GhostEngine mining attacks kill EDR security using vulnerable drivers

21-May-24


The article describes a sophisticated crypto-mining campaign, tracked as ‘REF4578’, that delivers a malicious payload called GhostEngine. The campaign exploits vulnerable drivers to disable security products and then deploys an XMRig miner. While the origin and scope of the campaign remain unknown, researchers from Elastic Security Labs and Antiy provide detection rules to help stop it. GhostEngine starts with a file named ‘Tiworker.exe’, which masquerades as a legitimate Windows file and initiates the attack: it downloads further modules, disables Windows Defender, and enables remote services. The malware terminates EDR software using vulnerable kernel drivers and persists through scheduled tasks and DLL injection. Defenders are advised to watch for suspicious PowerShell activity, unusual process behavior, and network traffic to crypto-mining pools, and to block file creation from vulnerable drivers. Elastic Security offers YARA rules for identifying GhostEngine infections.
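The detection advice above (masquerading Tiworker.exe, suspicious PowerShell, Defender tampering, scheduled-task persistence, traffic to mining pools) can be turned into simple rules over process and network telemetry. The following is an added example written for this summary; it is not code from the article, from Elastic Security Labs, or from Antiy. The sample events are constructed, the mining-pool port and host watchlist is a placeholder a SOC would fill from its own intelligence, and the `Set-MpPreference` check covers one common way of disabling Defender real-time protection, since the summary does not say which method GhostEngine uses. The only fact relied on beyond the summary is that the legitimate TiWorker.exe is installed under the Windows WinSxS component store.

```python
import re
from dataclasses import dataclass

# The real TiWorker.exe is installed under the WinSxS component store; the
# exact component directory name varies, so it is matched as a wildcard.
LEGIT_TIWORKER = re.compile(r"^c:\\windows\\winsxs\\[^\\]+\\tiworker\.exe$", re.IGNORECASE)

# Assumption: a watchlist a SOC would maintain from its own threat intel.
# These values are constructed placeholders, not indicators from the article.
MINING_POOL_PORTS = {3333, 4444, 5555, 14444}
MINING_POOL_HOSTS = {"pool.mining-placeholder.invalid"}


@dataclass
class Event:
    kind: str            # "process" (process creation) or "network" (outbound connect)
    image: str           # full path of the process image
    cmdline: str = ""    # command line, process events only
    dest_host: str = ""  # network events only
    dest_port: int = 0   # network events only


def detect(ev: Event) -> list[str]:
    """Return the list of GhostEngine-style findings for one event."""
    findings: list[str] = []
    name = ev.image.rsplit("\\", 1)[-1].lower()
    cl = ev.cmdline.lower()

    if ev.kind == "process":
        # Masquerading: the file name is legitimate, the location is not.
        if name == "tiworker.exe" and not LEGIT_TIWORKER.match(ev.image):
            findings.append("tiworker_outside_winsxs")
        # Suspicious PowerShell: hidden window or encoded command.
        if name in ("powershell.exe", "pwsh.exe"):
            if re.search(r"-(enc|encodedcommand|e)\b", cl) or re.search(r"-w(indowstyle)?\s+hidden", cl):
                findings.append("powershell_hidden_or_encoded")
            # Defender tampering via Set-MpPreference (one common method;
            # the summary does not say which method GhostEngine uses).
            if "set-mppreference" in cl and "disablerealtimemonitoring" in cl:
                findings.append("defender_realtime_disabled")
        # Persistence via scheduled task creation.
        if name == "schtasks.exe" and "/create" in cl:
            findings.append("scheduled_task_created")
    elif ev.kind == "network":
        if ev.dest_port in MINING_POOL_PORTS or ev.dest_host.lower() in MINING_POOL_HOSTS:
            findings.append("mining_pool_connection")
    return findings


# Constructed sample telemetry (not real events) exercising each rule.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_placeholder\TiWorker.exe"),
    Event("process", r"C:\Users\Public\Tiworker.exe"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline="powershell.exe -w hidden -enc SQBFAFgA"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline="powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    Event("process", r"C:\Windows\System32\schtasks.exe",
          cmdline='schtasks.exe /create /tn "Updater" /tr C:\\Users\\Public\\Tiworker.exe'),
    Event("network", r"C:\Users\Public\Tiworker.exe",
          dest_host="pool.mining-placeholder.invalid", dest_port=3333),
]


def run_samples() -> list[tuple[str, list[str]]]:
    """Run every rule over the constructed events; the first event is clean."""
    return [(ev.image, detect(ev)) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for image, hits in run_samples():
        print(image, "->", hits or "clean")
```

Each rule maps to one behaviour the summary names, so a hit on several rules for the same host (a misplaced Tiworker.exe that then creates a scheduled task and connects to a pool) is a much stronger signal than any single rule, and the port watchlist alone will produce false positives on legitimate services that happen to use those ports.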
