Malware recently spotted in the wild uses sophisticated measures to disable antivirus protections, destroy evidence of infection, and permanently infect machines with cryptocurrency-mining software, researchers said Tuesday.
Key to making the unusually complex system of malware operate is a function in the main payload, named GhostEngine, that disables Microsoft Defender or any other antivirus or endpoint-protection software that may be running on the targeted computer. It also hides any evidence of compromise. “The first objective of the GhostEngine malware is to incapacitate endpoint security solutions and disable specific Windows event logs, such as Security and System logs, which record process creation and service registration,” said researchers from Elastic Security Labs, who discovered the attacks.
When it first executes, GhostEngine scans machines for any EDR, or endpoint protection and response, software that may be running. If it finds any, it loads drivers known to contain vulnerabilities that allow attackers to gain access to the kernel, the core of all operating systems that’s heavily restricted to prevent tampering. One of the vulnerable drivers is an anti-rootkit file from Avast named aswArPots.sys. GhostEngine uses it to terminate the EDR security agent. A malicious file named smartscreen.exe then uses a driver from IObit named iobitunlockers.sys to delete the security agent binary.
“Once the vulnerable drivers are loaded, detection opportunities decrease significantly, and organizations must find compromised endpoints that stop transmitting logs to their SIEM,” the researchers wrote, using the abbreviation for security information and event management. Their research overlaps with recent findings from Antiy.
Once the EDR has been terminated, smartscreen.exe goes on to download and install XMRig, a legitimate application for mining the monero cryptocurrency that’s often abused by threat actors. A configuration file included causes all coins created to be deposited into an attacker-controlled wallet.
The infection chain starts with the execution of a malicious binary that masquerades as the legitimate Windows file TiWorker.exe. That file runs a PowerShell script that retrieves an obfuscated script, titled get.png, which downloads additional tools, modules, and configurations from an attacker-controlled server. Elastic Security Labs provided the following graphic that illustrates the entire execution flow:
