This devious malware can turn off your security protection without you even realizing — and then download a load of cryptominers

Antivirus software
(Image credit: Shutterstock)

Hackers have found a way to install cryptominers on your devices, even if you have an antivirus program installed. 

The campaign was recently discovered by cybersecurity researchers from Elastic Security Labs and Antiy, who named it REF4578, but weren’t able to attribute it to any specific, or known, threat actor. 

The campaign is carried out by dropping a vulnerable driver onto the endpoint, through which they are able to disable, and ultimately uninstall, any antivirus programs you might have installed on your device. Once that's done, the malware drops XMRig, one of the most popular cryptocurrency miners out there. Furthermore, the victims don’t seem to be targeted specifically, and it’s difficult to determine exactly how many computers were infected.

Mining cryptos

The researchers aren't sure exactly how the attackers are distributing the malware, but an educated guess would be either via phishing, social media and instant messaging, or through ad poisoning and impersonation.

Whatever the method, the victims will first get dropped an exe file named Tiworker, which masquerades as a legitimate Windows file. This file drops a powerShell script called GhostEngine which, in turn, runs a number of different activities. 

Among them is to load two vulnerable kernel drivers: aswArPots.sys (Avast driver), used to terminate Endpoint Detection and Response (EDR) processes, and IObitUnlockers.sys (Iobit driver) which deletes the associated executable.

GhostEngine can also disable Windows Defender, enable remote services, and clear different Windows event logs. 

When the process is done, and the coast is clear, GhostEngine will end up deploying XMRig, a known cryptocurrency miner. This tool, popular among cybercriminals, secretly mines the Monero (XMR) cryptocurrency, famous for its privacy and pseudonymity. 

To protect the endpoints, the researchers suggest IT teams look out for suspicious PowerShell executions, unusual process activity, and any network traffic pointing to cryptocurrency mining pools.

Via BleepingComputer

More from TechRadar Pro

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.