
Insecure drivers exploited in GhostEngine cryptomining campaign


Separate reports from Elastic Security Labs and Antiy describe a novel cryptomining campaign that exploits vulnerable kernel drivers to deploy the GhostEngine payload, which disables endpoint detection and response (EDR) systems and then distributes the XMRig miner, according to BleepingComputer.

According to Elastic Security Labs researchers, intrusions begin with the execution of an executable named "Tiworker.exe" that impersonates a legitimate Windows file. It downloads a PowerShell script that retrieves additional modules, disables Windows Defender, establishes scheduled tasks, and stages the delivery and execution of the primary GhostEngine payload. GhostEngine then terminates and deletes EDR software, deploys XMRig, and establishes persistence through the "oci.dll" file.

Neither report provides specifics about the attackers or the campaign's victims, but Elastic Security researchers urged organizations to watch for suspicious process activity and PowerShell execution, and to prevent insecure drivers from creating files.
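The process-chain behaviour described above (a spoofed Tiworker.exe launching PowerShell, which in turn creates scheduled tasks) is something a defender can test for directly in process-creation telemetry. The following is an added example written for this page, not code from Elastic, Antiy or BleepingComputer. It assumes a minimal Sysmon-style event record (pid, ppid, image, parent_image, cmdline), that the genuine TiWorker.exe is installed under C:\Windows\WinSxS (an assumption about the servicing stack's normal location), and uses constructed sample events rather than real telemetry. The rule names are hypothetical.

```python
"""Added example: flag process-creation events that match the GhostEngine
delivery chain described in the article. Event format, rule names and the
'legitimate TiWorker.exe lives under WinSxS' assumption are this example's own."""

# Assumption: the genuine servicing-stack worker is installed under WinSxS.
# Any Tiworker.exe running from elsewhere is treated as a spoofed binary.
LEGIT_TIWORKER_DIR = "c:\\windows\\winsxs\\"
POWERSHELL_NAMES = {"powershell.exe", "pwsh.exe"}

# Constructed sample events (not real telemetry). Order is treated as chronological.
SAMPLE_EVENTS = [
    # Legitimate TiWorker.exe started by svchost from the WinSxS servicing stack.
    {"pid": 1201, "ppid": 800,
     "image": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_PLACEHOLDER\\TiWorker.exe",
     "parent_image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "TiWorker.exe -Embedding"},
    # Spoofed Tiworker.exe dropped in a user-writable directory.
    {"pid": 1340, "ppid": 1100,
     "image": "C:\\Users\\Public\\Tiworker.exe",
     "parent_image": "C:\\Users\\Public\\setup.exe",
     "cmdline": "Tiworker.exe"},
    # PowerShell spawned by the spoofed binary to run a downloaded script.
    {"pid": 1350, "ppid": 1340,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Users\\Public\\Tiworker.exe",
     "cmdline": "powershell.exe -NoProfile -w hidden -File C:\\Users\\Public\\stage.ps1"},
    # Scheduled task created from that PowerShell process for persistence.
    {"pid": 1360, "ppid": 1350,
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "schtasks.exe /Create /SC ONLOGON /TN Updater /TR C:\\Users\\Public\\stage.ps1"},
    # Benign interactive PowerShell launched from Explorer; must not alert.
    {"pid": 1400, "ppid": 900,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "cmdline": "powershell.exe -NoProfile"},
]


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Walk process-creation events in order and return a list of (rule, pid)
    alerts. Later rules key off earlier hits so the whole chain is tied together
    rather than alerting on PowerShell or schtasks in isolation."""
    alerts = []
    suspicious_pids = set()  # pids already tied to the chain

    for e in events:
        name = basename(e["image"])
        parent_name = basename(e["parent_image"])

        # Rule 1: a process calling itself Tiworker.exe outside the WinSxS
        # servicing-stack directory is a name-spoofing binary.
        if name == "tiworker.exe" and not e["image"].lower().startswith(LEGIT_TIWORKER_DIR):
            alerts.append(("spoofed_tiworker", e["pid"]))
            suspicious_pids.add(e["pid"])

        # Rule 2: PowerShell whose parent is any Tiworker.exe (spoofed or not;
        # the servicing worker has no business launching a shell) or an
        # already-flagged process.
        elif name in POWERSHELL_NAMES and (parent_name == "tiworker.exe" or e["ppid"] in suspicious_pids):
            alerts.append(("powershell_from_tiworker", e["pid"]))
            suspicious_pids.add(e["pid"])

        # Rule 3: scheduled-task creation from a process already in the chain
        # (the persistence step the article describes).
        elif name == "schtasks.exe" and "/create" in e["cmdline"].lower() and e["ppid"] in suspicious_pids:
            alerts.append(("schtask_from_suspicious_chain", e["pid"]))
            suspicious_pids.add(e["pid"])

    return alerts


if __name__ == "__main__":
    for rule, pid in analyze(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Keying rules 2 and 3 on the parent having already been flagged is what keeps the benign interactive PowerShell session (pid 1400) quiet while the three linked events in the spoofed chain each raise an alert; in production the same chaining would be done over the pid/ppid fields of real EDR or Sysmon Event ID 1 records rather than the constructed list above.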
