GhostEngine mining attacks kill EDR security using vulnerable drivers (Security News, May 2024)
A malicious crypto-mining campaign codenamed 'REF4578' has been discovered deploying a payload named GhostEngine that uses vulnerable drivers to turn off security products and then deploys an XMRig miner.
Researchers at Elastic Security Labs and Antiy have underlined the unusual sophistication of these crypto-mining attacks in separate reports and shared detection rules to help defenders identify and stop them.
Exe, which acts as GhostEngine's primary payload. This malware is responsible for terminating and deleting EDR software and downloading and launching the XMRig to mine for cryptocurrency.
To terminate EDR software, GhostEngine loads two vulnerable kernel drivers: aswArPots.
Deploying vulnerable drivers and creating associated kernel mode services should be treated as red flags in any environment.
Elastic Security has also provided YARA rules in the report to help defenders identify GhostEngine infections.
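The article's point that a new kernel-mode driver service is itself a red flag translates directly into detection logic. The following is an added example, not code from the article or from Elastic or Antiy: it runs over constructed, flattened Windows System-log lines (Event ID 7045, "a service was installed in the system") and flags kernel-mode driver services, raising severity when the driver file name is on a known-vulnerable list or is loaded from a user-writable directory. The log line format, the service names and paths, and the `.sys` extension on the driver the article names are all assumptions for the example; a real deployment would feed it real 7045 events and a maintained vulnerable-driver catalogue such as LOLDrivers.

```python
"""Flag kernel-mode driver service installs that match BYOVD tradecraft.

Added example: the log lines below are constructed for the demo and are not
real telemetry; the field names mirror Event ID 7045 but the one-line layout
is an assumption made for this script.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample events, one per line (assumed flattening of 7045 fields).
SAMPLE_EVENTS = [
    "EventID=7045 ServiceName=aswArPots ImagePath=C:\\Windows\\Temp\\aswArPots.sys "
    "ServiceType=kernel mode driver StartType=demand start",
    "EventID=7045 ServiceName=MyApp ImagePath=C:\\Program Files\\MyApp\\svc.exe "
    "ServiceType=user mode service StartType=auto start",
    "EventID=7045 ServiceName=UpdateDrv ImagePath=\\??\\C:\\Users\\Public\\drv.sys "
    "ServiceType=kernel mode driver StartType=demand start",
    "EventID=4688 NewProcessName=C:\\Windows\\System32\\cmd.exe",
]

# Lower-cased file names of drivers known to be abusable. aswArPots is the
# driver the article names (the .sys extension is assumed here); populate this
# set from a maintained catalogue such as LOLDrivers in practice.
VULNERABLE_DRIVERS = {"aswarpots.sys"}

# Directory fragments from which a legitimate driver load is unlikely.
SUSPICIOUS_DIRS = ("\\temp\\", "\\users\\public\\", "\\appdata\\")

# key=value pairs where values may contain spaces but keys are single words.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


@dataclass
class Finding:
    service: str
    image_path: str
    reasons: list[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Any kernel driver install is reviewable; a known-bad name or a
        # user-writable source directory makes it high priority.
        return "high" if len(self.reasons) > 1 else "low"


def parse_event(line: str) -> dict[str, str]:
    """Split a flattened event line into a field dictionary."""
    return {k: v for k, v in KV_RE.findall(line)}


def assess(line: str) -> Finding | None:
    """Return a Finding for kernel-mode driver service installs, else None."""
    ev = parse_event(line)
    if ev.get("EventID") != "7045":
        return None
    if "kernel" not in ev.get("ServiceType", "").lower():
        return None

    path = ev.get("ImagePath", "")
    low = path.lower().replace("/", "\\")
    driver_name = low.rsplit("\\", 1)[-1]

    reasons = ["new kernel-mode driver service created"]
    if driver_name in VULNERABLE_DRIVERS:
        reasons.append(f"known vulnerable driver: {driver_name}")
    if any(d in low for d in SUSPICIOUS_DIRS):
        reasons.append("driver image resides in a user-writable directory")
    return Finding(ev.get("ServiceName", "?"), path, reasons)


def scan(lines: list[str]) -> list[Finding]:
    """Assess every line and keep only the findings."""
    return [f for f in map(assess, lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.service}: {finding.image_path}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

The match on the driver's file name is deliberately separate from the directory check: an attacker can rename a vulnerable driver, so the directory and "any new kernel service" signals still fire when the name does not, and the name list alone would miss renamed copies.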