Preamble
Elastic Security Labs has identified an intrusion set incorporating several malicious modules and leveraging vulnerable drivers to disable known security solutions (EDRs) for crypto mining. Additionally, the team discovered capabilities to establish persistence, install a previously undocumented backdoor, and execute a crypto-miner. We refer to this intrusion set as REF4578 and the primary payload as GHOSTENGINE (tangental research by the team at Antiy has named parts of this intrusion set HIDDENSHOVEL).
Key takeaways
- Malware authors incorporated many contingency and duplication mechanisms
- GHOSTENGINE leverages vulnerable drivers to terminate and delete known EDR agents that would likely interfere with the deployed and well-known coin miner
- This campaign involved an uncommon amount of complexity to ensure both the installation and persistence of the XMRIG miner
Code analysis
On May 6, 2024, at 14:08:33 UTC, the execution of a PE file named Tiworker.exe
(masquerading as the legitimate Windows TiWorker.exe
file) signified the beginning of the REF4578 intrusion. The following alerts were captured in telemetry, indicating a known vulnerable driver was deployed.
Upon execution, this file downloads and executes a PowerShell script that orchestrates the entire execution flow of the intrusion. Analysis revealed that this binary executes a hardcoded PowerShell command line to retrieve an obfuscated script, get.png,
which is used to download further tools, modules, and configurations from the attacker C2– as depicted in the screenshot below.
GHOSTENGINE
GHOSTENGINE is responsible for retrieving and executing modules on the machine. It primarily uses HTTP to download files from a configured domain, with a backup IP in case domains are unavailable. Additionally, it employs FTP as a secondary protocol with embedded credentials. The following is a summary of the execution flow:
This script downloads and executes clearn.png
, a component designed to purge the system of remnants from prior infections belonging to the same family but different campaign; it removes malicious files under C:Program FilesCommon FilesSystemado
and C:PROGRA~1COMMON~1Systemado
and removes the following scheduled tasks by name:
Microsoft Assist Job
System Help Center Job
SystemFlushDns
SystemFlashDnsSrv
Evidence of those scheduled task artifacts may be indicators of a prior infection.
During execution, it attempts to disable Windows Defender and clean the following Windows event log channels:
Application
Security
Setup
System
Forwarded Events
Microsoft-Windows-Diagnostics-Performance
Microsoft-Windows-AppModel-Runtime/Operational
Microsoft-Windows-Winlogon/Operational
get.png
disables Windows Defender, enables remote services, and clears the contents of:
C:WindowsTemp
C:WindowsLogs
C:$Recycle.Bin
C:windowsZAM.krnl.trace
get.png
also verifies that the C:
volume has at least 10 MB of free space to download files, storing them in C:WindowsFonts
. If not, it will try to delete large files from the system before looking for another suitable volume with sufficient space and creating a folder under $RECYCLE.BINFonts
.
To get the current DNS resolution for the C2 domain names, GHOSTENGINE uses a hardcoded list of DNS servers, 1.1.1.1
and 8.8.8.8
.
Next, to establish persistence, get.png
creates the following scheduled tasks as SYSTEM
:
- OneDriveCloudSync using
msdtc
to run the malicious service DLLC:WindowsSystem32oci.dll
every 20 minutes (described later) - DefaultBrowserUpdate to run
C:UsersPublicrun.bat,
which downloads theget.png
script and executes it every 60 minutes - OneDriveCloudBackup to execute
C:WindowsFontssmartsscreen.exe
every 40 minutes
get.png
terminates all curl.exe
processes and any PowerShell process with *get.png*
in its command line, excluding the current process. This is a way to terminate any concurrently running instance of the malware.
This script then downloads config.txt
, a JSON file containing the hashes of the PE files it retrieved. This file verifies whether any updated binaries are to be downloaded by checking the hashes of the previously downloaded files from any past infections.
Finally, get.png
downloads all of its modules and various PE files. Below is a table containing a description of each downloaded file:
path | Type | Description |
---|---|---|
C:WindowsSystem32driversaswArPots.sys |
Kernel driver | Vulnerable driver from Avast |
C:WindowsSystem32driversIObitUnlockers.sys |
Kernel driver | Vulnerable driver from IObit |
C:WindowsFontscurl.exe |
PE executable | Used to download files via cURL |
C:WindowsFontssmartsscreen.exe |
PE executable | Core payload (GHOSTENGINE), its main purpose is to deactivate security instrumentation, complete initial infection, and execute the miner. |
C:WindowsSystem32oci.dll |
Service DLL | Persistence/updates module |
backup.png |
Powershell script | Backdoor module |
kill.png |
Powershell script | A PowerShell script that injects and executes a PE file responsible for killing security sensors |
GHOSTENGINE modules
GHOSTENGINE deploys several modules that can tamper with security tools, create a backdoor, and check for software updates.
