Hackers have found a way to install cryptominers on your devices, even if you have an antivirus program installed.
The campaign was recently discovered by cybersecurity researchers at Elastic Security Labs and Antiy, who named it REF4578, but were unable to attribute it to any specific or known threat actors.
The attackers place a vulnerable but legitimately signed driver on the endpoint and abuse it to disable, and ultimately uninstall, any antivirus software on the device (a bring-your-own-vulnerable-driver, or BYOVD, technique). Once that is done, the malware deploys XMRig, one of the most popular cryptocurrency miners. Victims do not appear to be specifically targeted, and it is difficult to determine exactly how many computers have been infected.
Mining cryptocurrencies
Researchers aren't sure exactly how the attackers distribute the malware, but an educated guess would be phishing emails, social media and instant messaging, or malvertising (poisoned advertising).
Whatever the method, the infection begins with an executable called Tiworker.exe, which masquerades as a legitimate Windows file. This file drops a PowerShell script called GhostEngine, which in turn carries out several different actions.
These include loading two vulnerable kernel drivers: aswArPots.sys (an Avast driver), which is used to terminate Endpoint Detection and Response (EDR) processes, and IObitUnlockers.sys (an IObit driver), which deletes the associated executables from disk.
GhostEngine can also disable Windows Defender, enable remote services, and clear different Windows event logs.
Once this is done and the coast is clear, GhostEngine deploys XMRig, a well-known cryptocurrency miner. Popular among cybercriminals, the tool covertly mines Monero (XMR), a cryptocurrency known for its privacy and pseudonymity.
To protect endpoints, the researchers suggest IT teams watch for suspicious PowerShell executions, unusual process activity, and any network traffic to cryptocurrency mining pools. Loads of the two drivers named above are also worth alerting on: both are legitimately signed products, so their appearance on a host that does not run Avast or IObit software is a strong indicator on its own.
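As an added illustration of those hunting suggestions (this is example code written for this page, not code from the article, Elastic Security Labs, Antiy or the campaign itself), the script below runs simple rules over Sysmon-style events: loads of the two vulnerable drivers named above, PowerShell launched with hidden or encoded-command flags, a Tiworker.exe running from outside C:\Windows, outbound connections to common mining-pool (stratum) ports, and a cleared Security log. The `Key=Value|Key=Value` event format, the sample event lines, the port list and the PowerShell flag heuristics are all assumptions constructed for the example.

```python
"""
Toy hunt over constructed Sysmon-style events for the GhostEngine tradecraft
described above: vulnerable-driver loads (BYOVD), suspicious PowerShell
launches, a masquerading Tiworker.exe, connections to mining-pool ports and
cleared event logs. The 'Key=Value|Key=Value' event shape, the sample lines,
the port list and the PowerShell heuristics are all constructed for this
example (assumptions), not telemetry from the campaign.
"""
import re
from dataclasses import dataclass

# Driver file names named in the article. Both are legitimate signed products,
# so a name match is a triage signal: confirm hash/version before acting.
VULNERABLE_DRIVERS = {"aswarpots.sys", "iobitunlockers.sys"}

# Stratum ports commonly used by Monero pools (assumption; tune per environment).
MINING_POOL_PORTS = {3333, 4444, 5555, 7777, 14444}

# Flags and cmdlets typical of hidden or encoded PowerShell loaders (assumption).
SUSPICIOUS_PS = re.compile(
    r"-enc(odedcommand)?\s|-w(indowstyle)?\s+hidden|-nop(rofile)?\b|\biex\b|downloadstring",
    re.I,
)


@dataclass(frozen=True)
class Alert:
    rule: str
    evidence: str


def parse_event(line: str) -> dict:
    """Parse 'Key=Value|Key=Value' into a dict; only the first '=' splits."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (forward or back slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list:
    """Apply every rule to one parsed event and return the alerts it raises."""
    alerts = []
    eid = int(ev.get("EventID", 0))
    if eid == 6:  # Sysmon: driver loaded
        drv = basename(ev.get("ImageLoaded", ""))
        if drv in VULNERABLE_DRIVERS:
            alerts.append(Alert("byovd_driver_load", ev["ImageLoaded"]))
    elif eid == 1:  # Sysmon: process created
        image = ev.get("Image", "")
        cmd = ev.get("CommandLine", "")
        name = basename(image)
        if name in ("powershell.exe", "pwsh.exe") and SUSPICIOUS_PS.search(cmd):
            alerts.append(Alert("suspicious_powershell", cmd))
        # The real TiWorker.exe lives under C:\Windows (WinSxS); anywhere else is suspect.
        if name == "tiworker.exe" and not image.lower().startswith("c:\\windows\\"):
            alerts.append(Alert("masquerading_tiworker", image))
    elif eid == 3:  # Sysmon: network connection
        port = int(ev.get("DestinationPort", 0))
        if port in MINING_POOL_PORTS and ev.get("Initiated", "true").lower() == "true":
            target = f"{basename(ev.get('Image', ''))} -> {ev.get('DestinationIp')}:{port}"
            alerts.append(Alert("mining_pool_port", target))
    elif eid == 1102:  # Windows Security log: audit log cleared
        alerts.append(Alert("event_log_cleared", ev.get("Channel", "Security")))
    return alerts


def hunt(lines) -> list:
    """Run every rule over an iterable of event lines and return all alerts."""
    alerts = []
    for line in lines:
        if line.strip():
            alerts.extend(check_event(parse_event(line)))
    return alerts


# Constructed sample events: one benign and one suspicious instance per rule.
SAMPLE_EVENTS = [
    r"EventID=1|Image=C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack\TiWorker.exe|CommandLine=TiWorker.exe -Embedding",
    r"EventID=1|Image=C:\Users\Public\Tiworker.exe|CommandLine=Tiworker.exe",
    r"EventID=1|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    r"EventID=1|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -File C:\scripts\backup.ps1",
    r"EventID=6|ImageLoaded=C:\Windows\Temp\aswArPots.sys|Signature=Avast Software s.r.o.",
    r"EventID=6|ImageLoaded=C:\Windows\Temp\IObitUnlockers.sys|Signature=IObit",
    r"EventID=6|ImageLoaded=C:\Windows\System32\drivers\tcpip.sys|Signature=Microsoft Windows",
    r"EventID=3|Image=C:\ProgramData\Microsoft\svchost.exe|DestinationIp=203.0.113.10|DestinationPort=14444|Initiated=true",
    r"EventID=3|Image=C:\Program Files\Mozilla Firefox\firefox.exe|DestinationIp=203.0.113.20|DestinationPort=443|Initiated=true",
    r"EventID=1102|Channel=Security|SubjectUserName=SYSTEM",
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.evidence}")
```

Run against the embedded sample, the script raises six alerts (the benign TiWorker, PowerShell, tcpip.sys and port-443 events stay silent). The port-based rule will miss pools that listen on 443 or use a proxy, so in practice it is a complement to, not a replacement for, threat-intelligence lists of pool domains and wallet-bearing command lines; likewise the driver rule should be backed by hashes of the known-vulnerable driver versions, since the file names belong to legitimate products.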
Via BleepingComputer