
Security researchers have identified a cryptojacking campaign built around a previously undocumented malware family named “GhostEngine.” The malware loads legitimately signed but known-vulnerable drivers to disable endpoint detection and response (EDR) agents, so the attackers can mine cryptocurrency on the victim’s hardware without being noticed.

What is GhostEngine? 

GhostEngine is malware that abuses vulnerabilities in legitimate, vendor-signed software drivers, a technique known as Bring Your Own Vulnerable Driver (BYOVD). Because the driver carries a valid signature, Windows will load it into the kernel; once there, its flaws let the attacker run arbitrary kernel-mode operations, including terminating protected security processes that user-mode code cannot touch. 

How Does GhostEngine Work? 

  1. Initial Infection: The attack begins with an executable named “Tiworker.exe”, which masquerades as the legitimate Windows Modules Installer Worker process. It runs a PowerShell script that downloads the remaining payloads. 
  2. Payload Deployment: The malware fetches further modules from a command-and-control (C2) server, including the drivers, executables and scripts used to disable security software and maintain persistence on the infected machine. 
  3. EDR Disabling: GhostEngine loads two known-vulnerable drivers: Avast’s aswArPot.sys is used to terminate security-agent processes, and IObit’s iobitunlockers.sys is used to delete the agents’ files from disk so they cannot restart. With both gone, the miner runs unobserved by the EDR. 
  4. Cryptojacking: Once the security defences are neutralised, GhostEngine installs and runs the XMRig cryptominer, which mines cryptocurrency (Monero) using the victim’s resources. 
Source: elastic.co 

Key Features and Techniques 

  • Vulnerable Drivers: By loading signed but vulnerable drivers, GhostEngine gains kernel-level access, which is what lets it terminate and delete EDR components that are protected from ordinary user-mode tampering. 
  • Persistence Mechanisms: The malware establishes persistence by creating scheduled tasks and utilising various scripts that ensure it remains active and can re-download necessary components if removed. 
  • Multiple Redundancies: GhostEngine includes multiple fail-safes and fallback mechanisms, such as backup servers and alternative communication methods, to maintain its operation even if some parts are disrupted. 

Detection and Prevention 

Detecting GhostEngine can be challenging due to its ability to disable logging and security processes. However, certain behaviours and signs can indicate its presence: 

  • Suspicious PowerShell Activity: Unexpected or unusual PowerShell executions can be a sign of malicious scripts at work. 
  • Execution from Unusual Directories: Malware often runs from non-standard locations on the filesystem. 
  • Privilege Escalation and Driver Installation: Loading a driver requires administrative rights, so watch for attempts to gain them and for the driver installation itself, such as new kernel-mode services being created (for example with sc.exe) and driver-load events for binaries that are on a vulnerable-driver blocklist or outside their vendor’s install directory. 
  • Network Traffic: Monitoring network traffic for connections to known mining pool domains and unusual DNS queries can help identify compromised systems. 
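As an added example of the four indicators above (it is not Elastic’s rule set and not code from the campaign), the block below scores constructed process-creation and DNS records: suspicious PowerShell switches, Windows binary names running outside system directories, execution from user-writable locations, kernel-driver service creation via sc.exe, XMRig-style command lines and mining-pool-like DNS traffic. The token lists, directory lists, pool-domain hints and stratum port numbers are assumptions to be replaced with your own threat intelligence; the sample records are constructed.

```python
"""Triage of constructed process and DNS records for GhostEngine-style
behaviours.  Added example, not Elastic's rules; every list below is an
assumption and every record is constructed."""
from pathlib import PureWindowsPath

# PowerShell switches/cmdlets typical of download cradles and hidden execution (assumption).
POWERSHELL_TOKENS = ("-enc", "-encodedcommand", "iex", "invoke-expression",
                     "downloadstring", "downloadfile", "-w hidden",
                     "-windowstyle hidden", "-nop", "bypass")
# Where Windows system binaries legitimately live (default install paths; assumption).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# System binary names worth checking for masquerading (constructed list).
MASQUERADE_NAMES = {"tiworker.exe", "svchost.exe", "dllhost.exe"}
# Directories production software rarely executes from (assumption).
UNUSUAL_DIRS = (r"c:\users\public", r"c:\programdata",
                r"\appdata\local\temp", r"c:\windows\temp")
# Constructed mining-pool indicators; replace with your threat-intel feed.
POOL_DOMAIN_HINTS = ("pool", "xmr", "monero")
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}   # common stratum ports (assumption)


def score_process(rec: dict) -> tuple[int, list[str]]:
    """Score one process-creation record; higher is more suspicious."""
    path = PureWindowsPath(rec["image"])
    name, parent = path.name.lower(), str(path.parent).lower()
    cmd = rec.get("cmdline", "").lower()
    score, reasons = 0, []
    if name in ("powershell.exe", "pwsh.exe"):
        hits = [t for t in POWERSHELL_TOKENS if t in cmd]
        if hits:
            score += len(hits)
            reasons.append("suspicious PowerShell switches: " + ", ".join(hits))
    if name in MASQUERADE_NAMES and not parent.startswith(SYSTEM_DIRS):
        score += 3
        reasons.append(f"{name} running outside a system directory ({parent})")
    if any(d in parent for d in UNUSUAL_DIRS):
        score += 1
        reasons.append(f"execution from unusual directory {parent}")
    if name in ("sc.exe", "sc") and "type= kernel" in cmd:
        score += 3
        reasons.append("kernel driver service created via sc.exe")
    if "xmrig" in name or "stratum+tcp://" in cmd or "--donate-level" in cmd:
        score += 4
        reasons.append("XMRig-style miner command line")
    return score, reasons


def score_dns(rec: dict) -> tuple[int, list[str]]:
    """Score one DNS/connection record for mining-pool traffic."""
    query, port = rec["query"].lower(), rec.get("port")
    score, reasons = 0, []
    if any(h in query for h in POOL_DOMAIN_HINTS):
        score += 2
        reasons.append(f"domain looks like a mining pool: {query}")
    if port in STRATUM_PORTS:
        score += 2
        reasons.append(f"connection to common stratum port {port}")
    return score, reasons


def triage(records: list[dict]) -> list[dict]:
    """Return the records that scored, most suspicious first."""
    out = []
    for rec in records:
        scorer = score_dns if rec["type"] == "dns" else score_process
        score, reasons = scorer(rec)
        if score:
            out.append({"score": score, "reasons": reasons, "record": rec})
    return sorted(out, key=lambda r: r["score"], reverse=True)


# Constructed sample telemetry (not real logs).
SAMPLE_RECORDS = [
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},                                   # benign
    {"type": "process", "image": r"C:\Users\Public\Tiworker.exe",
     "cmdline": "Tiworker.exe"},                                             # masquerade
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},              # cradle
    {"type": "process", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc create aswArPot type= kernel binPath= C:\Users\Public\aswArPot.sys"},
    {"type": "process", "image": r"C:\ProgramData\cache\xmrig.exe",
     "cmdline": "xmrig.exe -o stratum+tcp://xmr.pool.example:3333 --donate-level 0"},
    {"type": "dns", "query": "xmr.pool.example", "port": 3333},
    {"type": "dns", "query": "www.example.com", "port": 443},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_RECORDS):
        print(f"score={hit['score']}", hit["record"].get("image", hit["record"].get("query")))
        for reason in hit["reasons"]:
            print("   -", reason)
```

The scores are additive so that a single weak signal (one odd PowerShell switch, one process in ProgramData) stays below an alert threshold while the combination the campaign produces, a masquerading binary in a writable directory followed by a kernel service and stratum traffic, rises to the top. Feed it from your process-creation (Sysmon Event ID 1) and DNS (Event ID 22) logs rather than the constructed records.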

Conclusion 

GhostEngine is a significant threat because its tooling disables the very security products that would otherwise catch it. Organisations should treat BYOVD as a standing risk: enforce Microsoft’s vulnerable driver blocklist (via HVCI or a WDAC policy) and keep it current, alert on the loading of any driver not on an approved list, and monitor for the behaviours described above, since a terminated or deleted EDR agent is itself a high-fidelity signal. Understanding and anticipating these techniques lets defenders protect their networks and data from such stealthy attacks. 

For more in-depth technical details and ongoing updates about GhostEngine, refer to the following sites: