Security News > 2024 > May > GhostEngine mining attacks kill EDR security using vulnerable drivers
A malicious crypto mining campaign codenamed 'REF4578,' has been discovered deploying a malicious payload named GhostEngine that uses vulnerable drivers to turn off security products and deploy an XMRig miner.
Researchers at Elastic Security Labs and Antiy have underlined the unusual sophistication of these crypto-mining attacks in separate reports and shared detection rules to help defenders identify and stop them.
Exe, which acts as GhostEngine's primary payload. This malware is responsible for terminating and deleting EDR software and downloading and launching the XMRig to mine for cryptocurrency.
To terminate EDR software, GhostEngine loads two vulnerable kernel drivers: aswArPots.
Deploying vulnerable drivers and creating associated kernel mode services should be treated as red flags in any environment.
Elastic Security has also provided YARA rules in the report to help defenders identify GhostEngine infections.
News URL
Related news
- Update your OpenWrt router! Security issue made supply chain attack possible (source)
- CERT-UA Warns of Phishing Attacks Targeting Ukraine’s Defense and Security Force (source)
- Rspack npm Packages Compromised with Crypto Mining Malware in Supply Chain Attack (source)
- Cross-Domain Attacks: A Growing Threat to Modern Security and How to Combat Them (source)
- Patch Tuesday: January 2025 Security Update Patches Exploited Elevation of Privilege Attacks (source)
- Balancing usability and security in the fight against identity-based attacks (source)
- Security pros more confident about fending off ransomware, despite being battered by attacks (source)