GhostEngine Malware Drives Cryptomining Campaign REF4578

Experts at Elastic Security Labs and Antiy have uncovered a new cryptocurrency mining campaign codenamed REF4578, wherein the GhostEngine malware exploits vulnerable drivers to disable antivirus programs and deploy the XMRig miner.

Elastic Security Labs and Antiy highlighted the high complexity of the attack. In their reports, the companies shared detection rules to assist defenders in identifying and mitigating such attacks. However, neither report links the activity to known hacker groups or provides details about the victims, leaving the origin and scope of the campaign unknown.

Operation of GhostEngine

REF4578 execution flow

It remains unclear how the attackers initially compromise the servers. However, the attack begins with the execution of a file named Tiworker.exe, which masquerades as a legitimate Windows file. This executable is the first stage in deploying GhostEngine, a PowerShell script designed to download various modules onto the infected device.

Once launched, Tiworker.exe downloads a script named get.png from a C2 server, which serves as the primary loader for GhostEngine. The PowerShell script downloads additional modules and their configurations, disables Windows Defender, enables remote services, and clears various Windows event logs.

The script checks for at least 10 MB of free disk space to proceed with the infection and creates scheduled tasks to ensure the persistence of the threat. The script then downloads and executes an executable file named smartsscreen.exe—the core malware of GhostEngine. This program disables and removes EDR solutions and downloads and launches XMRig for cryptocurrency mining.

To disable security programs, GhostEngine loads two vulnerable drivers: aswArPots.sys (an Avast driver) to terminate EDR processes and IObitUnlockers.sys (an Iobit driver) to delete associated executable files.

Measures to Protect Against GhostEngine

Experts at Elastic recommend that defenders monitor for suspicious PowerShell executions, unusual process activity, and network traffic indicative of cryptocurrency mining pools. The use of vulnerable drivers and the creation of related kernel services should also raise red flags.

A preventive measure is to block the creation of files by vulnerable drivers such as aswArPots.sys and IobitUnlockers.sys. Elastic Security also provided YARA rules in their report to help defenders detect GhostEngine infections.

Although researchers did not find significant amounts associated with the single payment ID they studied, there is a possibility that each affected user has a unique wallet, and the overall financial damage could be substantial.