
GhostEngine Malware: Disabling Antivirus and Installing Crypto Miners

Researchers recently discovered sophisticated malware, named GhostEngine, that disables antivirus protections, destroys evidence of infection, and installs cryptocurrency-mining software. GhostEngine’s main function is to disable Microsoft Defender and other endpoint protection software on targeted computers. It also hides evidence of compromise by neutralising endpoint security products and disabling specific Windows event logs.

Upon execution, GhostEngine scans for any endpoint detection and response (EDR) software. If found, it exploits vulnerable drivers to gain kernel-level access. One such driver is Avast’s anti-rootkit file aswArPots.sys, which is used to terminate the EDR security agent. A malicious file named smartscreen.exe then uses another vulnerable driver, iobitunlockers.sys, to delete the security agent binary.

Once EDR is disabled, smartscreen.exe downloads and installs XMRig, a legitimate Monero-mining application, configured to deposit mined coins into an attacker-controlled wallet. The infection chain begins with a malicious binary masquerading as the legitimate Windows file TiWorker.exe. This file runs a PowerShell script that retrieves and executes additional tools from an attacker-controlled server. GhostEngine also creates scheduled tasks to maintain persistence, ensuring it loads each time the infected machine restarts.


A separate component, a PowerShell script titled backup.png, acts as a backdoor, allowing remote command execution on the infected machine. The script continuously exchanges encoded commands and results with the attacker’s server.

The researchers identified the configuration file used by the malware to set up XMRig, revealing a payment ID for tracking mined coins. The ID showed the attackers had netted only around $60, but other infected machines could have generated more.

Given GhostEngine’s ability to disable various EDR protections, administrators must use alternative methods to detect infections. Researchers released YARA rules to identify GhostEngine infections and provided a list of file hashes, IP addresses, and domain names indicating targeting or infection.
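As an added example of such an alternative check (not the researchers’ tooling and not their published YARA rules), the PowerShell triage script below looks for the indicators the article names on a single host: the two vulnerable drivers, TiWorker.exe and smartscreen.exe running outside their normal locations, scheduled tasks that launch them or the backup.png script, and Defender or event logs that have been switched off. The driver and file names come from the article; the "expected" Windows paths and the specific event logs checked are assumptions.

```powershell
# Added triage script; file and driver names are those reported for GhostEngine,
# the "expected" Windows paths and the event logs checked are assumptions.
$suspectDrivers = @('aswArPots.sys', 'iobitunlockers.sys')
$suspectImages  = @('TiWorker.exe', 'smartscreen.exe')
$legitPath      = '^[A-Za-z]:\\Windows\\(System32|WinSxS)\\'   # assumed legitimate locations
$logsToCheck    = @('Security', 'Microsoft-Windows-Windows Defender/Operational')  # assumed
$findings = New-Object System.Collections.Generic.List[string]

# 1. Kernel-access stage: a vulnerable third-party driver registered as a kernel service
Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName } | ForEach-Object {
    $leaf = Split-Path -Leaf ($_.PathName -replace '"', '')
    if ($suspectDrivers -contains $leaf) {
        $findings.Add("driver service '$($_.Name)' loads $leaf ($($_.State)) from $($_.PathName)")
    }
}

# 2. Masquerading binaries: the right name running from the wrong directory
Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path } | ForEach-Object {
    if ($suspectImages -contains (Split-Path -Leaf $_.Path) -and $_.Path -notmatch $legitPath) {
        $findings.Add("process $($_.Id) runs $(Split-Path -Leaf $_.Path) from $($_.Path)")
    }
}

# 3. Persistence: scheduled tasks whose action launches a suspect image or the backup.png script
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # skip non-exec (COM handler) actions
        $exe = Split-Path -Leaf ($action.Execute -replace '"', '')
        if (($suspectImages -contains $exe -and $action.Execute -notmatch $legitPath) -or
            "$($action.Execute) $($action.Arguments)" -match 'backup\.png') {
            $findings.Add("task '$($task.TaskPath)$($task.TaskName)' runs $($action.Execute) $($action.Arguments)")
        }
    }
}

# 4. Defender state and event logs the malware is reported to switch off
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp -and -not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is off') }
foreach ($log in $logsToCheck) {
    $cfg = Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue
    if ($cfg -and -not $cfg.IsEnabled) { $findings.Add("event log '$log' is disabled") }
}

if ($findings.Count -eq 0) { Write-Output 'No GhostEngine indicators found' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it from an elevated PowerShell session, since process paths and driver details for other users’ processes are only visible to administrators; a match on any item is a reason to pull the host for full forensic review, not a verdict on its own.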
