Drivers Exploited To Deploy GHOSTENGINE Payload

After initial access, the GHOSTENGINE payload is deployed to initiate crypto-mining operations

by Alan J May 22, 2024


Cybersecurity researchers uncovered a sophisticated cryptojacking campaign that leverages vulnerable drivers to disable well-known security solutions, thereby evading detection.

This technique, in which attackers perform privileged actions by exploiting known flaws in signed drivers, is referred to as a Bring Your Own Vulnerable Driver (BYOVD) attack.

Campaign Deploys GHOSTENGINE Payload

Researchers from Elastic Security Labs identified the new cryptojacking campaign and refer to it as REF4578. The campaign uses the GHOSTENGINE core payload to deactivate security tools, complete the initial infection, and execute a crypto-miner. Researchers from Antiy Labs also observed the campaign, referring to it as HIDDEN SHOVEL.

The campaign was found to primarily target servers in China, with significant impacts also reported in Hong Kong, the Netherlands, Japan, the U.S., Germany, South Africa, and Sweden. The exact scope and the identities of the threat actors behind the campaign remain unknown.

The attack begins with the execution of an executable file named “Tiworker.exe,” which masquerades as a legitimate Windows file. This executable runs a PowerShell script that retrieves an obfuscated script called “get.png” from the attacker’s command-and-control (C2) server.

The “get.png” script then attempts several actions, such as disabling Microsoft Defender Antivirus, clearing the Windows System and Security event logs, and creating scheduled tasks for persistence. The script also checks for a minimum of 10 MB of storage space before downloading additional malicious modules, including:

  • aswArPot.sys: A vulnerable Avast driver used to terminate EDR processes.
  • IObitUnlockers.sys: A vulnerable IObit driver used to delete security agent binaries.
  • smartsscreen.exe: The core payload (GHOSTENGINE) responsible for deactivating security processes and executing the XMRig miner.
  • oci.dll: A DLL used for persistence and updating the malware.
  • backup.png: A PowerShell script functioning as a backdoor for remote command execution.
  • kill.png: A PowerShell script designed to inject and load an executable file to delete security agents.

The PowerShell script creates multiple scheduled tasks to ensure persistence:

  • “OneDriveCloudSync” runs a malicious service DLL every 20 minutes.
  • “DefaultBrowserUpdate” runs a batch script every hour.
  • “OneDriveCloudBackup” executes “smartsscreen.exe” every 40 minutes.

Subsequently, the XMRig miner is downloaded and executed to mine cryptocurrency. XMRig is a legitimate, high-performance, open-source application that mines the Monero cryptocurrency and is commonly used by threat actors. A configuration file directs all generated cryptocurrency to an attacker-controlled wallet.

The campaign incorporates several fallback mechanisms to ensure continued operation. If the primary C2 domains are unavailable, it uses backup servers and an FTP-based fallback system. The PowerShell script “kill.png” provides redundancy, with capabilities similar to those of “smartsscreen.exe” for deleting security agent binaries.

The malware also uses a DLL file (“oci.dll”) loaded by a Windows service to maintain additional persistence and download further updates from the C2 server.

Attackers Employ BYOVD Technique To Escalate Privileges and Evade Detection

The drivers exploited in the campaign run at ring 0, the highest level of privilege offered in the operating system, allowing for direct access to critical system resources. The threat actors exploit the Avast driver “aswArPot.sys” to terminate security processes and the IObit driver “IObitUnlockers.sys” to delete security agent binaries.

Because the attack evades Endpoint Detection and Response (EDR) systems, security teams defending against this campaign should monitor for unusual PowerShell execution, suspicious process activity, and network traffic to the identified crypto-mining pools.

The researchers have provided YARA rules to help identify GHOSTENGINE infections. Additionally, organizations should consider blocking the creation of files by vulnerable drivers such as “aswArPot.sys” and “IObitUnlockers.sys.”
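The file, driver and scheduled-task names listed above can be turned into a first-pass triage check over Windows telemetry. The sketch below is an added example, not code from the researchers: it assumes events have already been exported as simplified dictionaries (Sysmon IDs 1, 6 and 11; Security IDs 4698 and 1102; System ID 104), and the hosts, paths and sample events are constructed.

```python
import ntpath

# Names taken from the article; compared case-insensitively.
DRIVERS = {"aswarpot.sys", "iobitunlockers.sys"}
TASKS = {"onedrivecloudsync", "defaultbrowserupdate", "onedrivecloudbackup"}
PAYLOADS = {"smartsscreen.exe", "oci.dll"}
LOG_CLEARED = {("Security", 1102), ("System", 104)}  # event log cleared

def base(path):
    """Lower-cased last component of a Windows path ('' if the field is missing)."""
    return ntpath.basename(path or "").lower()

def classify(ev):
    """Return a finding label for one simplified event dict, or None."""
    chan, eid = ev.get("channel"), ev.get("id")
    if (chan, eid) in LOG_CLEARED:
        return "event-log-cleared"
    if chan == "Security" and eid == 4698:      # scheduled task created
        return "ghostengine-task" if base(ev.get("TaskName")) in TASKS else None
    if chan == "Sysmon" and eid == 6:           # driver loaded
        return "byovd-driver-load" if base(ev.get("ImageLoaded")) in DRIVERS else None
    if chan == "Sysmon" and eid == 11:          # file created
        name = base(ev.get("TargetFilename"))
        return "dropped-component" if name in DRIVERS | PAYLOADS else None
    if chan == "Sysmon" and eid == 1:           # process created
        if base(ev.get("Image")) == "smartsscreen.exe":
            return "ghostengine-process"
        if (base(ev.get("ParentImage")) == "tiworker.exe"
                and base(ev.get("Image")) == "powershell.exe"):
            return "tiworker-spawned-powershell"
    return None

def hunt(events):
    """Map host -> sorted list of distinct finding labels."""
    hits = {}
    for ev in events:
        label = classify(ev)
        if label:
            hits.setdefault(ev.get("host", "?"), set()).add(label)
    return {host: sorted(labels) for host, labels in hits.items()}

# Constructed sample events (hosts and paths are placeholders, not campaign data).
SAMPLE = [
    {"host": "srv01", "channel": "Sysmon", "id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Temp\Tiworker.exe"},
    {"host": "srv01", "channel": "Security", "id": 1102},
    {"host": "srv01", "channel": "Sysmon", "id": 11, "TargetFilename": r"C:\Temp\aswArPot.sys"},
    {"host": "srv01", "channel": "Sysmon", "id": 6, "ImageLoaded": r"C:\Temp\aswArPot.sys"},
    {"host": "srv01", "channel": "Security", "id": 4698, "TaskName": r"\OneDriveCloudSync"},
    {"host": "ws02", "channel": "Security", "id": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
]
```

Each label is a triage lead rather than a verdict: both drivers are legitimately signed, so a driver-load hit on a host that actually runs the Avast or IObit product needs the other findings for context.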

The advanced level of sophistication demonstrated in the REF4578/HIDDEN SHOVEL cryptojacking campaign makes it a cause for concern and demands urgent remediation.

