GHOSTENGINE Malware Exploits Vulnerable drivers To Terminate EDR Agents

by Esmeralda McKenzie

GHOSTENGINE Malware Terminates EDR Agents That Intrude In Their Route of

Researchers have identified REF4578, an intrusion set that uses vulnerable drivers to disable known security solutions (EDRs) for crypto mining and deploys a malicious payload known as GHOSTENGINE.

GHOSTENGINE is responsible for retrieving and executing the system's modules. To download files from a configured domain, it primarily uses HTTP, with a backup IP address in case the domain is unavailable. It also uses FTP as a fallback protocol, with embedded credentials.


This campaign required an unusual level of complexity to ensure that the XMRIG miner could be installed and remain persistent.

REF4578 Execution Flow

Elastic Security Labs reports that the REF4578 intrusion began on May 6, 2024, with the execution of a PE file named Tiworker.exe that was posing as the legitimate Windows TiWorker.exe file.

The telemetry recorded the following alerts, which suggested that a known vulnerable driver had been used.

[Figure: REF4578 Execution Flow]

When executed, this file downloads and runs a PowerShell script that manages the intrusion's entire execution flow.

According to the analysis, this program executes a hardcoded PowerShell command line to retrieve an obfuscated script named get.png. This script is then used to download further tools, modules, and configurations from the attacker's C2.

The PowerShell script attempts to disable Windows Defender, enable remote services, and clear the Windows event log channels.

[Figure: get.png disabling Windows Defender and enabling remote services]

Next, to establish persistence, get.png creates the OneDriveCloudSync, DefaultBrowserUpdate, and OneDriveCloudBackup scheduled tasks, all running as SYSTEM.
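A hunt for this persistence step on a host that may already be compromised starts from an export of the scheduled tasks. The following Python script is an added example, not code from the article or from Elastic Security Labs: it parses a constructed sample shaped like `schtasks /query /fo CSV /v` output (column subset only; the file names in the task actions are placeholders) and flags tasks that either carry the three task names named above or run as SYSTEM from a location outside the directories where SYSTEM tasks normally originate.

```python
import csv
import io

# Scheduled-task names the report attributes to the get.png persistence step.
KNOWN_TASK_NAMES = {"OneDriveCloudSync", "DefaultBrowserUpdate", "OneDriveCloudBackup"}

# Directories from which a task running as SYSTEM is normally expected to launch.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample resembling `schtasks /query /fo CSV /v` output (not a real export;
# column subset only, and the script/file names inside the actions are placeholders).
SAMPLE_CSV = r"""HostName,TaskName,Run As User,Task To Run,Author
WS01,\OneDriveCloudSync,SYSTEM,powershell.exe -w hidden -ep bypass -File C:\ProgramData\stage.ps1,WS01\user
WS01,\Microsoft\Windows\Defrag\ScheduledDefrag,SYSTEM,%windir%\system32\defrag.exe -c -h -k -g,Microsoft Corporation
WS01,\DefaultBrowserUpdate,SYSTEM,C:\ProgramData\updater\smartscreen.exe,WS01\user
WS01,\UserBackup,WS01\user,C:\Users\user\backup.bat,WS01\user
"""


def normalize_action(action):
    """Lower-case the action and expand the environment variables schtasks leaves unexpanded."""
    action = action.strip().lower()
    for var in ("%windir%", "%systemroot%"):
        action = action.replace(var, "c:\\windows")
    return action


def flag_tasks(csv_text):
    """Return [(task_name, [reasons])] for every task matching the persistence pattern."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["TaskName"].lstrip("\\")
        run_as = row["Run As User"].strip().upper()
        action = normalize_action(row["Task To Run"])
        reasons = []
        if name in KNOWN_TASK_NAMES:
            reasons.append("task name matches GHOSTENGINE persistence tasks")
        # A bare image name (resolved via PATH) or an action outside the trusted
        # directories, combined with SYSTEM, is what the get.png tasks look like.
        if run_as == "SYSTEM" and not action.startswith(TRUSTED_PREFIXES):
            reasons.append("SYSTEM task launches an action outside trusted directories")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for task, reasons in flag_tasks(SAMPLE_CSV):
        print(task, "->", "; ".join(reasons))
```

Run against the sample, the two GHOSTENGINE task names are reported with both reasons, the Microsoft defrag task is skipped because its action expands to a path under C:\Windows, and the user-context backup task is ignored because it does not run as SYSTEM. Renaming the tasks would defeat the first rule, which is why the path-based rule is kept independent of the name list.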

GHOSTENGINE installs a number of modules that check for software updates, interact with security tools, and include a backdoor.

The main function of the smartscreen.exe module is to terminate any running EDR agent processes before downloading and setting up a cryptocurrency miner.

"The ultimate objective of the REF4578 intrusion set was to gain access to an environment and deploy a persistent Monero crypto miner, XMRig", the researchers said.

Recommendation

Therefore, it is imperative that the following early actions be detected and prevented first:

  • Suspicious PowerShell execution
  • Execution from unusual directories
  • Elevating privileges to system integrity
  • Deploying vulnerable drivers and installing the associated kernel-mode services.
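The four signals above can be expressed as simple rules over process-creation, service-install and driver-load telemetry. The script below is an added example, not code from the article or from Elastic Security Labs: it runs those rules over a constructed set of events in a simplified Sysmon/Security-log shape. The Tiworker.exe-from-Temp, hidden PowerShell, SYSTEM-from-user-context and smartscreen.exe details follow the article; the driver file name and the service name are placeholders, not the driver used in REF4578.

```python
import ntpath
from collections import Counter

# Constructed sample events in a simplified Sysmon/Security-log shape. The driver and
# service names are placeholders; the rest mirrors the behaviour described in the article.
EVENTS = [
    {"id": "ProcessCreate", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "user": r"NT AUTHORITY\SYSTEM",
     "parent_user": r"NT AUTHORITY\SYSTEM"},
    {"id": "ProcessCreate", "image": r"C:\Users\user\AppData\Local\Temp\Tiworker.exe",
     "cmdline": "Tiworker.exe", "user": r"WS01\user", "parent_user": r"WS01\user"},
    {"id": "ProcessCreate", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc SQBFAFgA", "user": r"NT AUTHORITY\SYSTEM",
     "parent_user": r"WS01\user"},
    {"id": "ServiceInstall", "service": "PlaceholderDrv", "type": "kernel mode driver",
     "path": r"C:\ProgramData\placeholder_vulnerable.sys"},
    {"id": "DriverLoad", "path": r"C:\ProgramData\placeholder_vulnerable.sys", "signature": "PlaceholderVendor"},
    {"id": "DriverLoad", "path": r"C:\Windows\System32\drivers\tcpip.sys", "signature": "Microsoft Windows"},
]

# Directory fragments that rarely host legitimate first-stage executables.
UNUSUAL_DIRS = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
# Windows binary names the article says were impersonated or reused as module names.
WINDOWS_BINARIES = {"tiworker.exe", "smartscreen.exe", "svchost.exe"}
# PowerShell switches and cmdlets typical of hidden, staged download-and-execute scripts.
PS_FLAGS = ("-enc", "-w hidden", "-windowstyle hidden", "-ep bypass", "-executionpolicy bypass",
            "iex", "downloadstring")
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def is_system(user):
    return user.upper().endswith("\\SYSTEM")


def triage(events):
    """Return [(rule_name, detail)] for every event matching one of the early signals."""
    findings = []
    for ev in events:
        if ev["id"] == "ProcessCreate":
            image = ev["image"].lower()
            base = ntpath.basename(image)
            cmd = ev["cmdline"].lower()
            if base in ("powershell.exe", "pwsh.exe") and any(f in cmd for f in PS_FLAGS):
                findings.append(("suspicious_powershell", ev["cmdline"]))
            if any(d in image for d in UNUSUAL_DIRS):
                findings.append(("unusual_directory", ev["image"]))
            if base in WINDOWS_BINARIES and not image.startswith("c:\\windows\\"):
                findings.append(("windows_binary_masquerade", ev["image"]))
            # A SYSTEM process spawned from a user-context parent is the elevation signal.
            if is_system(ev["user"]) and not is_system(ev["parent_user"]):
                findings.append(("privilege_elevation", f'{ev["parent_user"]} -> {ev["user"]}'))
        elif ev["id"] == "ServiceInstall":
            # A kernel-mode service whose image sits outside the drivers directory is how
            # a dropped vulnerable driver gets registered before it is loaded.
            if ev["type"] == "kernel mode driver" and not ev["path"].lower().startswith(DRIVER_DIR):
                findings.append(("kernel_driver_service", ev["path"]))
        elif ev["id"] == "DriverLoad":
            # A production rule would also compare the file hash against a vulnerable-driver
            # blocklist; no hashes are included in this example.
            if not ev["path"].lower().startswith(DRIVER_DIR):
                findings.append(("driver_load_unusual_path", ev["path"]))
    return findings


def summarize(findings):
    """Count findings per rule, which is the first thing an analyst pivots on."""
    return Counter(rule for rule, _ in findings)


if __name__ == "__main__":
    found = triage(EVENTS)
    for rule, detail in found:
        print(f"{rule:28} {detail}")
    print(dict(summarize(found)))
```

On the sample, the svchost.exe and tcpip.sys events produce nothing, while the Tiworker.exe copy in Temp, the hidden PowerShell launched as SYSTEM from a user-context parent, and the kernel-mode service plus driver load from ProgramData each trigger one rule. Matching on a path prefix is deliberately coarse; in a real pipeline the driver-load rule is where a hash-based vulnerable-driver blocklist belongs.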

Source credit : cybersecuritynews.com
