Security experts have uncovered a malicious crypto mining campaign dubbed 'REF4578,' deploying a payload called GhostEngine that uses vulnerable drivers to disable security products and then deploys an XMRig miner. Researchers from Elastic Security Labs and Antiy have highlighted the campaign's uncommon sophistication in separate reports, offering detection rules for defenders. However, the reports do not attribute the activity to known threat actors or share details about targets or victims, leaving the campaign's origin and scope unknown.

The attack begins with the execution of 'Tiworker.exe,' masquerading as a legitimate Windows file. This serves as the initial payload for GhostEngine, a PowerShell script that downloads various modules to perform diverse actions on infected devices. 'Tiworker.exe' downloads a PowerShell script named 'get.png' from the attacker's C2 server, which acts as GhostEngine's primary loader. The script disables Windows Defender, enables remote services, and clears event logs, then verifies available disk space and establishes scheduled tasks for persistence.

Next, the script downloads and launches 'smartsscreen.exe,' GhostEngine's primary payload, responsible for terminating EDR software and initiating XMRig for cryptocurrency mining. GhostEngine loads two vulnerable kernel drivers, 'aswArPots.sys' and 'IObitUnlockers.sys,' to terminate EDR processes and delete the associated executables, respectively. Additionally, a DLL named 'oci.dll' ensures persistence by downloading a fresh copy of GhostEngine.

While initial financial gains seem modest, the potential overall profit could be significant if each victim has a unique wallet. Elastic researchers advise defenders to monitor suspicious PowerShell execution, unusual process activity, and network traffic indicating crypto-mining pools. Blocking file creation from vulnerable drivers and associated kernel mode services is recommended, with Elastic Security providing YARA rules for detection.
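The monitoring advice above can be turned into a small detector that replays constructed Sysmon-style events and flags each stage of the chain described in the article (a masqueraded Tiworker.exe, the get.png PowerShell loader, event-log clearing, loading of the two named drivers, and connections to mining-pool ports). This is an added example, not code or rules from the Elastic or Antiy reports; the event field names, file paths and pool port list are assumptions.

```python
# Added example, not from the Elastic/Antiy reports: replays constructed
# Sysmon-style events and flags the GhostEngine behaviours described above.
# Field names, paths and pool ports are assumptions, not vendor detection content.
VULN_DRIVERS = {"aswarpots.sys", "iobitunlockers.sys"}  # named in the article
STRATUM_PORTS = {3333, 4444, 5555, 14444}  # common XMRig pool ports (assumed)

def fake_tiworker(ev):
    # The real TiWorker.exe lives under C:\Windows; elsewhere is a masquerade.
    img = ev.get("Image", "").lower()
    return img.endswith("tiworker.exe") and not img.startswith("c:\\windows\\")
def loader_powershell(ev):
    cmd = ev.get("CommandLine", "").lower()
    return "powershell" in ev.get("Image", "").lower() and (
        "get.png" in cmd or "-executionpolicy bypass" in cmd)
def log_clearing(ev):
    toks = ev.get("CommandLine", "").lower().split()
    return "wevtutil" in ev.get("Image", "").lower() and "cl" in toks
def vuln_driver_load(ev):
    return ev.get("ImageLoaded", "").lower().rsplit("\\", 1)[-1] in VULN_DRIVERS
def pool_connection(ev):
    return ev.get("DestinationPort") in STRATUM_PORTS

# (Sysmon event id, rule name, predicate): 1=process create, 3=network, 6=driver load
RULES = [
    (1, "masqueraded Tiworker.exe", fake_tiworker),
    (1, "GhostEngine PowerShell loader", loader_powershell),
    (1, "event log clearing", log_clearing),
    (6, "vulnerable driver loaded", vuln_driver_load),
    (3, "connection to mining pool port", pool_connection),
]

def detect(events):
    """Return [(rule name, ProcessId)] for every event that matches a rule."""
    return [(name, ev.get("ProcessId"))
            for ev in events
            for eid, name, pred in RULES
            if ev.get("EventID") == eid and pred(ev)]

# Constructed sample telemetry, not real IoCs; the last record is the genuine
# TiWorker.exe under WinSxS and must not fire.
SAMPLE = [
    {"EventID": 1, "ProcessId": 101, "Image": "C:\\Users\\Public\\Tiworker.exe"},
    {"EventID": 1, "ProcessId": 102, "Image": "C:\\Windows\\System32\\powershell.exe",
     "CommandLine": "powershell -ExecutionPolicy Bypass -File get.png"},
    {"EventID": 1, "ProcessId": 103, "Image": "C:\\Windows\\System32\\wevtutil.exe",
     "CommandLine": "wevtutil cl Security"},
    {"EventID": 6, "ProcessId": 4, "ImageLoaded": "C:\\Windows\\Temp\\aswArPots.sys"},
    {"EventID": 3, "ProcessId": 104, "DestinationPort": 3333},
    {"EventID": 1, "ProcessId": 105, "Image": "C:\\Windows\\WinSxS\\x\\TiWorker.exe"},
]
```

Calling detect(SAMPLE) returns five (rule, process id) pairs, one per malicious record, and nothing for the genuine TiWorker.exe; in practice the predicates would be fed from a Sysmon or EDR export rather than the inline list.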