Recently, an interesting miner implementation appeared on Kaspersky Lab's radar. The malware, which we dubbed PowerGhost, is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers. This type of hidden consolidation is typical of miners: the more machines that get infected and the longer they remain that way, the greater the attacker's profits. Therefore, it's not uncommon to see clean software being infected with a miner; the popularity of the legitimate software serves to promote the malware's proliferation. The creators of PowerGhost, however, went further and started using fileless techniques to establish the illegal miner within the victim system. It appears the growing popularity and rates of cryptocurrencies have convinced the bad guys of the need to invest in new mining techniques – as our data demonstrates, miners are gradually replacing ransomware Trojans.
PowerGhost is an obfuscated PowerShell script that contains the core code and the following add-on modules: the actual miner, mimikatz, the libraries msvcp120.dll and msvcr120.dll required for the miner's operation, a module for reflective PE injection and a shellcode for the EternalBlue exploit.
Fragment of the obfuscated script
The add-on modules encoded in base64
The malicious program uses lots of fileless techniques to remain inconspicuous to the user and undetected by antivirus technologies. The victim machine is infected remotely using exploits or remote administration tools (Windows Management Instrumentation). During infection, a one-line PowerShell script is run that downloads the miner's body and immediately launches it without writing it to the hard drive.
What the script does after that can be broken down into several stages:
In one PowerGhost version, we detected a tool for conducting DDoS attacks. The malware writers obviously decided to make some extra money by offering DDoS services.
PowerShell function with the tell-tale name RunDDOS
It's worth pointing out that this is the only one of the miner's functions that copies files to the hard drive. This is quite possibly a test tool that will later be replaced with a fileless implementation. Also supporting the assertion that this function was added to this version as an afterthought is the peculiar way the DDoS module is launched: the script downloads two PE modules, logos.png and cohernece.txt. The former is saved to the hard drive as java-log-9527.log and is an executable file for conducting DDoS attacks. The file cohernece.txt is protected with the software protection tool Themida, complete with a check for execution in a virtual environment. If the check does not detect a sandbox, then cohernece.txt launches the file java-log-9527.log for execution. In this curious way, the ready DDoS module was supplemented with a function to check for execution in a virtual environment.
Fragment of disassembled code of the file cohernece.txt
Corporate users bore the brunt of the attack: it's easier for PowerGhost to spread within a company's local area network.
_Geography of infections by the miner _
PowerGhost is encountered most often in India, Brazil, Columbia and Turkey.
Kaspersky Lab's products detect the miner and/or its components with the following verdicts:
E-wallets at nanopool.org and minexmr.com: