Cybersecurity researchers have discovered a new cryptojacking campaign that employs vulnerable drivers to disable known security solutions (EDRs) and thwart detection in what's called a Bring Your Own Vulnerable Driver (BYOVD) attack.
Elastic Security Labs is tracking the campaign under the name REF4578 and the primary payload as GHOSTENGINE. Previous research from Chinese cybersecurity firm Antiy Labs has codenamed the activity as HIDDEN SHOVEL.
"GHOSTENGINE leverages vulnerable drivers to terminate and delete known EDR agents that would likely interfere with the deployed and well-known coin miner," Elastic researchers Salim Bitam, Samir Bousseaden, Terrance DeJesus, and Andrew Pease said.
"This campaign involved an uncommon amount of complexity to ensure both the installation and persistence of the XMRig miner."
It all starts with an executable file ("Tiworker.exe"), which is used to run a PowerShell script that retrieves an obfuscated PowerShell script that masquerades as a PNG image ("get.png") to fetch additional payloads from a command-and-control (C2) server.
These modules – aswArPot.sys, IObitUnlockers.sys, curl.exe, smartsscreen.exe, oci.dll, backup.png, and kill.png – are launched on the infected host after downloading them over HTTP from either the configured C2 server or a backup server in case the domains are unavailable. It also incorporates an FTP-based fallback mechanism.
Furthermore, the malware attempts to disable Microsoft Defender Antivirus, clear several Windows event log channels, and makes sure that the C:\ volume has at least 10 MB of free space to download files, which are then stashed in the C:\Windows\Fonts folder.
"If not, it will try to delete large files from the system before looking for another suitable volume with sufficient space and creating a folder under $RECYCLE.BIN\Fonts," the researchers said.
The PowerShell script is also designed to create three scheduled tasks on the system to run a malicious DLL every 20 minutes, launch itself by means of a batch script every hour, and execute smartsscreen.exe every 40 minutes.
The core payload of the attack chain is smartsscreen.exe (aka GHOSTENGINE), whose main purpose is to deactivate security processes using the vulnerable Avast driver ("aswArPot.sys"), complete initial infection, and execute the miner.
The security agent binary is then deleted by means of another vulnerable driver from IObit ("iobitunlockers.sys"), following which the XMRig client mining program is downloaded from the C2 server and executed.
The DLL file is used to ensure the persistence of the malware and download updates from the C2 servers by fetching the get.png script and executing it, while the "backup.png" Powershell script functions as a backdoor to enable remote command execution on the system.
In what has been interpreted as a redundancy measure, the PowerShell script "kill.png" has similar capabilities as smartsscreen.exe to delete security agent binaries by injecting and loading an executable file into memory.
The exact scope of the campaign remains unknown and it's currently not clear who is behind it. However, the unusual sophistication behind what appears to be a straightforward illicit cryptocurrency mining attack bears notice.
The development comes as the Uptycs Threat Research Team discovered a large-scale, ongoing operation since January 2024 that exploits known flaws in the Log4j logging utility (e.g., CVE-2021-44228) to deliver an XMRig miner onto the targeted hosts.
"Subsequent to compromising a victim machine, it initiated contact with a URL to fetch a shell script for the deployment of the XMRig miner, or alternatively, in select instances, it disseminated Mirai or Gafgyt malware," security researcher Shilpesh Trivedi said.
A majority of the impacted servers are located in China, followed by Hong Kong, the Netherlands, Japan, the U.S., Germany, South Africa, and Sweden.
BYOVD and Other Methods to Undermine Security Mechanisms
The GHOSTENGINE campaign is emblematic of the growing adoption of BYOVD as an attack technique by both state-sponsored and financially motivated hacking groups, including ransomware gangs, over the past few years.
It is wherein a threat actor brings a known-vulnerable signed driver, loads it into the kernel, and exploits it to perform privileged actions, often with an aim to disarm security processes and allow them to operate stealthily.
"When malware actors need to run malicious code in the Windows kernel on x64 systems with driver signature enforcement in place, carrying a vulnerable signed kernel driver seems to be a viable option for doing so," ESET researcher Peter Kálnai noted back in 2022.
"Drivers run at ring 0, the most privileged level of the operating system," Israeli cybersecurity firm Cymulate notes. "This grants them direct access to critical memory, CPU, I/O operations, and other fundamental resources. In the case of BYOVD, the attack is designed to load a vulnerable driver to further the attack."
Although Microsoft has deployed the Vulnerable Driver Blocklist by default starting in Windows 11 22H2, the list is only updated only once or twice a year, necessitating that users manually update it periodically for optimal protection.
Recent research published by cybersecurity company SafeBreach has demonstrated a creative exploit that taps into the attack technique to get around security protections offered by Palo Alto Networks Cortex XDR and deploy a reverse shell and ransomware, effectively repurposing it into a rogue offensive tool.
At its core, the bypass makes it possible to load a vulnerable driver ("rtcore64.sys") via a BYOVD attack and tamper with the solution to prevent a legitimate administrator from removing the software and ultimately inserting malicious code into one of its processes, granting the threat actor high privileges while remaining undetected and persistent.
"The logic behind the detection processes of a security product should be closely guarded," security researcher Shmuel Cohen said last month. "By giving attackers access to this sensitive detection logic via the solution's content files, they are much more likely to be able to engineer a way around it."
The disclosure also follows the discovery of a novel technique called EDRaser that takes advantage of flaws in Microsoft Defender (CVE-2023-24860 and CVE-2023-36010) to remotely delete access logs, Windows event logs, databases, and other files.
The issue, which also impacts Kaspersky, stems from the fact that both the security programs use byte signatures to detect malware, thus allowing a threat actor to implant malware signatures into legit files and fool the tools into thinking that they are malicious, SafeBreach said.
Another novel method is HookChain, which, as Brazilian security researcher Helvio Carvalho Junior, involves combining IAT hooking, dynamic system service numbers (SSN) resolution, and indirect system calls to escape monitoring and control mechanisms implemented by security software in the user mode, particularly in the NTDLL.dll library.
"HookChain is capable of redirecting the execution flow of all major Windows subsystems, such as kernel32.dll, kernelbase.dll, and user32.dll," Carvalho Junior said in a newly published paper.
"This means that, once deployed, HookChain ensures that all API calls within the context of an application are carried out transparently, completely avoiding detection by [Endpoint detection and response software]."