Beware the Ghost in the Machine: Cyber Crooks Unleash GHOSTENGINE in Stealthy Cryptojacking Siege

Beware the GHOSTENGINE: Cyber sleuths unearth a spooky cryptojacking specter, exploiting BYOVD tactics to ghost EDRs and mine with ghoulish glee.

Hot Take:

Who knew cryptojacking could come with such a side of sophisticated malice? The new REF4578 campaign, starring GHOSTENGINE, is like Ocean’s Eleven meets IT department – criminally clever and technically tenacious. They’re bringing their own vulnerable drivers to the malware party, and security solutions are on the uninvited list. It’s the kind of plot twist that makes you wish you’d paid more attention in those computer science classes – or at least updated your antivirus software. 🕵️‍♂️💻

Key Points:

  • REF4578, a BYOVD (bring-your-own-vulnerable-driver) attack, employs vulnerable drivers to disable pesky EDRs, ensuring the XMRig miner’s uninterrupted operation.
  • The campaign is so committed to mining that it ensures there’s at least 10 MB of free space – talk about dedication!
  • Malware masquerading as PNG images? The Trojan horse has gone digital, and it’s sneakier than ever.
  • GHOSTENGINE is the main act, using the Avast driver’s vulnerability as its stage to shut down security processes.
  • The attackers have backup plans for their backup plans – redundancy is clearly their middle name.

Need to know more?

Malware in Disguise: A PNG's Worth a Thousand Scripts

Picture this: an executable file kicks off a whole domino effect, leading to scripts hiding as PNG images, which then call in reinforcements from a C2 server. It's like a Scooby-Doo villain's mask trick, but instead of a haunted amusement park, we're talking about your computer's innards. And instead of Scooby Snacks, we’re dealing with cryptocurrency mining. Ruh-roh!
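A defender's first check against the "script wearing a PNG mask" trick is simply to ask whether a file named `.png` actually begins with the PNG file signature. The following is an added example, not code from the original post or from the campaign write-up; the file names echo the post (backup.png, kill.png) but every byte of content below is constructed for illustration.

```python
# Added example (not from the original post): flag files that carry a .png
# extension but do not start with the PNG signature. All sample bytes are
# constructed here; none are real campaign artefacts.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"   # the fixed 8-byte PNG header


def has_png_signature(data: bytes) -> bool:
    """True if the first eight bytes are the PNG file signature."""
    return data[:8] == PNG_SIGNATURE


def looks_like_script(data: bytes) -> bool:
    """Cheap heuristic: text that decodes as UTF-8 and contains no NUL
    bytes is far more likely to be a script than an image."""
    if not data or b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def classify_png_named_file(name: str, data: bytes) -> str:
    """Return 'png', 'masquerade-script', 'masquerade-other' or 'not-png-name'."""
    if not name.lower().endswith(".png"):
        return "not-png-name"
    if has_png_signature(data):
        return "png"
    return "masquerade-script" if looks_like_script(data) else "masquerade-other"


# Constructed samples: one genuine-looking PNG header, two text files wearing
# a .png name, one non-PNG name, and one binary blob wearing a .png name.
SAMPLES = {
    "photo.png": PNG_SIGNATURE + b"\x00\x00\x00\rIHDR" + b"\x00" * 13,
    "backup.png": b"Write-Host 'constructed sample script body'\r\n",
    "kill.png": b"$x = 1\r\n",
    "notes.txt": b"hello",
    "blob.png": b"\xff\xfe\x00\x01" + bytes(range(256)),
}


def scan(samples: dict) -> dict:
    """Classify every (name, bytes) pair and return name -> verdict."""
    return {name: classify_png_named_file(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:12s} -> {verdict}")
```

In practice you would run `classify_png_named_file` over files written to unusual locations (the post's Windows Fonts folder is one) and alert on any `masquerade-*` verdict; the signature check is cheap enough to apply to every new file an EDR sees.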

The Art of Digital Hoarding

These malware maestros are quite the digital hoarders, stashing their ill-gotten files in the Windows Fonts folder like grandma hiding cash in the cookie jar. And if your C drive is feeling bloated, this campaign will put it on a crash diet, deleting files until there's enough room to party. It's like Marie Kondo for your hard drive, but with more malicious intent and less folding.

Task Scheduler Shenanigans

Ever wish you were more organized? Well, this malware has got you beat with scheduled tasks up the wazoo. It’s like having a really twisted personal assistant who schedules your computer for regular infections. "Don't forget, you've got a malicious DLL appointment every 20 minutes!" Gee, thanks?

Driver's Ed: Malware Edition

Who knew drivers could be so much more than a boring computer thingy? GHOSTENGINE is here to teach us all that drivers can be the life of the malware party – especially when they're as vulnerable as an open bar. And just when you think you've seen it all, another driver from IObit swoops in to delete the evidence like a mob cleaner. It's a regular Bonnie and Clyde of drivers on the loose.
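The three behaviours just described (executables stashed in the Windows Fonts folder, a scheduled task firing a DLL every 20 minutes, and a driver from a vendor whose drivers are known to be abused) are each noisy on their own but telling in combination. Below is an added hunting example, not code from the original post or from any vendor's product: it scores constructed endpoint telemetry records against those three heuristics and escalates hosts that trip more than one. The `Event` schema, field names, the vendor watch list and every sample value are assumptions for illustration.

```python
# Added example (not from the original post): triage constructed endpoint
# telemetry for the behaviours the post describes. Event schema, field names
# and sample values are assumptions made for this illustration.
from dataclasses import dataclass, field

FONTS_DIR = r"c:\windows\fonts"
DRIVERS_DIR = r"c:\windows\system32\drivers"
EXEC_EXTENSIONS = (".exe", ".dll", ".ps1", ".bat", ".vbs")


@dataclass
class Event:
    kind: str                  # "file_write", "task_create" or "driver_load"
    host: str
    details: dict = field(default_factory=dict)


def file_write_findings(ev: Event) -> list:
    """Executable content dropped under the Fonts folder."""
    path = ev.details.get("path", "").lower()
    if path.startswith(FONTS_DIR) and path.endswith(EXEC_EXTENSIONS):
        return ["executable written under Windows Fonts folder"]
    return []


def task_create_findings(ev: Event) -> list:
    """Short-interval scheduled task that launches a DLL or Fonts-folder content."""
    out = []
    cmd = ev.details.get("command", "").lower()
    interval = ev.details.get("repeat_minutes")
    if interval is not None and interval <= 20 and ".dll" in cmd:
        out.append(f"scheduled task runs a DLL every {interval} min")
    if FONTS_DIR in cmd:
        out.append("scheduled task launches content from Fonts folder")
    return out


def driver_load_findings(ev: Event, watch_listed_signers) -> list:
    """Driver from a watch-listed vendor, or loaded from outside the drivers dir."""
    signer = ev.details.get("signer", "").lower()
    path = ev.details.get("path", "").lower()
    out = []
    if any(v in signer for v in watch_listed_signers):
        out.append(f"driver signed by watch-listed vendor loaded: {path}")
    if not path.startswith(DRIVERS_DIR):
        out.append(f"driver loaded from non-standard location: {path}")
    return out


def triage(events, watch_listed_signers=("avast", "iobit")) -> dict:
    """Return host -> list of findings. The vendor list is illustrative only;
    a real hunt keys on known-vulnerable driver hashes, not vendor names."""
    findings = {}
    for ev in events:
        if ev.kind == "file_write":
            hits = file_write_findings(ev)
        elif ev.kind == "task_create":
            hits = task_create_findings(ev)
        elif ev.kind == "driver_load":
            hits = driver_load_findings(ev, watch_listed_signers)
        else:
            hits = []
        if hits:
            findings.setdefault(ev.host, []).extend(hits)
    return findings


def hosts_to_escalate(findings: dict, min_findings: int = 2) -> list:
    """Hosts with at least min_findings hits: one hit is noise, several is a case."""
    return sorted(h for h, hits in findings.items() if len(hits) >= min_findings)


# Constructed telemetry: ws01 shows the full pattern, ws02 is benign noise.
SAMPLE_EVENTS = [
    Event("file_write", "ws01", {"path": r"C:\Windows\Fonts\update.dll"}),
    Event("task_create", "ws01", {"command": r"rundll32.exe C:\Windows\Fonts\update.dll,Start",
                                  "repeat_minutes": 20}),
    Event("driver_load", "ws01", {"signer": "Avast Software",
                                  "path": r"C:\Windows\Fonts\placeholder_driver.sys"}),
    Event("file_write", "ws02", {"path": r"C:\Users\bob\Pictures\photo.png"}),
    Event("task_create", "ws02", {"command": "notepad.exe", "repeat_minutes": 60}),
    Event("driver_load", "ws02", {"signer": "Microsoft Windows",
                                  "path": r"C:\Windows\System32\drivers\ndis.sys"}),
]

if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for host in hosts_to_escalate(results):
        print(host, "->", results[host])
```

The escalation threshold is the point of the design: a single DLL in an odd folder or a single short-interval task is common in legitimate software, but a host that drops an executable in Fonts, schedules it every 20 minutes and then loads a driver from a vendor on the watch list matches the whole chain the post describes. Vendor-name matching is only a placeholder here; production hunting should key on the hashes of specific known-vulnerable drivers and on a driver blocklist.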

The Miner's Miner: Persistence Pays

Like the little engine that could, the XMRig client mining program chugs along, downloaded and executed thanks to the persistence of a DLL file that's all about that update life. And let's not forget about the backup.png script, a backdoor so convenient it might as well come with a welcome mat for hackers.

GHOSTENGINE's Backup Dancers

They say you should always have a plan B, and GHOSTENGINE has taken this advice to heart. The kill.png script is ready to jump in like an understudy if the star can't perform, ensuring the show goes on. It's the kind of redundancy that would make even the most obsessive project manager swoon.

Log4j's Unwanted Encore

Oh, and just as we were getting over the Log4j drama, here it is again, like a bad sequel nobody asked for. This time it's dropping XMRig miners onto servers with the subtlety of a sledgehammer. Servers in China, Hong Kong, and even as far as Sweden are getting a taste of this unwanted performance.

A Bypass a Day Keeps the Admin Away

And for the grand finale, we've got a smorgasbord of creative cybersecurity undermining. EDRaser, a novel technique, is like the H

Tags: BYOVD attack, cryptojacking, GHOSTENGINE, PowerShell Scripts, security process evasion, vulnerable drivers, XMRig miner