GHOSTENGINE Exploits Vulnerable Drivers to Disable EDRs in Cryptojacking Attack

22-May-24

Researchers at Elastic Security Labs have discovered a cryptojacking campaign they call GHOSTENGINE (tracked as HIDDEN SHOVEL by Antiy Labs). The campaign uses a BYOVD (Bring Your Own Vulnerable Driver) attack to bypass security solutions and install the XMRig miner. The attack begins with “Tiworker.exe,” which runs a PowerShell script that fetches obfuscated payloads, disguised as a PNG image, from a C2 server. These payloads include vulnerable drivers and tools that disable Microsoft Defender, clear event logs, and create sufficient disk space for malware deployment, with files hidden in the C:\Windows\Fonts folder. The campaign’s complexity ensures the successful installation and persistence of the miner.
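One defender-side check this summary suggests is hunting for executables dropped into a directory that should only hold fonts. The script below is an added example, not code from Elastic, Antiy or the campaign itself: it walks a directory and flags any file carrying a PE32/PE32+ header regardless of its extension (so a driver or loader renamed to .png is still caught), while leaving legitimate .fon files alone, which are 16-bit NE images that also begin with "MZ". The sample directory, file names and contents are constructed for the demonstration; on a real host you would point `find_hidden_executables` at C:\Windows\Fonts.

```python
"""Hunt for PE executables hidden among font files (added example, not from the page).

Legitimate .fon files are NE executables that also start with 'MZ', so the check
distinguishes PE32/PE32+ ('PE\0\0') from NE ('NE') at the e_lfanew offset.
"""
import os
import struct
import tempfile
from pathlib import Path


def pe_kind(path):
    """Return 'PE', 'NE', or None depending on the executable header found."""
    try:
        with open(path, "rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return None
            e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]  # offset of the next header
            f.seek(e_lfanew)
            sig = f.read(4)
    except OSError:
        return None
    if sig == b"PE\0\0":
        return "PE"
    if sig[:2] == b"NE":
        return "NE"
    return None


def find_hidden_executables(directory):
    """Return sorted relative paths of PE32/PE32+ images under directory, whatever
    their extension. NE images (legitimate .fon bitmap fonts) are not flagged."""
    directory = Path(directory)
    hits = []
    for root, _, files in os.walk(directory):
        for name in files:
            p = Path(root) / name
            if pe_kind(p) == "PE":
                hits.append(p.relative_to(directory).as_posix())
    return sorted(hits)


def _mz_image(sig):
    """Build a minimal DOS-stub-plus-signature blob for the constructed sample."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew points just past the DOS header
    return bytes(hdr) + sig + b"\0" * 16


def build_sample_dir():
    """Constructed stand-in for a fonts directory: two real font kinds, two dropped PEs."""
    d = Path(tempfile.mkdtemp(prefix="fonts_sample_"))
    (d / "arial.ttf").write_bytes(b"\x00\x01\x00\x00" + b"\0" * 60)  # TrueType magic
    (d / "vgasys.fon").write_bytes(_mz_image(b"NE\0\0"))            # legitimate NE font
    (d / "config.png").write_bytes(_mz_image(b"PE\0\0"))            # PE disguised as image
    (d / "kernel.sys").write_bytes(_mz_image(b"PE\0\0"))            # driver dropped in fonts dir
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for hit in find_hidden_executables(sample):
        print("executable hidden among fonts:", hit)
```

Checking the header rather than the extension is the point: a renamed payload and a driver in the wrong place look identical to a font by name, but not by their first bytes.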
