This sneaky malware can disable your security without you even realizing it, then download a slew of crypto miners
Hackers have found a way to install crypto miners on your devices even if you have an antivirus program installed.
The campaign was recently discovered by cybersecurity researchers at Elastic Security Labs and Antiy, who named it REF4578 but were unable to attribute it to a specific or known threat actor.
The campaign is carried out by placing a vulnerable driver on the endpoint, which lets the attackers disable and ultimately remove any antivirus programs you may have installed on your device. Once that is done, the malware drops XMRig, one of the most popular cryptocurrency miners out there. Victims do not appear to be specifically targeted, and it is difficult to determine exactly how many computers are infected.
Mining cryptos
The researchers don’t know exactly how the attackers spread the malware, but an educated guess would be through phishing, social media and instant messaging, or through ad poisoning and impersonation.
Whatever the method, victims first receive an executable file called Tiworker, which pretends to be a legitimate Windows file. This file places a PowerShell script called GhostEngine, which in turn performs a number of different activities.
One of these is loading two vulnerable kernel drivers: aswArPots.sys (an Avast driver), used to terminate Endpoint Detection and Response (EDR) processes, and IObitUnlockers.sys (an IObit driver), which removes the associated executable.
GhostEngine can also disable Windows Defender, enable remote services, and clear various Windows event logs.
When the process is complete and the coast is clear, GhostEngine will eventually deploy XMRig, a well-known cryptocurrency miner. Popular among cybercriminals, this tool secretly mines the cryptocurrency Monero (XMR), known for its privacy and pseudonymity.
To protect the endpoints, the researchers suggest that IT teams should keep an eye out for suspicious PowerShell executions, unusual process activity, and network traffic pointing to cryptocurrency mining pools.
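To make those three detection themes concrete, here is an added example (not code from Elastic Security Labs, Antiy or the article) that runs a few simple rules over constructed endpoint log lines. It goes slightly beyond the last paragraph by also covering the indicators described earlier in the article: loads of the two abusable drivers, Windows Defender real-time protection being switched off, and event logs being cleared. Assumptions: the key=value log format and every sample line are constructed for this demo, the mining-pool hostnames are placeholders rather than real pools, and the event IDs are the standard ones (Sysmon 1 = process create, 3 = network connection, 6 = driver loaded; Security 1102 = audit log cleared; Defender 5001 = real-time protection disabled).

```python
"""Toy detection rules for the GhostEngine/REF4578 tradecraft described above,
run over constructed endpoint log lines. Added example; the log format, sample
lines and mining-pool hostnames are all constructed, not taken from any report."""
import re
from dataclasses import dataclass

# Indicators named in the article: the two abusable kernel drivers GhostEngine loads.
VULNERABLE_DRIVERS = {"aswarpots.sys", "iobitunlockers.sys"}

# Placeholder mining-pool hosts (constructed, not real); a real deployment would
# take this list from a threat-intel feed.
MINING_POOL_HOSTS = {"pool.example-xmr.invalid", "mine.example-pool.invalid"}

# Constructed log lines (key=value, space separated) mimicking Sysmon,
# Security and Defender operational events.
SAMPLE_LOGS = """\
source=Sysmon event_id=6 image=C:\\Windows\\Temp\\aswArPots.sys signed=true
source=Sysmon event_id=1 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell -w hidden -ep bypass -enc SQBFAFgA"
source=Sysmon event_id=1 image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe"
source=Defender event_id=5001 message="Real-time protection is disabled"
source=Security event_id=1102 message="The audit log was cleared"
source=Sysmon event_id=6 image=C:\\Windows\\Temp\\IObitUnlockers.sys signed=true
source=Sysmon event_id=3 image=C:\\Windows\\Temp\\xmrig.exe dest_host=pool.example-xmr.invalid dest_port=3333
source=Sysmon event_id=3 image=C:\\Windows\\System32\\svchost.exe dest_host=www.example.com dest_port=443
"""

# key=value pairs; values may be double-quoted to allow spaces.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict (quoted values are unquoted)."""
    return {k: (inner if v.startswith('"') else v) for k, v, inner in KV_RE.findall(line)}


@dataclass
class Alert:
    rule: str
    detail: str


def evaluate(event):
    """Apply the detection rules to one parsed event; return the alerts it raises."""
    alerts = []
    src, eid = event.get("source"), event.get("event_id")
    image = event.get("image", "")
    base = image.rsplit("\\", 1)[-1].lower()
    # 1. Vulnerable-driver load: Sysmon 6 naming one of the abusable drivers.
    if src == "Sysmon" and eid == "6" and base in VULNERABLE_DRIVERS:
        alerts.append(Alert("vulnerable_driver_load", image))
    # 2. Suspicious PowerShell: hidden window, bypassed execution policy or encoded command.
    if src == "Sysmon" and eid == "1" and base == "powershell.exe":
        cmd = event.get("cmdline", "").lower()
        if any(flag in cmd for flag in ("-w hidden", "-ep bypass", "-enc")):
            alerts.append(Alert("suspicious_powershell", cmd))
    # 3. Security tooling tampered with, or logs cleared to cover tracks.
    if src == "Defender" and eid == "5001":
        alerts.append(Alert("defender_realtime_disabled", event.get("message", "")))
    if src == "Security" and eid == "1102":
        alerts.append(Alert("audit_log_cleared", event.get("message", "")))
    # 4. Outbound connection to a known mining pool.
    if src == "Sysmon" and eid == "3" and event.get("dest_host", "").lower() in MINING_POOL_HOSTS:
        alerts.append(Alert("mining_pool_connection",
                            f"{image} -> {event['dest_host']}:{event.get('dest_port')}"))
    return alerts


def scan(log_text):
    """Run every rule over every non-empty line; alerts come back in log order."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alerts.extend(evaluate(parse_line(line)))
    return alerts


def rule_names(log_text):
    """Just the rule names that fired, useful for summaries and tests."""
    return [a.rule for a in scan(log_text)]


if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS):
        print(f"[{a.rule}] {a.detail}")
```

Run on the constructed sample, six of the eight lines raise an alert and the two benign ones (Notepad starting, svchost talking to a web server on 443) stay quiet. In practice the interesting signal is the sequence: a driver load followed within minutes by Defender going quiet, a log clear and a new outbound connection on a pool port is far more telling than any single rule firing.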
Via BleepingComputer