Unveiling a Crypto Mining Operation

May 22, 2024, 7:53 a.m.

Description

This report uncovers a sophisticated intrusion campaign involving several malicious modules designed to disable security solutions and execute a persistent crypto-miner. The primary payload, dubbed GHOSTENGINE, leverages vulnerable drivers to terminate and delete known endpoint detection and response (EDR) agents, enabling the successful deployment of the well-known XMRig miner. The operation incorporates numerous contingency mechanisms and redundancies to ensure the installation and persistence of the mining activity.

External References

https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine
https://otx.alienvault.com/pulse/664da1082276eb73877c725b
Tags
xmrig
2024-05-22
cryptomining
ghostengine

Date

  • Created: May 22, 2024, 7:38 a.m.
  • Published: May 22, 2024, 7:38 a.m.
  • Modified: May 22, 2024, 7:53 a.m.

Indicators

  • cc4384510576131c126db3caca027c5d159d032d33ef90ef30db0daa2a0c4104
  • aac7f8e174ba66d62620bd07613bac1947f996bb96b9627b42910a1db3d3e22b
  • 7c242a08ee2dfd5da8a4c6bc86231985e2c26c7b9931ad0b3ea4723e49ceb1c1
  • 786591953336594473d171e269c3617d7449876993b508daa9b96eedc12ea1ca
  • 6f3e913c93887a58e64da5070d96dc34d3265f456034446be89167584a0b347e
  • 3ced0552b9ecf3dfecd14cbcc3a0d246b10595d5048d7f0d4690e26ecccc1150
  • 3b2724f3350cb5f017db361bd7aae49a8dbc6faa7506de6a4b8992ef3fd9d7ab
  • 35eb368c14ad25e3b1c58579ebaeae71bdd8ef7f9ccecfc00474aa066b32a03f
  • 2b33df9aff7cb99a782b252e8eb65ca49874a112986a1c49cd9971210597a8ae
  • 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
  • 2fe78941d74d35f721556697491a438bf3573094d7ac091b42e4f59ecbd25753
  • 4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1
  • 93.95.225.137
  • 111.90.158.40
  • ftp.yrnvtklot.com
  • online.yrnvtklot.com
  • download.yrnvtklot.com
Download all indicators here!

Attack Patterns

  • Ghostengine
  • ALF:HeraklezEval:Trojan:Win64/XMRigMiner