
New REF4578 intrusion set exploits vulnerable drivers for crypto mining


A sophisticated intrusion set known as REF4578 has been discovered, which exploits vulnerable drivers to disable security solutions and deploy a primary payload named Ghostengine. The attack also includes several modules designed to establish persistence, execute a backdoor, and install the XMRIG crypto-miner, adding to its complexity and threat level.

The ultimate goal of REF4578 is to deploy a persistent Monero crypto miner. Cybersecurity experts’ analysis of the miner’s configuration revealed details about the Monero Payment ID, enabling mining activity tracking. While the specific Payment ID analysis showed modest earnings, it indicates the potential for significant monetary gains across multiple victims.

Cybersecurity researchers found that the malware authors have integrated multiple redundancy and contingency measures. The campaign showed a degree of sophistication to ensure both the installation and persistence of the XMRIG miner. Also, Ghostengine leverages vulnerable drivers to terminate and delete known Endpoint Detection and Response (EDR) agents.

Source: Elastic Security Labs

The intrusion began on May 6, 2024, with the execution of a PE file named Tiworker.exe, which masqueraded as the legitimate Windows TiWorker.exe file. This file initiated the infection chain by deploying a vulnerable driver, leading to further malicious activities.

Upon execution, Tiworker.exe downloads and executes a PowerShell script, which orchestrates the entire attack. This script retrieves an obfuscated script, ‘get.png’, from the attacker’s Command and Control (C2) server. ‘Get.png’ downloads additional tools, modules, and configuration necessary for the intrusion.

Researchers also found that Ghostengine is responsible for retrieving and executing various modules. It primarily uses HTTP for downloading files, with FTP as a secondary protocol.

“Ghostengine is responsible for retrieving and executing modules on the machine. It primarily uses HTTP to download files from a configured domain, with a backup IP in case domains are unavailable. Additionally, it employs FTP as a secondary protocol with embedded credentials,” said researchers.

Get.png disabling Windows Defender. | Source: Elastic Security Labs

Notable components of Ghostengine include:

  • clearn.png: Cleans the system of remnants from previous infections and disables Windows Defender.
  • smartscreen.exe: Terminates EDR agents and downloads the XMRIG mining client.
  • oci.dll: Ensures persistence by creating scheduled tasks.
  • kill.png: A PowerShell script that terminates security sensors.
  • backup.png: Functions as a backdoor for remote command execution.

To maintain persistence, ‘get.png’ creates several scheduled tasks, including:

  • OneDriveCloudSync: Runs a malicious service DLL every 20 minutes.
  • DefaultBrowserUpdate: Downloads and executes the ‘get.png’ script every 60 minutes.
  • OneDriveCloudBackup: Executes ‘smartscreen.exe’ every 40 minutes.

Worker and pool statistics of the REF4578 Payment ID | Source: Elastic Security Labs

The authors designed the smartscreen.exe module to terminate any active EDR agent process using the Avast Anti-Rootkit driver and the IObit Unlocker driver. It then downloads and executes the XMRIG mining client, initiating the mining process.

The oci.dll service DLL, loaded by MSDTC, downloads updates from the C2 servers. It ensures continuous execution of the ‘get.png’ script, maintaining the malware’s presence and functionality.

Researchers have urged organisations to deploy upgraded security measures, as Ghostengine disables Windows event logs, including the Security and System logs. Organisations should therefore detect and report any suspicious PowerShell execution, execution from unusual directories, privilege elevation, or deployment of vulnerable drivers.

“Once the vulnerable drivers are loaded, detection opportunities decrease significantly, and organisations must find compromised endpoints that stop transmitting logs to their SIEM,” warned researchers.
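As an added illustration (not code from the article or from Elastic Security Labs), the following Python flags scheduled-task records that match the persistence pattern described above and lists hosts whose log feed has gone quiet, which is the hunt the researchers recommend. All task records, command lines, paths, hostnames and timestamps are constructed, and the "hidden PowerShell repeating at a reported interval" heuristic is my own generalisation rather than something the report states.

```python
import re
from datetime import datetime, timedelta

# Indicators taken from the article: task names, module names and repeat intervals.
SUSPECT_TASK_NAMES = {"OneDriveCloudSync", "DefaultBrowserUpdate", "OneDriveCloudBackup"}
SUSPECT_MODULES = re.compile(r"get\.png|smartscreen\.exe|oci\.dll", re.IGNORECASE)
SUSPECT_INTERVALS_MIN = {20, 40, 60}


def flag_task(task: dict) -> list[str]:
    """Return the reasons a scheduled-task record resembles REF4578 persistence."""
    reasons = []
    if task["name"] in SUSPECT_TASK_NAMES:
        reasons.append("known task name")
    if SUSPECT_MODULES.search(task["action"]):
        reasons.append("action references a known module")
    # Assumption (generalisation): a hidden PowerShell action that repeats at one of
    # the reported intervals deserves a look even if the attacker renamed the task.
    action = task["action"].lower()
    if task["repeat_min"] in SUSPECT_INTERVALS_MIN and "powershell" in action and "hidden" in action:
        reasons.append("recurring hidden PowerShell")
    return reasons


def silent_hosts(events, now, max_gap=timedelta(minutes=30)):
    """Hosts whose newest log event is older than max_gap: candidates for disabled logging."""
    last_seen = {}
    for host, ts in events:
        last_seen[host] = max(last_seen.get(host, ts), ts)
    return sorted(host for host, ts in last_seen.items() if now - ts > max_gap)


# Constructed sample data (not real telemetry); paths and hostnames are placeholders.
SAMPLE_TASKS = [
    {"name": "DefaultBrowserUpdate", "repeat_min": 60,
     "action": "powershell.exe -w hidden -f C:\\ProgramData\\get.png"},
    {"name": "Nightly Backup", "repeat_min": 1440, "action": "C:\\Tools\\backup.bat"},
    {"name": "SyncHelper", "repeat_min": 40,
     "action": "powershell.exe -nop -w hidden -f C:\\Users\\Public\\s.ps1"},
]
NOW = datetime(2024, 5, 6, 12, 0)
SAMPLE_EVENTS = [("ws-01", NOW - timedelta(minutes=5)), ("ws-02", NOW - timedelta(hours=2)),
                 ("ws-02", NOW - timedelta(hours=3)), ("srv-01", NOW - timedelta(minutes=1))]

if __name__ == "__main__":
    for task in SAMPLE_TASKS:
        print(task["name"], "->", flag_task(task) or "clean")
    print("silent hosts:", silent_hosts(SAMPLE_EVENTS, NOW))
```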


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me