A recent revelation in the cybersecurity realm uncovers a concerning development dubbed GHOSTENGINE, a cryptojacking campaign employing a sophisticated method to bypass security measures. In this blog, we’ll look at the GHOSTENGINE exploit in detail, shedding light on its modus operandi and implications for digital security.
Cybersecurity researchers have unearthed a novel cryptojacking campaign known as GHOSTENGINE, characterized by its use of vulnerable drivers to subvert established security controls. Elastic Security Labs, which tracks this campaign, identifies the intrusion set as REF4578, with GHOSTENGINE as its primary payload.
The campaign’s complexity is noteworthy, indicating a deliberate effort to ensure the seamless deployment and persistence of malicious activities. The GHOSTENGINE exploit includes an EDR bypass to disable and remove interfering security agents.
At the heart of GHOSTENGINE lies a multi-layered approach to infiltration. The process begins with the execution of an executable file named “Tiworker.exe,” which then triggers a PowerShell script. This script, disguised as a benign PNG image (“get.png”), communicates with a command-and-control (C2) server to retrieve additional payloads. These payloads, including various modules and executables, are downloaded onto the infected host over HTTP or FTP.
GHOSTENGINE leverages vulnerable drivers, such as “aswArPot.sys” and “IObitUnlockers.sys,” to disable endpoint security software such as Microsoft Defender Antivirus. With the security agents out of the way, the malicious processes run unhindered, and the malware deploys and maintains the XMRig miner, a tool used for cryptocurrency mining.
Unexplained performance degradation is often the first visible symptom of a cryptojacking infection, though it can also result from benign causes such as software conflicts and hardware malfunctions, so it should not be relied on as the sole indicator. To maintain a foothold within the compromised system, GHOSTENGINE employs several tactics.
Scheduled tasks are created to run malicious DLLs at regular intervals, ensuring continuous operation of the malware. Additionally, the malware clears event logs and makes sure enough disk space is available for downloading and storing additional files, thus hampering detection and removal.
The emergence of GHOSTENGINE underscores the evolving landscape of cyber threats, where attackers leverage sophisticated techniques to evade detection and maximize their impact. Mitigating such threats requires a proactive approach, including keeping drivers and security tooling up to date and adopting robust endpoint detection and response (EDR) solutions. Monitoring for suspicious processes is a critical aspect of modern cybersecurity strategies, allowing organizations to detect and respond to potential threats in real time.
GHOSTENGINE epitomizes the growing trend of Bring Your Own Vulnerable Driver (BYOVD) attacks, favored by both state-sponsored actors and financially motivated cybercriminals. This technique, which involves loading vulnerable drivers into the kernel to perform privileged actions, poses a significant challenge to traditional security measures.
Organizations are increasingly relying on EDR solutions to bolster their cybersecurity defenses against evolving threats. While initiatives like Microsoft’s Vulnerable Driver Blocklist offer some defense against BYOVD attacks, proactive measures are essential. Keeping the blocklist and security tooling current and raising awareness among users can mitigate the risk posed by such vulnerabilities.
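The indicators described in the infection chain above (a PowerShell process launched by “Tiworker.exe”, a “.png” file that is really a script, the loading of the named vulnerable drivers, a scheduled task that runs a DLL, and event-log clearing) can be turned into host-based detection logic. The script below is an added example written for this post; it is not code from the post, from Elastic Security Labs, or from TuxCare. The telemetry records are constructed in a Sysmon-like shape, and the file paths (where Tiworker.exe and get.png sit, the scheduled-task command line), the rule names, and the `is_likely_ghostengine` threshold are all assumptions made for the illustration; only the driver and file names and the tactics come from the post.

```python
import os
from typing import Dict, Iterable, List, Tuple

# Driver file names the post says GHOSTENGINE abuses. Matching by basename is a
# weak indicator on its own, which is why it is combined with the other rules.
KNOWN_VULNERABLE_DRIVERS = {"aswarpot.sys", "iobitunlockers.sys"}

# Every genuine PNG file starts with this 8-byte signature.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Constructed sample telemetry (not real captures) in a Sysmon-like shape:
# id 1 = process create, id 6 = driver load, id 11 = file create,
# id 1102 = Windows Security "audit log was cleared", id 104 = System log cleared.
# Paths and command lines are assumptions for the illustration.
SAMPLE_EVENTS: List[Dict] = [
    {"id": 1, "image": r"C:\Windows\Tiworker.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "Tiworker.exe"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\Tiworker.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -f C:\\ProgramData\\get.png"},
    {"id": 11, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\ProgramData\get.png",
     "content": b"# constructed stand-in for a script body\n$x = 1\n"},
    {"id": 11, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Pictures\cat.png",
     "content": PNG_MAGIC + b"\x00\x00\x00\rIHDR"},
    {"id": 6, "image_loaded": r"C:\Windows\System32\drivers\aswArPot.sys"},
    {"id": 6, "image_loaded": r"C:\Windows\System32\drivers\IObitUnlockers.sys"},
    {"id": 6, "image_loaded": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'schtasks /create /sc minute /mo 10 /tn "Updater" '
                '/tr "rundll32.exe C:\\ProgramData\\loader.dll,Run"'},
    {"id": 1102},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, usable on any host OS."""
    return os.path.basename(path.replace("\\", "/")).lower()


def looks_like_png(data: bytes) -> bool:
    """True only if the bytes carry the PNG signature (content, not extension)."""
    return data.startswith(PNG_MAGIC)


def analyze(events: Iterable[Dict]) -> List[Tuple[str, str]]:
    """Return (rule_name, detail) pairs for every event that matches a rule."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        eid = ev["id"]
        if eid == 1:
            img = basename(ev["image"])
            parent = basename(ev["parent"])
            cmd = ev["cmdline"].lower()
            # Chain start: Tiworker.exe spawning PowerShell.
            if img == "powershell.exe" and parent == "tiworker.exe":
                findings.append(("powershell_from_tiworker", ev["cmdline"]))
            # Persistence: a scheduled task whose action runs a DLL.
            if img == "schtasks.exe" and "/create" in cmd and \
                    ("rundll32" in cmd or ".dll" in cmd):
                findings.append(("scheduled_task_runs_dll", ev["cmdline"]))
        elif eid == 6:
            drv = basename(ev["image_loaded"])
            if drv in KNOWN_VULNERABLE_DRIVERS:
                findings.append(("vulnerable_driver_loaded", drv))
        elif eid == 11:
            # A ".png" that does not start with the PNG signature is not an image.
            if ev["target"].lower().endswith(".png") and not looks_like_png(ev["content"]):
                findings.append(("png_without_png_header", ev["target"]))
        elif eid in (1102, 104):
            findings.append(("event_log_cleared", str(eid)))
    return findings


def is_likely_ghostengine(findings: List[Tuple[str, str]], threshold: int = 3) -> bool:
    """Escalate only when several distinct rules fire on the same host."""
    return len({rule for rule, _ in findings}) >= threshold


if __name__ == "__main__":
    hits = analyze(SAMPLE_EVENTS)
    for rule, detail in hits:
        print(f"{rule:28s} {detail}")
    print("escalate:", is_likely_ghostengine(hits))
```

The driver rule deliberately matches on file name only; in production it should also compare the driver's hash against Microsoft's Vulnerable Driver Blocklist, because a renamed copy of a blocked driver defeats a name check. The corroboration threshold keeps a single benign driver load or a routine log rotation from paging anyone on its own.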
Resource theft poses a significant threat to businesses, impacting productivity and profitability. The emergence of GHOSTENGINE highlights the ever-present threat posed by cyber adversaries. As organizations navigate an increasingly complex digital landscape, vigilance and adaptability, especially vulnerability patching, are paramount. By understanding the tactics employed by malicious actors and implementing robust security measures, businesses can safeguard their digital assets and ensure continuity in the face of evolving threats.
The sources for this piece include articles in The Hacker News and Bleeping Computer.
The post GHOSTENGINE Exploit: Vulnerable Drivers Facing Attack appeared first on TuxCare.
This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/ghostengine-exploit-vulnerable-drivers-facing-attack/