Invisible miners: unveiling GHOSTENGINE’s crypto mining operations — Elastic Security Labs

Elastic Security Labs details a multi-module intrusion set (REF4578) that disables security tools to enable crypto mining via the GHOSTENGINE payload, with persistence and backdoor capabilities. The operation relies on vulnerable drivers, PowerShell orchestration, and a suite of modules to download, install, and run the XMRig miner while purging remnants from prior campaigns. #GHOSTENGINE #REF4578 #XMRig #Monero #Avast #IObitUnlockers #smartscreen #TiWorker

Key points

  • REF4578 is the intrusion set, with GHOSTENGINE as the primary payload designed to defeat security controls and deploy a Monero miner.
  • GHOSTENGINE uses vulnerable drivers (AVAST aswArPots.sys and IObitUnlockers.sys) to terminate EDR agents and purge security artifacts.
  • The intrusion chain begins with Tiworker.exe masquerading as a legitimate Windows process to start the infection and fetch obfuscated PowerShell payloads.
  • A PowerShell-based downloader (get.png) retrieves modules and a configuration file from the attacker C2, enabling persistence and updates.
  • Persistence is achieved via scheduled tasks (e.g., OneDriveCloudSync, DefaultBrowserUpdate, OneDriveCloudBackup) and a Windows service-based mechanism (oci.dll).
  • The miner component uses XMRig, with a configuration file (config.json) and Monero-related data to monitor payments and pool activity.

MITRE Techniques

  • [T1036] Masquerading – The malware attempts to masquerade TiWorker as the legitimate Windows TiWorker.exe file. – “the execution of a PE file named Tiworker.exe (masquerading as the legitimate Windows TiWorker.exe file) signified the beginning of the REF4578 intrusion.”
  • [T1059.001] PowerShell – It uses a PowerShell-based chain to orchestrate the intrusion and fetch additional payloads. – “downloads and executes a PowerShell script that orchestrates the entire execution flow of the intrusion. Analysis revealed that this binary executes a hardcoded PowerShell command line to retrieve an obfuscated script, get.png, which is used to download further tools, modules, and configurations from the attacker C2.”
  • [T1027] Obfuscated/Compressed Files and Information – The PowerShell one-liner retrieves an obfuscated script. – “a hardcoded PowerShell command line to retrieve an obfuscated script, get.png.”
  • [T1105] Ingress Tool Transfer – get.png is used to download additional tools and configurations from the C2. – “get.png, which is used to download further tools, modules, and configurations from the attacker C2.”
  • [T1071.001] Web Protocols – GHOSTENGINE primarily uses HTTP/HTTPS to download files from the C2. – “GHOSTENGINE is responsible for retrieving and executing modules on the machine. It primarily uses HTTP to download files from a configured domain.”
  • [T1071.004] DNS – The malware uses a hardcoded DNS list to resolve C2 domains. – “To get the current DNS resolution for the C2 domain names, GHOSTENGINE uses a hardcoded list of DNS servers, 1.1.1.1 and 8.8.8.8.”
  • [T1562.001] Impair Defenses – The malware disables Windows Defender and cleans security logs. – “During execution, it attempts to disable Windows Defender and clean the following Windows event log channels.”
  • [T1053.005] Scheduled Task – get.png creates persistence via tasks like OneDriveCloudSync and DefaultBrowserUpdate. – “Next, to establish persistence, get.png creates the following scheduled tasks as SYSTEM: OneDriveCloudSync … every 20 minutes; DefaultBrowserUpdate … every 60 minutes; OneDriveCloudBackup … every 40 minutes.”
  • [T1543.003] Create/Modify System Process (Windows Service) – oci.dll is created as a service DLL and used to spawn get.png. – “The PowerShell script creates the following service DLL (oci.dll), a phantom DLL loaded by msdtc.”
  • [T1055] Process Injection – kill.png injects shellcode into the current process. – “kill.png is a PowerShell script that injects shellcode into the current process, decrypting and loading a PE file into memory.”
  • [T1055.012] Kernel/User Interaction – EDR termination relies on vulnerable drivers to terminate security agents (process termination via IOCTL). – “scans and compares all the running processes with a hardcoded list of known EDR agents. If there are any matches, it first terminates the security agent by leveraging the Avast Anti-Rootkit Driver file aswArPots.sys with the IOCTL 0x7299C004 to terminate the process by PID.”
  • [T1105] Ingress Tool Transfer (loader) – The loader fetches modules and PEs (e.g., get.png, config.txt, etc.). – “get.png downloads all of its modules and various PE files.”
  • [T1037] Microsoft Windows Utilities – The loader uses system utilities and a service to orchestrate loader operations. – “msdtc to run the malicious service DLL C:\Windows\System32\oci.dll every 20 minutes”

Indicators of Compromise

  • [SHA-256] 2fe78941d74d35f721556697491a438bf3573094d7ac091b42e4f59ecbd25753 – C:\Windows\Fonts\smartsscreen.exe (GHOSTENGINE EDR controller module)
  • [SHA-256] 4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1 – C:\Windows\System32\drivers\aswArPots.sys (Avast vulnerable driver)
  • [SHA-256] 2b33df9aff7cb99a782b252e8eb65ca49874a112986a1c49cd9971210597a8ae – C:\Windows\System32\drivers\IObitUnlockers.sys (IObit vulnerable driver)
  • [SHA-256] 3ced0552b9ecf3dfecd14cbcc3a0d246b10595d5048d7f0d4690e26ecccc1150 – C:\Windows\System32\oci.dll (Update/Persistence module, 64-bit)
  • [SHA-256] 3b2724f3350cb5f017db361bd7aae49a8dbc6faa7506de6a4b8992ef3fd9d7ab – C:\Windows\System32\oci.dll (Update/Persistence module, 32-bit)
  • [SHA-256] 35eb368c14ad25e3b1c58579ebaeae71bdd8ef7f9ccecfc00474aa066b32a03f – C:\Windows\Fonts\taskhostw.exe (Miner client)
  • [SHA-256] 786591953336594473d171e269c3617d7449876993b508daa9b96eedc12ea1ca – C:\Windows\Fonts\config.json (Miner configuration)
  • [SHA-256] 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 – C:\Windows\Fonts\WinRing0x64.sys (Miner driver)
  • [SHA-256] aac7f8e174ba66d62620bd07613bac1947f996bb96b9627b42910a1db3d3e22b – C:\ProgramData\Microsoft\DeviceSync\SystemSync\Tiworker.exe (Initial stager)
  • [SHA-256] 6f3e913c93887a58e64da5070d96dc34d3265f456034446be89167584a0b347e – C:\Windows\Fonts\backup.png (GHOSTENGINE backdoor)
  • [SHA-256] 7c242a08ee2dfd5da8a4c6bc86231985e2c26c7b9931ad0b3ea4723e49ceb1c1 – C:\Windows\Fonts\get.png (GHOSTENGINE loader)
  • [SHA-256] cc4384510576131c126db3caca027c5d159d032d33ef90ef30db0daa2a0c4104 – download.yrnvtklot[.]com (C2 server domain)
  • [IPv4] 111.90.158[.]40 – C2 server
  • [IPv4] 93.95.225[.]137 – C2 server
  • [Domain] ftp.yrnvtklot[.]com – C2 server domain
  • [Domain] online.yrnvtklot[.]com – C2 server domain
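The technique list and the indicator list above translate directly into hunting logic. The script below is an added example (not code from Elastic Security Labs or the report) that runs a handful of REF4578-specific checks over Sysmon-style event records: a TiWorker.exe launched from outside the Windows servicing paths, executables running from C:\Windows\Fonts, loads of the vulnerable Avast/IObit drivers by hash, creation of the OneDriveCloudSync / DefaultBrowserUpdate / OneDriveCloudBackup tasks, and DNS or network activity toward the listed C2 domains and addresses. The hashes, task names, domains and IPs are the ones published on this page; the event records are constructed, the flat `Sha256` field is a simplification of Sysmon's `Hashes` string, and the "legitimate TiWorker path" pattern is the author's assumption about where the servicing stack normally runs it.

```python
"""Hunt over Sysmon-style events for REF4578 / GHOSTENGINE indicators.
Added example; the event records at the bottom are constructed, not real telemetry."""
import re

# Indicators copied from the page's IoC list.
VULN_DRIVER_HASHES = {
    "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1": "aswArPots.sys (Avast)",
    "2b33df9aff7cb99a782b252e8eb65ca49874a112986a1c49cd9971210597a8ae": "IObitUnlockers.sys (IObit)",
    "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5": "WinRing0x64.sys (miner driver)",
}
MODULE_HASHES = {
    "2fe78941d74d35f721556697491a438bf3573094d7ac091b42e4f59ecbd25753": "smartsscreen.exe (EDR controller)",
    "3ced0552b9ecf3dfecd14cbcc3a0d246b10595d5048d7f0d4690e26ecccc1150": "oci.dll (64-bit)",
    "3b2724f3350cb5f017db361bd7aae49a8dbc6faa7506de6a4b8992ef3fd9d7ab": "oci.dll (32-bit)",
    "35eb368c14ad25e3b1c58579ebaeae71bdd8ef7f9ccecfc00474aa066b32a03f": "taskhostw.exe (miner)",
    "aac7f8e174ba66d62620bd07613bac1947f996bb96b9627b42910a1db3d3e22b": "Tiworker.exe (stager)",
    "6f3e913c93887a58e64da5070d96dc34d3265f456034446be89167584a0b347e": "backup.png (backdoor)",
    "7c242a08ee2dfd5da8a4c6bc86231985e2c26c7b9931ad0b3ea4723e49ceb1c1": "get.png (loader)",
}
TASK_NAMES = {"onedrivecloudsync", "defaultbrowserupdate", "onedrivecloudbackup"}
C2_DOMAINS = {"download.yrnvtklot.com", "ftp.yrnvtklot.com", "online.yrnvtklot.com"}
C2_IPS = {"111.90.158.40", "93.95.225.137"}

# Assumption: the real TiWorker.exe runs from the servicing stack under WinSxS/System32.
LEGIT_TIWORKER = re.compile(r"^c:\\windows\\(winsxs|system32|servicing)\\", re.I)
FONTS_DIR = re.compile(r"^c:\\windows\\fonts\\", re.I)


def evaluate(event):
    """Return (rule, detail) hits for one event dict.
    Keys loosely mirror Sysmon fields: EventID, Image, Sha256 (simplified from
    the Hashes string), TaskName (Security 4698), QueryName, DestinationIp."""
    hits = []
    eid = event.get("EventID")
    image = event.get("Image", "")
    sha = event.get("Sha256", "").lower()
    if eid == 1:  # process creation
        if image.lower().endswith("\\tiworker.exe") and not LEGIT_TIWORKER.match(image):
            hits.append(("T1036 masquerading", f"TiWorker.exe outside servicing paths: {image}"))
        if FONTS_DIR.match(image):
            hits.append(("suspicious path", f"executable launched from Fonts dir: {image}"))
        if sha in MODULE_HASHES:
            hits.append(("known GHOSTENGINE module", MODULE_HASHES[sha]))
    elif eid == 6:  # driver loaded
        if sha in VULN_DRIVER_HASHES:
            hits.append(("T1562.001 vulnerable driver", VULN_DRIVER_HASHES[sha]))
    elif eid == 4698:  # scheduled task created
        if event.get("TaskName", "").strip("\\").lower() in TASK_NAMES:
            hits.append(("T1053.005 persistence task", event["TaskName"]))
    elif eid == 22:  # DNS query
        if event.get("QueryName", "").lower() in C2_DOMAINS:
            hits.append(("T1071.004 C2 domain", event["QueryName"]))
    elif eid == 3:  # network connection
        if event.get("DestinationIp") in C2_IPS:
            hits.append(("T1071.001 C2 address", event["DestinationIp"]))
    return hits


def scan(events):
    """Evaluate every event; returns (event index, rule, detail) triples."""
    return [(i, rule, detail) for i, ev in enumerate(events) for rule, detail in evaluate(ev)]


# Constructed sample telemetry: the stager, a legitimate TiWorker, the persistence task,
# the Avast driver load, a C2 lookup, the miner client, and a benign resolver connection.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\ProgramData\Microsoft\DeviceSync\SystemSync\Tiworker.exe",
     "Sha256": "aac7f8e174ba66d62620bd07613bac1947f996bb96b9627b42910a1db3d3e22b"},
    {"EventID": 1, "Image": r"C:\Windows\WinSxS\amd64_microsoft-windows-servicing_example\TiWorker.exe",
     "Sha256": "0000000000000000000000000000000000000000000000000000000000000000"},
    {"EventID": 4698, "TaskName": r"\OneDriveCloudSync"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\aswArPots.sys",
     "Sha256": "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1"},
    {"EventID": 22, "QueryName": "download.yrnvtklot.com"},
    {"EventID": 1, "Image": r"C:\Windows\Fonts\taskhostw.exe",
     "Sha256": "35eb368c14ad25e3b1c58579ebaeae71bdd8ef7f9ccecfc00474aa066b32a03f"},
    {"EventID": 3, "DestinationIp": "8.8.8.8"},  # hardcoded resolver, not an IoC by itself
]

if __name__ == "__main__":
    for idx, rule, detail in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {detail}")
```

The hash and name matches are the brittle part (a rebuilt module or renamed task slips past them); the path-based checks (TiWorker.exe outside the servicing stack, anything executable under C:\Windows\Fonts) and the driver-load check by hash are the ones worth keeping as standing rules, since they target the behaviour rather than this campaign's specific artifacts. Note that connections to 1.1.1.1 and 8.8.8.8, which the loader uses as hardcoded resolvers, are deliberately not flagged: they are far too common to serve as an indicator on their own.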

Read more: https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine