GHOSTENGINE Exploit: Vulnerable Drivers Facing Attack
A recent revelation in the cybersecurity realm uncovers a concerning development dubbed GHOSTENGINE, a cryptojacking campaign employing a sophisticated method to bypass security measures. In this blog, we’ll look at the GHOSTENGINE exploit in detail, shedding light on its modus operandi and implications for digital security.
Understanding The GHOSTENGINE Exploit
Cybersecurity researchers have unearthed a novel cryptojacking campaign known as GHOSTENGINE, characterized by its utilization of vulnerable drivers to subvert established security protocols. Elastic Security Labs, in their pursuit of tracking this campaign, has identified it as REF4578, with the primary weapon being GHOSTENGINE.
The campaign’s complexity is noteworthy, indicating a deliberate effort to ensure the seamless deployment and persistence of malicious activities. The GHOSTENGINE exploit includes an EDR bypass to disable and remove interfering security agents.
The Anatomy of the Attack
At the heart of GHOSTENGINE lies a multi-layered approach to infiltration. The process initiates with the execution of an executable file named “Tiworker.exe,” which then triggers a PowerShell script. This script, disguised as a benign PNG image (“get.png”), communicates with a command-and-control (C2) server to retrieve additional payloads. These payloads, including various modules and executables, are downloaded onto the infected host via HTTP or FTP-based channels.
Exploiting Vulnerabilities
GHOSTENGINE leverages vulnerable drivers, such as “aswArPot.sys” and “IObitUnlockers.sys,” to disable established PowerShell security measures like Microsoft Defender Antivirus. These drivers facilitate the seamless execution of malicious processes, ensuring the deployment and persistence of the XMRig miner, a tool utilized for cryptocurrency mining.
Persistence and Concealment
System performance degradation can result from various factors, including software conflicts and hardware malfunctions. To maintain a foothold within the compromised system, GHOSTENGINE employs several tactics.
Scheduled tasks are created to run malicious DLLs at regular intervals, ensuring continuous operation of the malware. Additionally, the malware clears event logs and ensures sufficient disk space for downloading and storing additional files, thus evading detection and removal.
Implications and Mitigation Strategies
The emergence of GHOSTENGINE underscores the evolving landscape of cyber threats, where attackers leverage sophisticated techniques to evade detection and maximize their impact. Mitigating such threats requires a proactive approach, including regular driver updates to security protocols and the adoption of robust endpoint detection and response solutions. Suspicious process monitoring is a critical aspect of modern cybersecurity strategies, allowing organizations to detect and respond to potential threats in real-time.
The Rise of BYOVD
GHOSTENGINE epitomizes the growing trend of Bring Your Own Vulnerable Driver (BYOVD) attacks, favored by both state-sponsored actors and financially motivated cybercriminals. This technique, which involves loading vulnerable drivers into the kernel to perform privileged actions, poses a significant challenge to traditional security measures.
Addressing Security Gaps
Organizations are increasingly relying on EDR solutions to bolster their cybersecurity defenses against evolving threats. While initiatives like Microsoft’s Vulnerable Driver Blocklist offer some defense against BYOVD attacks, proactive measures are essential. Regular updates to security protocols and heightened awareness among users can mitigate the risk posed by such vulnerabilities.
Conclusion
Resource theft poses a significant threat to businesses, impacting productivity and profitability. The emergence of GHOSTENGINE highlights the ever-present threat posed by cyber adversaries. As organizations navigate an increasingly complex digital landscape, vigilance and adaptability, especially vulnerability patching are paramount. By understanding the tactics employed by malicious actors and implementing robust security measures, businesses can safeguard their digital assets and ensure continuity in the face of evolving threats.
The sources for this piece include articles in The Hacker News and Bleeping Computer.