Recently, an interesting miner implementation appeared on Kaspersky Labβs radar. The malware, which we dubbed PowerGhost, is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers. This type of hidden consolidation is typical of miners: the more machines that get infected and the longer they remain that way, the greater the attackerβs profits. Therefore, itβs not uncommon to see clean software being infected with a miner; the popularity of the legitimate software serves to promote the malwareβs proliferation. The creators of PowerGhost, however, went further and started using fileless techniques to establish the illegal miner within the victim system. It appears the growing popularity and rates of cryptocurrencies have convinced the bad guys of the need to invest in new mining techniques β as our data demonstrates, miners are gradually replacing ransomware Trojans.
PowerGhost is an obfuscated PowerShell script that contains the core code and the following add-on modules: the actual miner, mimikatz, the libraries msvcp120.dll and msvcr120.dll required for the minerβs operation, a module for reflective PE injection and a shellcode for the EternalBlue exploit.
Fragment of the obfuscated script
The add-on modules encoded in base64
The malicious program uses lots of fileless techniques to remain inconspicuous to the user and undetected by antivirus technologies. The victim machine is infected remotely using exploits or remote administration tools (Windows Management Instrumentation). During infection, a one-line PowerShell script is run that downloads the minerβs body and immediately launches it without writing it to the hard drive.
What the script does after that can be broken down into several stages:
In one PowerGhost version, we detected a tool for conducting DDoS attacks. The malware writers obviously decided to make some extra money by offering DDoS services.
PowerShell function with the tell-tale name RunDDOS
Itβs worth pointing out that this is the only one of the minerβs functions that copies files to the hard drive. This is quite possibly a test tool that will later be replaced with a fileless implementation. Also supporting the assertion that this function was added to this version as an afterthought is the peculiar way the DDoS module is launched: the script downloads two PE modules, logos.png and cohernece.txt. The former is saved to the hard drive as java-log-9527.log and is an executable file for conducting DDoS attacks. The file cohernece.txt is protected with the software protection tool Themida, complete with a check for execution in a virtual environment. If the check does not detect a sandbox, then cohernece.txt launches the file java-log-9527.log for execution. In this curious way, the ready DDoS module was supplemented with a function to check for execution in a virtual environment.
Fragment of disassembled code of the file cohernece.txt
Corporate users bore the brunt of the attack: itβs easier for PowerGhost to spread within a companyβs local area network.
_Geography of infections by the miner _
PowerGhost is encountered most often in India, Brazil, Columbia and Turkey.
Kaspersky Labβs products detect the miner and/or its components with the following verdicts:
E-wallets at nanopool.org and minexmr.com:
43QbHsAj4kHY5WdWr75qxXHarxTNQDk2ABoiXM6yFaVPW6TyUJehRoBVUfEhKPNP4n3JFu2H3PNU2Sg3ZMK85tPXMzTbHkb
49kWWHdZd5NFHXveGPPAnX8irX7grcNLHN2anNKhBAinVFLd26n8gX2EisdakRV6h1HkXaa1YJ7iz3AHtJNK5MD93z6tV9H
AEEB46A88C9A37FA54CA2B64AE17F248
4FE2DE6FBB278E56C23E90432F21F6C8
71404815F6A0171A29DE46846E78A079
81E214A4120A4017809F5E7713B7EAC8