EDR agent controller and miner module: smartsscreen.exe
This module primarily terminates any active EDR agent processes before downloading and installing a crypto-miner.
The malware scans and compares all the running processes with a hardcoded list of known EDR agents. If there are any matches, it first terminates the security agent by leveraging the Avast Anti-Rootkit Driver file aswArPots.sys
with the IOCTL 0x7299C004
to terminate the process by PID.
smartscreen.exe
is then used to delete the security agent binary with another vulnerable driver, iobitunlockers.sys
from IObit, with the IOCTL 0x222124
.
smartscreen.exe
then downloads the XMRig client mining program (WinRing0x64.png
) from the C2 server as taskhostw.png
. Finally, it executes XMRig, its drivers, and the configuration file config.json
, starting the mining process.
Update/Persistence module: oci.dll
The PowerShell script creates a service DLL (oci.dll
), a phantom DLL loaded by msdtc
. The DLL’s architecture varies depending on the machine; it can be 32-bit or 64-bit. Its primary function is to create system persistence and download any updates from the C2 servers by downloading the get.png
script from the C2 and executing it.
Every time the msdtc
service starts, it will load oci.dll
to spawn the PowerShell one-liner that executes get.png
:
EDR agent termination module: kill.png
kill.png
is a PowerShell script that injects shellcode into the current process, decrypting and loading a PE file into memory.
This module is written in C++, and the authors have integrated redundancy into its operation. This redundancy is evident in the replication of the technique used in smartsscreen.exe
to terminate and delete EDR agent binaries; it continuously scans for any new processes.
Powershell backdoor module: backup.png
The PowerShell script functions like a backdoor, enabling remote command execution on the system. It continually sends a Base64-encoded JSON object containing a unique ID, derived from the current time and the computer name while awaiting base64-encoded commands. The results of those commands are then sent back.
In this example eyJpZCI6IjE3MTU2ODYyNDA3MjYyNiIsImhvc3QiOiJhbmFseXNpcyJ9
is the Base64-encoded JSON object:
$ echo "eyJpZCI6IjE3MTU2ODYyNDA3MjYyNiIsImhvc3QiOiJhbmFseXNpcyJ9" | base64 -D
{"id":"171568624072626","host":"analysis"}
Miner configuration
XMRig is a legitimate crypto miner, and they have documented the configuration file usage and elements here. As noted at the beginning of this publication, the ultimate goal of the REF4578 intrusion set was to gain access to an environment and deploy a persistent Monero crypto miner, XMRig.
We extracted the configuration file from the miner, which was tremendously valuable as it allowed us to report on the Monero Payment ID and track the worker and pool statistics, mined cryptocurrency, transaction IDs, and withdrawals.
Below is an excerpt from the REF4578 XMRig configuration file:
{
"autosave": false,
"background": true,
"colors": true,
...truncated...
"donate-level": 0,
"donate-over-proxy": 0,
"pools": [
{
"algo": "rx/0",
"coin": "monero",
"url": "pool.supportxmr[.]com:443",
"user": "468ED2Qcchk4shLbD8bhbC3qz2GFXqjAUWPY3VGbmSM2jfJw8JpSDDXP5xpkMAHG98FHLmgvSM6ZfUqa9gvArUWP59tEd3f",
"keepalive": true,
"tls": true
...truncated...
"user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36",
"verbose": 0,
"watch": true,
"pause-on-battery": false,
"pause-on-active": false
}
Monero Payment ID
Monero is a blockchain cryptocurrency focusing on obfuscation and fungibility to ensure anonymity and privacy. The Payment ID is an arbitrary and optional transaction attachment that consists of 32 bytes (64 hexadecimal characters) or 8 bytes (in the case of integrated addresses).
Using the Payment ID from the above configuration excerpt (468ED2Qcchk4shLbD8bhbC3qz2GFXqjAUWPY3VGbmSM2jfJw8JpSDDXP5xpkMAHG98FHLmgvSM6ZfUqa9gvArUWP59tEd3f
) we can view the worker and pool statistics on one of the Monero Mining Pool sites listed in the configuration.
Additionally, we can see the transaction hashes, which we can look up on the Monero blockchain explorer. Note that while transactions date back four months ago, this only indicates the potential monetary gain by this specific worker and account.
Using the Blockchain Explorer and one of the transaction hashes we got from the Payment ID, we can see the public key, the amount is withdrawn, and when. Note that these public keys are used with one-time addresses, or stealth addresses that the adversary would then use a private key with to unlock the funds.
In the above example for transaction 7c106041de7cc4c86cb9412a43cb7fc0a6ad2c76cfdb0e03a8ef98dd9e744442
we can see that there was a withdrawal of 0.109900000000
XMR (the abbreviation for Monero) totaling $14.86 USD. The Monerao Mining Pool site shows four transactions of approximately the same amount of XMR, totaling approximately $60.70 USD (January – March 2024).
