This devious malware can turn off your security protection without you even realizing — and then download a load of cryptominers
After terminating the AVs, REF4578 downloads cryptominers
Hackers have found a way to install cryptominers on your devices, even if you have an antivirus program installed.
The campaign was recently discovered by cybersecurity researchers from Elastic Security Labs and Antiy, who named it REF4578, but weren’t able to attribute it to any specific, or known, threat actor.
The campaign works by dropping a vulnerable driver onto the endpoint; through that driver, the attackers are able to disable, and ultimately uninstall, any antivirus programs you might have installed on your device. Once that's done, the malware drops XMRig, one of the most popular cryptocurrency miners out there. The victims don’t seem to be targeted specifically, and it’s difficult to determine exactly how many computers were infected.
Mining cryptos
The researchers aren't sure exactly how the attackers are distributing the malware, but an educated guess would be either via phishing, social media and instant messaging, or through ad poisoning and impersonation.
Whatever the method, the victims are first served an executable named Tiworker, which masquerades as a legitimate Windows file. This file drops a PowerShell script called GhostEngine which, in turn, carries out a number of different activities.
Among them is loading two vulnerable kernel drivers: aswArPots.sys (an Avast driver), used to terminate Endpoint Detection and Response (EDR) processes, and IObitUnlockers.sys (an IObit driver), which deletes the associated executable.
GhostEngine can also disable Windows Defender, enable remote services, and clear different Windows event logs.
When the process is done, and the coast is clear, GhostEngine will end up deploying XMRig, a known cryptocurrency miner. This tool, popular among cybercriminals, secretly mines the Monero (XMR) cryptocurrency, famous for its privacy and pseudonymity.
To protect the endpoints, the researchers suggest IT teams look out for suspicious PowerShell executions, unusual process activity, and any network traffic pointing to cryptocurrency mining pools.
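The three detection angles the researchers recommend (PowerShell launches, unusual process and driver activity, and connections to mining pools) can be expressed as simple rules over endpoint telemetry. The following is an added example written for this article, not code from Elastic Security Labs, Antiy or the campaign itself. It runs hand-written rules over a constructed batch of sample events; the only values taken from the article are the two driver names, while the PowerShell switch list, the Stratum port list, the hostname hints and every sample event (using the reserved `.invalid` domain) are assumptions to be tuned to your own environment.

```python
"""Toy detection rules for the behaviours described above, run over constructed sample events."""
import re
from dataclasses import dataclass
from typing import Iterable

# Drivers the report names as abused to terminate EDR processes and delete their binaries.
KNOWN_ABUSED_DRIVERS = {"aswarpots.sys", "iobitunlockers.sys"}
# Assumption: ports commonly used by Stratum mining pools; adjust for your network.
MINING_POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
# Assumption: substrings that often appear in mining-pool hostnames.
MINING_HOST_HINTS = ("xmr", "monero", "stratum", "pool")
# Assumption: PowerShell switches that frequently accompany malicious launches.
PS_FLAGS = re.compile(
    r"-(?:nop|noprofile|w(?:indowstyle)?\s+hidden|e(?:nc|ncodedcommand)?|ep\s+bypass)\b", re.I
)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[Finding]:
    """Apply every rule to one telemetry event and return the findings it produces."""
    out: list[Finding] = []
    kind = ev.get("type")
    if kind == "driver_load":
        name = _basename(ev["image"])
        if name in KNOWN_ABUSED_DRIVERS:
            out.append(Finding("byovd_driver_load", f"{name} loaded from {ev['image']}"))
    elif kind == "process":
        image = _basename(ev["image"])
        cmd = ev.get("cmdline", "")
        if image in ("powershell.exe", "pwsh.exe") and PS_FLAGS.search(cmd):
            out.append(Finding("suspicious_powershell", cmd))
        if re.search(r"wevtutil(?:\.exe)?\s+cl\b", cmd, re.I):
            out.append(Finding("event_log_cleared", cmd))
        if image == "xmrig.exe" or "stratum+tcp://" in cmd.lower():
            out.append(Finding("miner_process", cmd))
    elif kind == "network":
        host = ev.get("dest_host", "").lower()
        if ev.get("dest_port") in MINING_POOL_PORTS or any(h in host for h in MINING_HOST_HINTS):
            out.append(Finding("mining_pool_traffic", f"{ev['image']} -> {host}:{ev.get('dest_port')}"))
    return out


def evaluate(events: Iterable[dict]) -> list[Finding]:
    """Run the rules over a stream of events and collect all findings."""
    findings: list[Finding] = []
    for ev in events:
        findings.extend(check_event(ev))
    return findings


# Constructed sample telemetry (not real indicators); hostnames use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"type": "driver_load", "image": r"C:\Windows\Temp\aswArPots.sys"},
    {"type": "driver_load", "image": r"C:\Windows\Temp\IObitUnlockers.sys"},
    {"type": "process", "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil cl Security"},
    {"type": "driver_load", "image": r"C:\Windows\System32\drivers\ndis.sys"},
    {"type": "network", "image": r"C:\Users\Public\kernel.exe",
     "dest_host": "pool.xmr-example.invalid", "dest_port": 3333},
    {"type": "network", "image": r"C:\Program Files\Browser\browser.exe",
     "dest_host": "www.example.invalid", "dest_port": 443},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

The driver rule fires on the file name alone, so on hosts where Avast is legitimately installed it will need an exception keyed on the driver's expected path and signer; the point of the rule is that these drivers are legitimate, signed and therefore loadable by design, which is why a name-and-location check rather than a signature check is what catches their abuse. The mining-pool rule is deliberately coarse (port or hostname hint) and is best used to raise a lead for a human, not to block traffic outright.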
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.