Unveiling a Crypto Mining Operation

May 22, 2024, 7:53 a.m.

Description

This report uncovers a sophisticated intrusion campaign involving several malicious modules designed to disable security solutions and execute a persistent crypto-miner. The primary payload, dubbed GHOSTENGINE, leverages vulnerable drivers to terminate and delete known endpoint detection and response (EDR) agents, enabling the successful deployment of the well-known XMRig miner. The operation incorporates numerous contingency mechanisms and redundancies to ensure the installation and persistence of the mining activity.

Date

Published: May 22, 2024, 7:38 a.m.
Created: May 22, 2024, 7:38 a.m.
Modified: May 22, 2024, 7:53 a.m.

Indicators


Attack Patterns

Ghostengine

ALF:HeraklezEval:Trojan:Win64/XMRigMiner

T1070.001

T1132.001

T1053.005

T1197

T1055.002

T1059.003

T1059.001

T1036.005

T1489

T1016

T1105