocurrency (Monero) using the victim’s resources.
Key Features and Techniques
- Vulnerable Drivers: By loading compromised drivers, GhostEngine gains kernel-level access to critical system resources, allowing it to disable EDR systems effectively.
- Persistence Mechanisms: The malware establishes persistence by creating scheduled tasks and utilising various scripts that ensure it remains active and can re-download necessary components if removed.
- Multiple Redundancies: GhostEngine includes multiple fail-safes and fallback mechanisms, such as backup servers and alternative communication methods, to maintain its operation even if some parts are disrupted.
Detection and Prevention
Detecting GhostEngine can be challenging due to its ability to disable logging and security processes. However, certain behaviours and signs can indicate its presence:
- Suspicious PowerShell Activity: Unexpected or unusual PowerShell executions can be a sign of malicious scripts at work.
- Execution from Unusual Directories: Malware often runs from non-standard locations on the filesystem.
- Privilege Escalation: The malware may attempt to gain higher privileges to disable security features and install drivers.
- Network Traffic: Monitoring network traffic for connections to known mining pool domains and unusual DNS queries can help identify compromised systems.
Conclusion
The GhostEngine malware represents a significant threat due to its sophisticated techniques and ability to disable advanced security solutions. Organisations must remain vigilant and implement proactive measures, such as updating vulnerable driver blocklists and monitoring for signs of malicious activity. By understanding and anticipating these threats, businesses can better protect their networks and data from such stealthy attacks.
For more in-depth technical details and ongoing updates about GhostEngine, refer to the following sites:
Related articles
Alert: Unpatched Microsoft Office Vulnerability Exposes NTLM Hashes
Microsoft has recently disclosed a significant security vulnerability affecting multiple versions of its Office suite, including Office 2016, Office 2019, Office LTSC 2021 and Microsoft…
Public Alert: Windows 11 End of Support – Action Required
Microsoft has issued an important reminder that multiple editions of Windows 11 will reach the end of their support lifecycle on 8 October 2024. This…