As of the publication of this research, there are still active miners connected to the REF4578 Payment ID.
While this specific Payment ID does not appear to be a big earner, it is evident that REF4578 could operate this intrusion set successfully. Other victims of this campaign could have different Payment IDs used to track intrusions, which could be combined for a larger overall haul.
Malware and MITRE ATT&CK
Elastic uses the MITRE ATT&CK framework to document common tactics, techniques, and procedures that threats use against enterprise networks.
Tactics
Tactics represent the why of a technique or sub-technique. It is the adversary’s tactical goal: the reason for performing an action.
Techniques
Techniques represent how an adversary achieves a tactical goal by performing an action.
Mitigating GHOSTENGINE
Detection
The first objective of the GHOSTENGINE malware is to incapacitate endpoint security solutions and disable specific Windows event logs, such as Security and System logs, which record process creation and service registration. Therefore, it is crucial to prioritize the detection and prevention of these initial actions:
- Suspicious PowerShell execution
- Execution from unusual directories
- Elevating privileges to system integrity
- Deploying vulnerable drivers and establishing associated kernel mode services.
Once the vulnerable drivers are loaded, detection opportunities decrease significantly, and organizations must find compromised endpoints that stop transmitting logs to their SIEM.
Network traffic may generate and be identifiable if DNS record lookups point to known mining pool domains over well-known ports such as HTTP (80
) and HTTPS (443
). Stratum is also another popular network protocol for miners, by default, over port 4444
.
The analysis of this intrusion set revealed the following detection rules and behavior prevention events:
Prevention
Malicious Files Prevention :
Shellcode Injection Prevention:
Vulnerable Drivers file creation prevention (Windows.VulnDriver.ArPot and Windows.VulnDriver.IoBitUnlocker )
YARA
Elastic Security has created YARA rules to identify this activity.
Observations
All observables are also available for download in both ECS and STIX format.
The following observables were discussed in this research.
Observable | Type | Name | Reference |
---|---|---|---|
2fe78941d74d35f721556697491a438bf3573094d7ac091b42e4f59ecbd25753 |
SHA-256 | C:WindowsFontssmartsscreen.exe |
GHOSTENGINE EDR controller module |
4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1 |
SHA-256 | C:WindowsSystem32driversaswArPots.sys |
Avast vulnerable driver |
2b33df9aff7cb99a782b252e8eb65ca49874a112986a1c49cd9971210597a8ae |
SHA-256 | C:WindowsSystem32driversIObitUnlockers.sys |
Iobit vulnerable driver |
3ced0552b9ecf3dfecd14cbcc3a0d246b10595d5048d7f0d4690e26ecccc1150 |
SHA-256 | C:WindowsSystem32oci.dll |
Update/Persistence module (64-bit) |
3b2724f3350cb5f017db361bd7aae49a8dbc6faa7506de6a4b8992ef3fd9d7ab |
SHA-256 | C:WindowsSystem32oci.dll |
Update/Persistence module (32-bit) |
35eb368c14ad25e3b1c58579ebaeae71bdd8ef7f9ccecfc00474aa066b32a03f |
SHA-256 | C:WindowsFontstaskhostw.exe |
Miner client |
786591953336594473d171e269c3617d7449876993b508daa9b96eedc12ea1ca |
SHA-256 | C:WindowsFontsconfig.json |
Miner configuration file |
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 |
SHA-256 | C:WindowsFontsWinRing0x64.sys |
Miner driver |
aac7f8e174ba66d62620bd07613bac1947f996bb96b9627b42910a1db3d3e22b |
SHA-256 | C:ProgramDataMicrosoftDeviceSyncSystemSyncTiworker.exe |
Initial stager |
6f3e913c93887a58e64da5070d96dc34d3265f456034446be89167584a0b347e |
SHA-256 | backup.png |
GHOSTENGINE backdoor module |
7c242a08ee2dfd5da8a4c6bc86231985e2c26c7b9931ad0b3ea4723e49ceb1c1 |
SHA-256 | get.png |
GHOSTENGINE loader |
cc4384510576131c126db3caca027c5d159d032d33ef90ef30db0daa2a0c4104 |
SHA-256 | kill.png |
GHOSTENGINE EDR termination module |
download.yrnvtklot[.]com |
domain | C2 server | |
111.90.158[.]40 |
ipv4-addr | C2 server | |
ftp.yrnvtklot[.]com |
domain | C2 server | |
93.95.225[.]137 |
ipv4-addr | C2 server | |
online.yrnvtklot[.]com |
domain | C2 server |
References
The following were referenced throughout the above research:
Source: https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine