A new cryptojacking campaign is leveraging vulnerable drivers to disable security solutions on Windows systems. The campaign, referred to as “Bring Your Own Vulnerable Driver” (BYOVD), has been attributed to a threat actor tracked as REF4578. It employs a crypto-miner dubbed “Ghostengine,” a report from Elastic Security Labs said.
The primary objective of REF4578 is to disable Endpoint Detection and Response (EDR) products to avoid detection. This campaign was separately detailed by Chinese cybersecurity firm Antiy Labs under the codename Hidden Shovel.
According to researchers, “Ghostengine leverages vulnerable drivers to terminate and delete known EDR agents that would likely interfere with the deployed and well-known coin miner.”
The attack starts with an executable file named “Tiworker.exe,” which executes a PowerShell script. This script retrieves an obfuscated PowerShell script disguised as a PNG image (“get.png”) from a command-and-control (C2) server, which in turn fetches additional malicious payloads.
Ghostengine deploys several modules to tamper with security tools, establish a backdoor, and ensure software updates are in place. These modules include aswArPot.sys, IObitUnlockers.sys, curl.exe, smartsscreen.exe, oci.dll, backup.png, and kill.png. Ghostengine uses HTTP to download files from a configured domain, with an IP backup in case the domains are inaccessible, and employs FTP as a secondary download protocol.
The malware further attempts to disable Microsoft Defender Antivirus, clear various Windows event log channels, and ensure there is at least 10 MB of free space on the C:\ volume for downloading files, which are then stored in the C:\Windows\Fonts folder.
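The two artifacts above (the named vulnerable drivers being loaded, and non-font files staged under C:\Windows\Fonts) are cheap to check for in endpoint telemetry. The following is an added detection sketch, not code from Elastic, Antiy or the malware itself; the event records are a constructed, simplified dict format (`event`, `image`, `target` keys) that you would map your own Sysmon or EDR fields onto.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Vulnerable drivers the report says Ghostengine loads to kill EDR agents.
KNOWN_ABUSED_DRIVERS = {"aswarpot.sys", "iobitunlockers.sys"}
# Folder the report says downloaded payloads are stored in.
STAGING_DIR = PureWindowsPath(r"C:\Windows\Fonts")
# Anything in the Fonts folder that is not a font is suspicious.
FONT_EXTENSIONS = {".ttf", ".ttc", ".otf", ".fon"}

@dataclass
class Alert:
    rule: str
    event: dict

def check_driver_load(ev: dict) -> Optional[Alert]:
    """Flag a driver load whose file name matches a known abused driver."""
    if ev.get("event") != "driver_load":
        return None
    name = PureWindowsPath(ev["image"]).name.lower()
    return Alert("byovd_known_driver", ev) if name in KNOWN_ABUSED_DRIVERS else None

def check_fonts_staging(ev: dict) -> Optional[Alert]:
    """Flag a non-font file written directly into C:\\Windows\\Fonts."""
    if ev.get("event") != "file_create":
        return None
    target = PureWindowsPath(ev["target"])  # Windows paths compare case-insensitively
    if target.parent == STAGING_DIR and target.suffix.lower() not in FONT_EXTENSIONS:
        return Alert("non_font_in_fonts_dir", ev)
    return None

def scan(events: List[dict]) -> List[Alert]:
    """Run every rule over every event and collect the hits in order."""
    alerts: List[Alert] = []
    for ev in events:
        for rule in (check_driver_load, check_fonts_staging):
            hit = rule(ev)
            if hit is not None:
                alerts.append(hit)
    return alerts

# Constructed sample telemetry: two true positives per rule plus benign noise.
SAMPLE_EVENTS = [
    {"event": "driver_load", "image": r"C:\Windows\Fonts\aswArPot.sys"},
    {"event": "driver_load", "image": r"C:\Windows\System32\drivers\disk.sys"},
    {"event": "file_create", "target": r"C:\Windows\Fonts\kill.png"},
    {"event": "file_create", "target": r"C:\Windows\Fonts\arial.ttf"},
    {"event": "file_create", "target": r"C:\Users\alice\Downloads\get.png"},
    {"event": "driver_load", "image": r"C:\Windows\Fonts\IObitUnlockers.sys"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert.rule, alert.event)
```

Matching on driver file name alone is a starting point; pairing it with the driver's signer or hash from your own telemetry avoids being fooled by a renamed file.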
An analysis of the REF4578 XMRig configuration file revealed that the mining operation has yet to achieve significant success, totaling approximately $60.70 (January - March 2024).