Unveiling a Crypto Mining Operation
May 22, 2024, 7:53 a.m.
Description
This report uncovers a sophisticated intrusion campaign involving several malicious modules designed to disable security solutions and execute a persistent crypto-miner. The primary payload, dubbed GHOSTENGINE, leverages vulnerable drivers to terminate and delete known endpoint detection and response (EDR) agents, enabling the successful deployment of the well-known XMRig miner. The operation incorporates numerous contingency mechanisms and redundancies to ensure the installation and persistence of the mining activity.
Date
Published: May 22, 2024, 7:38 a.m.
Created: May 22, 2024, 7:38 a.m.
Modified: May 22, 2024, 7:53 a.m.
Indicators
.95.225.137
111.90.158.40
ftp.yrnvtklot.com
online.yrnvtklot.com
download.yrnvtklot.com
Attack Patterns
Ghostengine
ALF:HeraklezEval:Trojan:Win64/XMRigMiner
T1070.001
T1132.001
T1053.005
T1197
T1055.002
T1059.003
T1059.001
T1036.005
T1489
T1016
T1105