The threat actor's attack begins with the execution of a program called "Tiworker.exe", which poses as a genuine Windows file. It is unknown how servers were originally compromised. This executable is GhostEngine's initial staging payload. GhostEngine is a PowerShell script that downloads modules to an infected device to perform various actions.

GhostEngine's main loader, the attacker's command, and control (C2) server, is where Tiworker.exe downloads the PowerShell script 'get.png' when it is run. This PowerShell script turns off Windows Defender, activates remote services, downloads more modules and their configurations, and cleans up a bunch of Windows event logs.

The next step involves get.png confirming that the system has 10MB of free space, which is required for the infection to spread, and creating three scheduled tasks called 'OneDriveCloudSync,' 'DefaultBrowserUpdate,' and 'OneDriveCloudBackup,' for persistence. The main payload for GhostEngine will now be downloaded and launched by the PowerShell script under the name smartsscreen.exe.

This malware is in charge of downloading and starting the XMRig cryptomining program, as well as stopping and uninstalling the EDR software. GhostEngine installs two vulnerable kernel drivers to stop EDR software; IObitUnlockers.sys (an Iobit driver) to remove the related executable, and aswArPots.sys (an Avast driver) to stop EDR processes.

Windows service 'msdtc' loads a DLL called 'oci.dll' for persistence. Upon launch, this DLL will obtain a new copy of 'get.png' to install GhostEngine's most recent version on the system. The overall financial advantage could be substantial even if the researchers haven't seen any striking numbers from the single payment ID they looked at. Each victim likely has a unique wallet.

Researchers advise defenders to keep an eye out for network data pointing to cryptocurrency-mining pools, suspicious process activity, and unusual PowerShell execution. In any system, the deployment of vulnerable drivers and the creation of associated kernel mode services should also be regarded as warning signs. Blocking file creation from susceptible drivers such as aswArPots.sys and IobitUnlockers.sys is a proactive approach.

Impact

• Security Bypass
• Cryptocurrency Theft
• Financial Loss

Indicators of Compromise

SHA1

• 125982676af23e93fa58b31ef1bdb93725cb91c3
• d6dfce664ee28cdcf143da2ec71d2a0ff18c1280
• 1c552f0ade7213e81c3aeb581faab24061f03485
• 41fce204948df6af1fe2f3f6dec02086678eab3b
• 993323c62dab609fd1d8f5876f604d9da861fb35
• 9a77e7e641f1336b4b6fbe0dadb54ea4356212f1
• 8de84714fe4e0fc52c3ff988653b9c69e5753cb2
• 792d5430ef2c60088fbc388714eb4aff63f5f593
• 4b851160b5f87dee9c526e36c0d7e0a28c6de0a9

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Ensure all operating systems and software are up to date with the latest security patches.
• Employ reliable antivirus and antimalware software to detect and block known threats.
• Regularly update these tools to maintain the latest threat intelligence.
• Implement IDPS to detect and prevent unusual network activity, system behavior, or similar threats.
• Enable two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
• Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
• Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
• Use email filtering solutions to block malicious attachments and links that may deliver malware to users via phishing emails.
• Segment your network to limit lateral movement for attackers.
• Employ application whitelisting to only allow approved software to run on systems, reducing the risk of unauthorized applications being executed.
• Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to quickly respond to and mitigate any potential breaches.
• Make sure all of your software, including your operating system and applications, is up-to-date with the latest security patches. This can help prevent vulnerabilities that could be exploited by info-stealers and other types of malware.