This devious malware can turn off your security protection without you even realizing — and then download a load of cryptominers

Hackers have found a way to install cryptominers on your devices, even if you have an antivirus program installed.

The campaign was recently discovered by cybersecurity researchers from Elastic Security Labs and Antiy, who named it REF4578 but were unable to attribute it to any specific or known threat actor.

The attackers drop a vulnerable driver onto the endpoint and use it to disable, and ultimately uninstall, any antivirus programs installed on the device. Once that's done, the malware drops XMRig, one of the most popular cryptocurrency miners out there. The victims don't appear to be specifically targeted, and it's difficult to determine exactly how many computers were infected.

Mining cryptos

The researchers aren't sure exactly how the attackers are distributing the malware, but an educated guess would be phishing, social media and instant messaging, or ad poisoning and impersonation.

Whatever the method, the victims are first served an executable named Tiworker, which masquerades as a legitimate Windows file. This file drops a PowerShell script called GhostEngine which, in turn, carries out a number of different activities.

Among them is loading two vulnerable kernel drivers: aswArPots.sys (an Avast driver), used to terminate Endpoint Detection and Response (EDR) processes, and IObitUnlockers.sys (an IObit driver), which deletes the associated executables.

GhostEngine can also disable Windows Defender, enable remote services, and clear different Windows event logs.

When the process is done, and the coast is clear, GhostEngine will end up deploying XMRig, a known cryptocurrency miner. This tool, popular among cybercriminals, secretly mines the Monero (XMR) cryptocurrency, famous for its privacy and pseudonymity.

To protect endpoints, the researchers suggest IT teams look out for suspicious PowerShell executions, unusual process activity, and any network traffic pointing to cryptocurrency mining pools.
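As an added illustration of that hunting advice (example code written for this article, not Elastic's or Antiy's detection logic), the script below runs one rule per stage of the chain described above over constructed, simplified Windows telemetry records and then flags hosts where several stages fired together. The event schema, the mining-pool hostname pattern and the sample hosts are all assumptions made for the example.

```python
"""Hunt Windows telemetry for the GhostEngine (REF4578) stages the article describes.
Added example, not Elastic or Antiy code; records are constructed, simplified dicts."""
import re
# Drivers the article names as abused to kill EDR processes and delete their binaries.
VULNERABLE_DRIVERS = {"aswarpots.sys", "iobitunlockers.sys"}
# Hypothetical mining-pool hostname pattern; in production, feed real threat intel here.
MINING_POOL_PATTERNS = [re.compile(r"(^|\.)pool\.example-xmr\.invalid$")]
POWERSHELL = {"powershell.exe", "pwsh.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def hunt(events):
    """Apply one rule per stage; return (rule, host, detail) tuples in event order."""
    findings = []
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "driver_load" and basename(ev["image"]) in VULNERABLE_DRIVERS:
            # Name matching is weak (files can be renamed); prefer signer/hash fields if present.
            findings.append(("vulnerable_driver_load", host, basename(ev["image"])))
        elif kind == "process_create" and basename(ev["image"]) in POWERSHELL:
            # The dropper masquerading as Tiworker launches the GhostEngine PowerShell script.
            if basename(ev.get("parent_image", "")).startswith("tiworker"):
                findings.append(("powershell_from_tiworker", host, ev["command_line"]))
        elif kind == "log_cleared":
            findings.append(("event_log_cleared", host, ev["channel"]))
        elif kind == "network_connect":
            dest = ev.get("dest_host", "").lower()
            if any(p.search(dest) for p in MINING_POOL_PATTERNS):
                findings.append(("mining_pool_connection", host, dest))
    return findings

def correlate(findings, min_stages=2):
    """Return hosts on which at least min_stages distinct rules fired, sorted."""
    stages = {}
    for rule, host, _ in findings:
        stages.setdefault(host, set()).add(rule)
    return sorted(h for h, s in stages.items() if len(s) >= min_stages)

# Constructed sample telemetry: ws01 shows the whole chain, ws02 only a benign driver load.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process_create", "parent_image": "C:\\Users\\Public\\Tiworker.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -File C:\\Users\\Public\\stage2.ps1"},
    {"host": "ws01", "type": "driver_load", "image": "C:\\Windows\\System32\\drivers\\aswArPots.sys"},
    {"host": "ws01", "type": "log_cleared", "channel": "Security"},
    {"host": "ws01", "type": "network_connect", "dest_host": "eu.pool.example-xmr.invalid"},
    {"host": "ws02", "type": "driver_load", "image": "C:\\Windows\\System32\\drivers\\tcpip.sys"},
]
```

A single rule firing (a driver load by name, say) is a lead rather than a verdict; `correlate` is what turns several weak signals on one host into something worth an analyst's time.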

Via BleepingComputer
