This devious malware can turn off your security protection without you even realizing — and then download a load of cryptominers

Hackers have found a way to install cryptominers on your devices, even if you have an antivirus program installed.

The campaign was recently discovered by cybersecurity researchers from Elastic Security Labs and Antiy, who named it REF4578, but weren’t able to attribute it to any specific, or known, threat actor.

The campaign is carried out by dropping a vulnerable driver onto the endpoint, which the attackers then use to disable, and ultimately uninstall, any antivirus program installed on the device. Once that's done, the malware drops XMRig, one of the most popular cryptocurrency miners out there. The victims don't appear to be targeted specifically, and it's difficult to determine exactly how many computers were infected.

Mining cryptos

The researchers aren't sure exactly how the attackers are distributing the malware, but an educated guess would be either via phishing, social media and instant messaging, or through ad poisoning and impersonation.

Whatever the method, the victims are first dropped an executable named Tiworker, which masquerades as a legitimate Windows file. This file drops a PowerShell script called GhostEngine which, in turn, carries out a number of different activities.

Among them is loading two vulnerable kernel drivers: aswArPots.sys (an Avast driver), used to terminate Endpoint Detection and Response (EDR) processes, and IObitUnlockers.sys (an IObit driver), which deletes the associated executables.

GhostEngine can also disable Windows Defender, enable remote services, and clear different Windows event logs.

When the process is done, and the coast is clear, GhostEngine will end up deploying XMRig, a known cryptocurrency miner. This tool, popular among cybercriminals, secretly mines the Monero (XMR) cryptocurrency, famous for its privacy and pseudonymity.

To protect the endpoints, the researchers suggest IT teams look out for suspicious PowerShell executions, unusual process activity, and any network traffic pointing to cryptocurrency mining pools.
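One way to turn those indicators into a concrete host check, as an added example that is not from the article or the researchers: it scores constructed Sysmon-style events for the behaviours described above (the event shape, the mining-pool port list and the PowerShell flag heuristics are assumptions made for the example).

```python
"""Added example (not from the article or the researchers): scores constructed
Sysmon-style events for the GhostEngine behaviours the article describes:
loading the two named vulnerable drivers, PowerShell launched with suspicious
flags, event-log clearing, and connections to ports commonly used by Monero
mining pools. Event shapes, port list and flag regex are illustrative assumptions."""
import re

VULN_DRIVERS = {"aswarpots.sys", "iobitunlockers.sys"}   # driver names from the article
POOL_PORTS = {3333, 4444, 5555, 14444}                    # assumed common stratum ports
PS_FLAGS = re.compile(r"-(enc|encodedcommand|w(indowstyle)? hidden|ep bypass|executionpolicy bypass)", re.I)

def score_event(ev):
    """Return (points, reason) for one event dict, or (0, None) if benign."""
    kind = ev.get("type")
    if kind == "driver_load":
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        if name in VULN_DRIVERS:   # on hosts with Avast/IObit installed, also check the load path
            return 5, f"vulnerable driver loaded: {ev['image']}"
    elif kind == "process_create":
        img = ev["image"].rsplit("\\", 1)[-1].lower()
        cmd = ev.get("cmdline", "")
        if img == "powershell.exe" and PS_FLAGS.search(cmd):
            return 3, f"suspicious PowerShell: {cmd}"
        if img == "wevtutil.exe" and re.search(r"\bcl\b", cmd, re.I):
            return 3, f"event log cleared: {cmd}"
    elif kind == "network_connect":
        if ev.get("dst_port") in POOL_PORTS:
            return 2, f"connection to likely mining-pool port {ev['dst_port']}"
    return 0, None

def assess_host(events, threshold=5):
    """Sum per-event scores; the host is flagged when the total reaches the threshold."""
    hits = [(p, r) for p, r in map(score_event, events) if p]
    total = sum(p for p, _ in hits)
    return total >= threshold, total, [r for _, r in hits]

# Constructed sample telemetry mimicking the infection chain the article describes.
SAMPLE = [
    {"type": "process_create", "image": r"C:\Users\u\AppData\Local\Temp\Tiworker.exe", "cmdline": "Tiworker.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -File GhostEngine.ps1"},
    {"type": "driver_load", "image": r"C:\Windows\Temp\aswArPots.sys"},
    {"type": "driver_load", "image": r"C:\Windows\Temp\IObitUnlockers.sys"},
    {"type": "process_create", "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil cl Security"},
    {"type": "network_connect", "image": r"C:\ProgramData\xmrig.exe", "dst_port": 14444},
]

if __name__ == "__main__":
    flagged, total, reasons = assess_host(SAMPLE)
    print(flagged, total, *reasons, sep="\n")
```

A single driver load of either named file is enough to cross the default threshold on its own; the lower-scoring PowerShell, log-clearing and network signals are there so that a host where the driver load was missed still trips once the rest of the chain appears.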

Via BleepingComputer
