Invisible miners: unveiling GHOSTENGINE’s crypto mining operations

Preamble

Elastic Security Labs has identified an intrusion set incorporating several malicious modules and leveraging vulnerable drivers to disable known security solutions (EDRs) for crypto mining. Additionally, the team discovered capabilities to establish persistence, install a previously undocumented backdoor, and execute a crypto-miner. We refer to this intrusion set as REF4578 and the primary payload as GHOSTENGINE (tangental research by the team at Antiy has named parts of this intrusion set HIDDENSHOVEL).

Key takeaways

• Malware authors incorporated many contingency and duplication mechanisms
• GHOSTENGINE leverages vulnerable drivers to terminate and delete known EDR agents that would likely interfere with the deployed and well-known coin miner
• This campaign involved an uncommon amount of complexity to ensure both the installation and persistence of the XMRIG miner

Code analysis

On May 6, 2024, at 14:08:33 UTC, the execution of a PE file named Tiworker.exe (masquerading as the legitimate Windows TiWorker.exe file) signified the beginning of the REF4578 intrusion. The following alerts were captured in telemetry, indicating a known vulnerable driver was deployed.

Upon execution, this file downloads and executes a PowerShell script that orchestrates the entire execution flow of the intrusion. Analysis revealed that this binary executes a hardcoded PowerShell command line to retrieve an obfuscated script, get.png, which is used to download further tools, modules, and configurations from the attacker C2– as depicted in the screenshot below.

GHOSTENGINE

GHOSTENGINE is responsible for retrieving and executing modules on the machine. It primarily uses HTTP to download files from a configured domain, with a backup IP in case domains are unavailable. Additionally, it employs FTP as a secondary protocol with embedded credentials. The following is a summary of the execution flow:

This script downloads and executes clearn.png, a component designed to purge the system of remnants from prior infections belonging to the same family but different campaign; it removes malicious files under C:\Program Files\Common Files\System\ado and C:\PROGRA~1\COMMON~1\System\ado\ and removes the following scheduled tasks by name:

• Microsoft Assist Job
• System Help Center Job
• SystemFlushDns
• SystemFlashDnsSrv

Evidence of those scheduled task artifacts may be indicators of a prior infection.

During execution, it attempts to disable Windows Defender and clean the following Windows event log channels:

• Application
• Security
• Setup
• System
• Forwarded Events
• Microsoft-Windows-Diagnostics-Performance
• Microsoft-Windows-AppModel-Runtime/Operational
• Microsoft-Windows-Winlogon/Operational

get.png disables Windows Defender, enables remote services, and clears the contents of:

• C:\Windows\Temp\
• C:\Windows\Logs\
• C:\$Recycle.Bin\
• C:\windows\ZAM.krnl.trace

get.png also verifies that the C:\ volume has at least 10 MB of free space to download files, storing them in C:\Windows\Fonts. If not, it will try to delete large files from the system before looking for another suitable volume with sufficient space and creating a folder under $RECYCLE.BIN\Fonts.

To get the current DNS resolution for the C2 domain names, GHOSTENGINE uses a hardcoded list of DNS servers, 1.1.1.1 and 8.8.8.8.

Next, to establish persistence, get.png creates the following scheduled tasks as SYSTEM:

• OneDriveCloudSync using msdtc to run the malicious service DLL C:\Windows\System32\oci.dll every 20 minutes (described later)
• DefaultBrowserUpdate to run C:\Users\Public\run.bat, which downloads the get.png script and executes it every 60 minutes
• OneDriveCloudBackup to execute C:\Windows\Fonts\smartsscreen.exe every 40 minutes

get.png terminates all curl.exe processes and any PowerShell process with *get.png* in its command line, excluding the current process. This is a way to terminate any concurrently running instance of the malware.

This script then downloads config.txt, a JSON file containing the hashes of the PE files it retrieved. This file verifies whether any updated binaries are to be downloaded by checking the hashes of the previously downloaded files from any past infections.

Finally, get.png downloads all of its modules and various PE files. Below is a table containing a description of each downloaded file:

GHOSTENGINE modules

GHOSTENGINE deploys several modules that can tamper with security tools, create a backdoor, and check for software updates.

EDR agent controller and miner module: smartsscreen.exe

This module primarily terminates any active EDR agent processes before downloading and installing a crypto-miner.

The malware scans and compares all the running processes with a hardcoded list of known EDR agents. If there are any matches, it first terminates the security agent by leveraging the Avast Anti-Rootkit Driver file aswArPots.sys with the IOCTL 0x7299C004 to terminate the process by PID.

smartscreen.exe is then used to delete the security agent binary with another vulnerable driver, iobitunlockers.sys from IObit, with the IOCTL 0x222124.

smartscreen.exe then downloads the XMRig client mining program (WinRing0x64.png) from the C2 server as taskhostw.png. Finally, it executes XMRig, its drivers, and the configuration file config.json, starting the mining process.

Update/Persistence module: oci.dll

The PowerShell script creates a service DLL (oci.dll), a phantom DLL loaded by msdtc. The DLL's architecture varies depending on the machine; it can be 32-bit or 64-bit. Its primary function is to create system persistence and download any updates from the C2 servers by downloading the get.png script from the C2 and executing it.

Every time the msdtc service starts, it will load oci.dll to spawn the PowerShell one-liner that executes get.png :

EDR agent termination module: kill.png

kill.png is a PowerShell script that injects shellcode into the current process, decrypting and loading a PE file into memory.

This module is written in C++, and the authors have integrated redundancy into its operation. This redundancy is evident in the replication of the technique used in smartsscreen.exe to terminate and delete EDR agent binaries; it continuously scans for any new processes.

Powershell backdoor module: backup.png

The PowerShell script functions like a backdoor, enabling remote command execution on the system. It continually sends a Base64-encoded JSON object containing a unique ID, derived from the current time and the computer name while awaiting base64-encoded commands. The results of those commands are then sent back.

In this example eyJpZCI6IjE3MTU2ODYyNDA3MjYyNiIsImhvc3QiOiJhbmFseXNpcyJ9 is the Base64-encoded JSON object:

$ echo "eyJpZCI6IjE3MTU2ODYyNDA3MjYyNiIsImhvc3QiOiJhbmFseXNpcyJ9" | base64 -D
{"id":"171568624072626","host":"analysis"}

Miner configuration

XMRig is a legitimate crypto miner, and they have documented the configuration file usage and elements here. As noted at the beginning of this publication, the ultimate goal of the REF4578 intrusion set was to gain access to an environment and deploy a persistent Monero crypto miner, XMRig.

We extracted the configuration file from the miner, which was tremendously valuable as it allowed us to report on the Monero Payment ID and track the worker and pool statistics, mined cryptocurrency, transaction IDs, and withdrawals.

Below is an excerpt from the REF4578 XMRig configuration file:

{
    "autosave": false,
    "background": true,
    "colors": true,

...truncated...

    "donate-level": 0,
    "donate-over-proxy": 0,
    "pools": [
        {
            "algo": "rx/0",
            "coin": "monero",
            "url": "pool.supportxmr[.]com:443",
            "user": "468ED2Qcchk4shLbD8bhbC3qz2GFXqjAUWPY3VGbmSM2jfJw8JpSDDXP5xpkMAHG98FHLmgvSM6ZfUqa9gvArUWP59tEd3f",
            "keepalive": true,
            "tls": true

...truncated...

    "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36",
    "verbose": 0,
    "watch": true,
    "pause-on-battery": false,
    "pause-on-active": false
}

Monero Payment ID

Monero is a blockchain cryptocurrency focusing on obfuscation and fungibility to ensure anonymity and privacy. The Payment ID is an arbitrary and optional transaction attachment that consists of 32 bytes (64 hexadecimal characters) or 8 bytes (in the case of integrated addresses).

Using the Payment ID from the above configuration excerpt (468ED2Qcchk4shLbD8bhbC3qz2GFXqjAUWPY3VGbmSM2jfJw8JpSDDXP5xpkMAHG98FHLmgvSM6ZfUqa9gvArUWP59tEd3f) we can view the worker and pool statistics on one of the Monero Mining Pool sites listed in the configuration.

Additionally, we can see the transaction hashes, which we can look up on the Monero blockchain explorer. Note that while transactions date back four months ago, this only indicates the potential monetary gain by this specific worker and account.

Using the Blockchain Explorer and one of the transaction hashes we got from the Payment ID, we can see the public key, the amount is withdrawn, and when. Note that these public keys are used with one-time addresses, or stealth addresses that the adversary would then use a private key with to unlock the funds.

In the above example for transaction 7c106041de7cc4c86cb9412a43cb7fc0a6ad2c76cfdb0e03a8ef98dd9e744442 we can see that there was a withdrawal of 0.109900000000 XMR (the abbreviation for Monero) totaling $14.86 USD. The Monerao Mining Pool site shows four transactions of approximately the same amount of XMR, totaling approximately $60.70 USD (January - March 2024).

As of the publication of this research, there are still active miners connected to the REF4578 Payment ID.

While this specific Payment ID does not appear to be a big earner, it is evident that REF4578 could operate this intrusion set successfully. Other victims of this campaign could have different Payment IDs used to track intrusions, which could be combined for a larger overall haul.

Malware and MITRE ATT&CK

Elastic uses the MITRE ATT&CK framework to document common tactics, techniques, and procedures that threats use against enterprise networks.

Tactics

Tactics represent the why of a technique or sub-technique. It is the adversary’s tactical goal: the reason for performing an action.

• Execution
• Persistence
• Defense Evasion
• Discovery
• Command and Control
• Exfiltration
• Impact

Techniques

Techniques represent how an adversary achieves a tactical goal by performing an action.

• Command and Scripting Interpreter: PowerShell
• Command and Scripting Interpreter: Windows Command Shell
• Scheduled Task/Job: Scheduled Task
• Indicator Removal: Clear Windows Event Logs
• Masquerading
• Process Injection
• Process Discovery
• Exfiltration Over C2 Channel
• Data Encoding
• Resource Hijacking
• Service Stop

Mitigating GHOSTENGINE

Detection

The first objective of the GHOSTENGINE malware is to incapacitate endpoint security solutions and disable specific Windows event logs, such as Security and System logs, which record process creation and service registration. Therefore, it is crucial to prioritize the detection and prevention of these initial actions:

• Suspicious PowerShell execution
• Execution from unusual directories
• Elevating privileges to system integrity
• Deploying vulnerable drivers and establishing associated kernel mode services.

Once the vulnerable drivers are loaded, detection opportunities decrease significantly, and organizations must find compromised endpoints that stop transmitting logs to their SIEM.

Network traffic may generate and be identifiable if DNS record lookups point to known mining pool domains over well-known ports such as HTTP (80) and HTTPS (443). Stratum is also another popular network protocol for miners, by default, over port 4444.

The analysis of this intrusion set revealed the following detection rules and behavior prevention events:

• Suspicious PowerShell Downloads
• Service Control Spawned via Script Interpreter
• Local Scheduled Task Creation
• Process Execution from an Unusual Directory
• Svchost spawning Cmd
• Unusual Parent-Child Relationship
• Clearing Windows Event Logs
• Microsoft Windows Defender Tampering
• Potential Privilege Escalation via Missing DLL
• Binary Masquerading via Untrusted Path

Prevention

Malicious Files Prevention :

Shellcode Injection Prevention:

Vulnerable Drivers file creation prevention (Windows.VulnDriver.ArPot and Windows.VulnDriver.IoBitUnlocker )

YARA

Elastic Security has created YARA rules to identify this activity.

• Windows Trojan GHOSTENGINE
• Windows.VulnDriver.ArPot
• Windows.VulnDriver.IoBitUnlocker

Observations

All observables are also available for download in both ECS and STIX format.

The following observables were discussed in this research.

References

The following were referenced throughout the above research:

• https://www.antiy.com/response/HideShoveling.html