Security News > 2024 > May > GhostEngine mining attacks kill EDR security using vulnerable drivers
A malicious crypto mining campaign codenamed 'REF4578,' has been discovered deploying a malicious payload named GhostEngine that uses vulnerable drivers to turn off security products and deploy an XMRig miner.
Researchers at Elastic Security Labs and Antiy have underlined the unusual sophistication of these crypto-mining attacks in separate reports and shared detection rules to help defenders identify and stop them.
Exe, which acts as GhostEngine's primary payload. This malware is responsible for terminating and deleting EDR software and downloading and launching the XMRig to mine for cryptocurrency.
To terminate EDR software, GhostEngine loads two vulnerable kernel drivers: aswArPots.
Deploying vulnerable drivers and creating associated kernel mode services should be treated as red flags in any environment.
Elastic Security has also provided YARA rules in the report to help defenders identify GhostEngine infections.
News URL
Related news
- Stop LUCR-3 Attacks: Learn Key Identity Security Tactics in This Expert Webinar (source)
- T-Mobile US 'monitoring' China's 'industry-wide attack' amid fresh security breach fears (source)
- Microsoft Fixes AI, Cloud, and ERP Security Flaws; One Exploited in Active Attacks (source)
- Update your OpenWrt router! Security issue made supply chain attack possible (source)
- CERT-UA Warns of Phishing Attacks Targeting Ukraine’s Defense and Security Force (source)
- Rspack npm Packages Compromised with Crypto Mining Malware in Supply Chain Attack (source)