GhostEngine mining attacks kill EDR security using vulnerable drivers

A malicious crypto mining campaign codenamed REF4578 deploys GhostEngine, which uses vulnerable drivers to disable security products and install an XMRig miner. Its origin and targets are unknown, but the attack chain starts with a Tiworker.exe that masquerades as a legitimate Windows file and a PowerShell loader, get.png, that fetches additional modules. #GhostEngine #REF4578 #XMRig #Tiworker.exe #get.png #ElasticSecurity #Antiy

Keypoints

  • The crypto mining operation is identified as REF4578 and uses GhostEngine to disable security defenses and deploy mining software.
  • Tiworker.exe acts as the initial staging payload, masquerading as a legitimate Windows file to begin the infection chain.
  • GhostEngine is a PowerShell-based loader that downloads additional modules after the initial entry.
  • The loader downloads get.png from a C2 server to install and run GhostEngine modules.
  • GhostEngine terminates EDR/defense tools using two vulnerable kernel drivers (aswArPots.sys and IObitUnlockers.sys) and clears event logs.
  • Persistence is achieved via scheduled tasks (OneDriveCloudSync, DefaultBrowserUpdate, OneDriveCloudBackup) and a Windows service (msdtc) loading OCI.dll.
  • Once established, GhostEngine downloads and launches smartsscreen.exe to run the XMRig miner and continue the infection lifecycle.

MITRE Techniques

  • [T1059.001] PowerShell – GhostEngine uses a PowerShell script to download various modules and conduct actions on the device. “This executable is the initial staging payload for GhostEngine, a PowerShell script that downloads various modules to conduct different behaviors on an infected device.”
  • [T1105] Ingress Tool Transfer – The loader get.png is downloaded from the attacker C2 and acts as GhostEngine’s primary loader. “get.png verifies… and creates scheduled tasks”
  • [T1036] Masquerading – Tiworker.exe masquerades as a legitimate Windows file to initiate infection. “execution of a file named ‘Tiworker.exe,’ which masquerades as a legitimate Windows file.”
  • [T1053.005] Scheduled Task – GhostEngine creates persistence via scheduled tasks named OneDriveCloudSync, DefaultBrowserUpdate, and OneDriveCloudBackup. “creates scheduled tasks named ‘OneDriveCloudSync,’ ‘DefaultBrowserUpdate,’ and ‘OneDriveCloudBackup,’ for persistence.”
  • [T1543.003] Windows Service – Persistence achieved by loading OCI.dll through the Windows service msdtc. “a DLL named ‘oci.dll’ is loaded by a Windows service named ‘msdtc’.”
  • [T1562.001] Impair Defenses – GhostEngine disables security tools (Windows Defender) and terminates EDR processes using vulnerable drivers. “to terminate EDR software” and “disables Windows Defender”

Indicators of Compromise

  • [File] Tiworker.exe – masquerades as a legitimate Windows file and forms the initial staging payload.
  • [File] get.png – PowerShell loader downloaded from the C2 to install GhostEngine modules.
  • [File] smartsscreen.exe – primary payload launched by GhostEngine to terminate EDR and mine.
  • [Dll] oci.dll – loaded by the Windows service msdtc for persistence and re-installation.
  • [Driver] aswArPots.sys – Avast driver used to terminate EDR processes.
  • [Driver] IObitUnlockers.sys – IObit driver used to delete the associated executable.
  • [Service] msdtc – Windows service that loads OCI.dll.
  • [File] XMRig – cryptocurrency miner deployed after GhostEngine loads.
  • [Task] OneDriveCloudSync, OneDriveCloudBackup, DefaultBrowserUpdate – scheduled tasks created for persistence.
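The indicators above only become a confident signal when several stages of the chain appear on the same host, since aswArPots.sys is a legitimate Avast driver and TiWorker.exe is a real Windows servicing binary. The following added example (not code from the article, Elastic Security or Antiy) correlates constructed, simplified telemetry lines against the stages and technique IDs listed above; the event format, host names and paths are assumptions made up for the example.

```python
# Added detection example: correlate constructed Windows telemetry against the GhostEngine chain.
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators named in the write-up, lower-cased for comparison.
SCHEDULED_TASKS = {"onedrivecloudsync", "defaultbrowserupdate", "onedrivecloudbackup"}
VULN_DRIVERS = {"aswarpots.sys", "iobitunlockers.sys"}

def parse(line):
    """'host|EventType|k=v|k=v' -> (host, event, {k: v}); a constructed format, not real Sysmon."""
    host, event, *kvs = line.split("|")
    return host, event, dict(kv.split("=", 1) for kv in kvs)

def classify(event, f):
    """Map one event to the MITRE technique from the article it evidences, or None."""
    img_path = f.get("image", "")
    image = PureWindowsPath(img_path).name.lower()
    if event == "ProcessCreate" and image == "tiworker.exe" \
            and not img_path.lower().startswith("c:\\windows\\"):
        return "T1036"       # TiWorker.exe outside the Windows directory: masquerading
    if event == "FileCreate" and PureWindowsPath(f.get("target", "")).name.lower() == "get.png":
        return "T1105"       # loader get.png written to disk
    if event == "TaskCreate" and f.get("task", "").lower() in SCHEDULED_TASKS:
        return "T1053.005"   # persistence task with one of the reported names
    if event == "ImageLoad" and image == "msdtc.exe" \
            and PureWindowsPath(f.get("loaded", "")).name.lower() == "oci.dll":
        return "T1543.003"   # msdtc service pulling in oci.dll
    if event == "DriverLoad" and PureWindowsPath(f.get("driver", "")).name.lower() in VULN_DRIVERS:
        return "T1562.001"   # abusable driver loaded (benign on hosts that genuinely run Avast/IObit)
    return None

def correlate(lines, min_stages=2):
    """Return {host: sorted techniques} for hosts showing at least min_stages distinct stages.
    A lone stage (e.g. the Avast driver on a host with Avast installed) is not alerted on."""
    seen = defaultdict(set)
    for line in lines:
        host, event, f = parse(line)
        technique = classify(event, f)
        if technique:
            seen[host].add(technique)
    return {h: sorted(ts) for h, ts in seen.items() if len(ts) >= min_stages}

# Constructed sample telemetry; hosts and paths are made up for this example.
SAMPLE = [
    "ws01|ProcessCreate|image=C:\\Users\\Public\\Tiworker.exe",
    "ws01|FileCreate|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|target=C:\\Users\\Public\\get.png",
    "ws01|TaskCreate|task=OneDriveCloudSync",
    "ws01|DriverLoad|driver=C:\\Windows\\Temp\\aswArPots.sys",
    "ws01|ImageLoad|image=C:\\Windows\\System32\\msdtc.exe|loaded=C:\\Windows\\System32\\oci.dll",
    "ws02|ProcessCreate|image=C:\\Windows\\WinSxS\\servicing_PLACEHOLDER\\TiWorker.exe",  # legitimate
    "ws02|DriverLoad|driver=C:\\Windows\\System32\\drivers\\aswArPots.sys",  # host really runs Avast
]

if __name__ == "__main__":
    print(correlate(SAMPLE))  # {'ws01': ['T1036', 'T1053.005', 'T1105', 'T1543.003', 'T1562.001']}
```

Host ws02 shows only one stage and is deliberately not reported; raising `min_stages` trades recall for fewer false positives on fleets where Avast or IObit software is deployed.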

Read more: https://www.bleepingcomputer.com/news/security/ghostengine-mining-attacks-kill-edr-security-using-vulnerable-drivers