ClickCease GHOSTENGINE Exploit: Vulnerable Drivers Facing Attack

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

GHOSTENGINE Exploit: Vulnerable Drivers Facing Attack

Wajahat Raja

June 6, 2024 - TuxCare expert team

A recent revelation in the cybersecurity realm uncovers a concerning development dubbed GHOSTENGINE, a cryptojacking campaign employing a sophisticated method to bypass security measures. In this blog, we’ll look at the GHOSTENGINE exploit in detail, shedding light on its modus operandi and implications for digital security.


Understanding The GHOSTENGINE Exploit

Cybersecurity researchers have unearthed a novel
cryptojacking campaign known as GHOSTENGINE, characterized by its utilization of vulnerable drivers to subvert established security protocols. Elastic Security Labs, in their pursuit of tracking this campaign, has identified it as REF4578, with the primary weapon being GHOSTENGINE. 

The campaign’s complexity is noteworthy, indicating a deliberate effort to ensure the seamless deployment and persistence of malicious activities. The GHOSTENGINE exploit includes an EDR bypass to disable and remove interfering security agents.


The Anatomy of the Attack

At the heart of GHOSTENGINE lies a multi-layered approach to infiltration. The process initiates with the execution of an executable file named “Tiworker.exe,” which then triggers a
PowerShell script. This script, disguised as a benign PNG image (“get.png”), communicates with a command-and-control (C2) server to retrieve additional payloads. These payloads, including various modules and executables, are downloaded onto the infected host via HTTP or FTP-based channels.

Exploiting Vulnerabilities

vulnerable drivers, such as “aswArPot.sys” and “IObitUnlockers.sys,” to disable established PowerShell security measures like Microsoft Defender Antivirus. These drivers facilitate the seamless execution of malicious processes, ensuring the deployment and persistence of the XMRig miner, a tool utilized for cryptocurrency mining.


Persistence and Concealment

System performance degradation
can result from various factors, including software conflicts and hardware malfunctions. To maintain a foothold within the compromised system, GHOSTENGINE employs several tactics. 

Scheduled tasks are created to run malicious DLLs at regular intervals, ensuring continuous operation of the malware. Additionally, the malware clears event logs and ensures sufficient disk space for downloading and storing additional files, thus evading detection and removal. 

Implications and Mitigation Strategies

emergence of GHOSTENGINE underscores the evolving landscape of cyber threats, where attackers leverage sophisticated techniques to evade detection and maximize their impact. Mitigating such threats requires a proactive approach, including regular driver updates to security protocols and the adoption of robust endpoint detection and response solutions. Suspicious process monitoring is a critical aspect of modern cybersecurity strategies, allowing organizations to detect and respond to potential threats in real-time.

The Rise of BYOVD

GHOSTENGINE epitomizes the growing trend of
Bring Your Own Vulnerable Driver (BYOVD) attacks, favored by both state-sponsored actors and financially motivated cybercriminals. This technique, which involves loading vulnerable drivers into the kernel to perform privileged actions, poses a significant challenge to traditional security measures.

Addressing Security Gaps

Organizations are increasingly relying on
EDR solutions to bolster their cybersecurity defenses against evolving threats. While initiatives like Microsoft’s Vulnerable Driver Blocklist offer some defense against BYOVD attacks, proactive measures are essential. Regular updates to security protocols and heightened awareness among users can mitigate the risk posed by such vulnerabilities. 


Resource theft
poses a significant threat to businesses, impacting productivity and profitability. The emergence of GHOSTENGINE highlights the ever-present threat posed by cyber adversaries. As organizations navigate an increasingly complex digital landscape, vigilance and adaptability, especially vulnerability patching are paramount. By understanding the tactics employed by malicious actors and implementing robust security measures, businesses can safeguard their digital assets and ensure continuity in the face of evolving threats.

The sources for this piece include articles in The Hacker News and Bleeping Computer.

GHOSTENGINE Exploit: Vulnerable Drivers Facing Attack
Article Name
GHOSTENGINE Exploit: Vulnerable Drivers Facing Attack
Learn about the GHOSTENGINE exploit targeting vulnerable drivers, enabling cryptojacking. Stay informed and protect your systems now.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter