Researchers from Kaspersky Lab have discovered a new fileless crypto-miner, called PowerGhost, that is able to stealthily establish itself in a system, and spread across corporate networks infecting both workstations and servers.
According to the company, this type of activity is typical of miners, as their profits grow the longer they spend on the network, and with each machine they infect. "It's not uncommon to see clean software being infected with a miner. The popularity of the legitimate software serves to promote the malware's proliferation."
PowerGhost uses multiple fileless techniques to discreetly gain a foothold in corporate networks, meaning that the miner does not store its body directly onto a disk, increasing the complexity of its detection and remediation.
"This is the latest in a worrying trend of cybercriminals increasingly using miners in targeted attacks, in their pursuit of money. As this trend grows, enterprises will be put at risk, as miners sabotage and slow down their computer networks, damaging overall business processes and lining their own pockets in the process," Kaspersky says.
How it works
PowerGhost is an obfuscated PowerShell script that contains the core code, as well as several add-on modules.
The malware employs a variety of fileless techniques to remain out of sight of the user and undetected by antivirus solutions. The target machine is infected remotely using exploits or remote administration tools. During infection, a one-line PowerShell script is run that downloads the miner's body and immediately launches it without writing it to the hard drive.
Following this, the PowerGhost does various things. It automatically self-updates, checking if a new version is available on the command & control server. If there is, it downloads the new version and launches it instead of itself.
The miner then obtains the user account credentials from the current machine, uses them to log on and attempts to propagate across the local network by launching a copy of itself. It also tries to spread across the local network using the EternalBlue exploit, which was used during the notorious WannaCry attacks.
Vladas Bulavas, malware analyst at Kaspersky Lab, says: "PowerGhost attacks on businesses for the purpose of installing miners raise new concerns about crypto-mining software. The miner we examined indicates that targeting users is not enough; cybercriminals are now turning their attention to enterprises too."
The main victims of this attack so far have been corporate users in Brazil, Colombia, India, and Turkey.
To reduce the risk of infection with miners, Kaspersky Lab advises users to keep all software on all devices updated. Next, it says to not overlook less obvious targets, such as queue management systems, POS terminals, and even vending machines. "Such equipment can also be hijacked to mine crypto-currency."
In addition, it advises to use a dedicated security solution that is empowered with application control, behaviour detection, and exploit prevention components that monitor the suspicious actions of applications and block malicious file executions, and to protect the corporate environment by educating employees and IT teams.
Finally, Kaspersky says to keep sensitive data separate, and enforce the principle of least privilege.
Share