GHOSTENGINE is a recently documented intrusion set that combines several malicious modules with the abuse of known vulnerable drivers to disable security tooling, including Endpoint Detection and Response (EDR) agents, so that its crypto-mining payload can run undisturbed.
GHOSTENGINE's operation starts with a seemingly innocuous PowerShell script. The script elevates its privileges to gain full control of the host, then loads known vulnerable drivers (a bring-your-own-vulnerable-driver, or BYOVD, technique) to disable the installed EDR solution, which makes its later activity much harder for security teams to observe.
The Elastic Security Labs team has dissected GHOSTENGINE's operation end to end: the initial infection, the persistence mechanism, the installation of a previously undocumented backdoor, and the execution of the crypto-miner. Defending against a threat of this kind is not a solitary task, which is why that research matters. The combined expertise of Elastic Security Labs and the Sofecta Labs MDR team gives our customers both the technology and the know-how to guard against threats like this one.
At Sofecta Labs, our Managed Detection and Response (MDR) service is designed to detect, block and respond to threats like GHOSTENGINE. Our analysts combine security analytics with threat intelligence to identify and contain threats quickly.
The service provides cost-effective, 24/7 monitoring of your networks and endpoints so that suspicious activity is caught early. For GHOSTENGINE this means watching for unusual PowerShell executions, executables launched from unexpected directories, and the loading of known vulnerable drivers.
With our MDR service we can pinpoint activity such as the execution of an unexpected PE file (like the Tiworker.exe used by GHOSTENGINE) or the loading of a known vulnerable driver. Continuous monitoring keeps the time between compromise and detection short, reducing the attacker's window of opportunity.
In addition to the analysts' expertise, our Elastic XDR deployment uses the "agent tamper protection" feature, which prevents the Elastic Agent and its endpoint protection from being disabled, uninstalled or otherwise tampered with without the change being visible to our SOC/MDR team.
GHOSTENGINE, like many other threats, tries to disable security products so it can operate undetected. Elastic Endpoint's tamper protection is aimed at exactly this step: it keeps the EDR sensor intact and operational, so that even if an attacker gains a foothold their activity is still recorded and our team can respond promptly. Tamper protection raises the bar considerably, but a malicious kernel driver runs with the same privilege as the sensor itself, which is why the vulnerable driver load must also be detected and blocked before it takes effect, for example by Elastic's behaviour prevention rules or by a driver block list.
All IOC observables are also available for download in both ECS and STIX format from the Elastic Security Labs blog.
The following observables were used in this post and in the Elastic Security Labs research:
Using the observables from the Elastic Security Labs post, our MDR team quickly built search queries for these IOCs and ran them across our customers' environments to detect and respond to any related activity.
With Elasticsearch's query languages and hunting capabilities, our MDR team can sweep customer environments for these indicators and identify, contain and remediate GHOSTENGINE activity within minutes. Hash, domain and IP indicators are a fast first pass, but they only catch the samples Elastic analysed; the behavioural detection rules described below are what cover variants with new hashes or new infrastructure.
ES|QL query (note that the *:logs-* pattern targets remote clusters only; add logs-* to the FROM clause to include the local cluster as well):
FROM *:logs-*
| WHERE process.hash.sha256 IN (
    "2fe78941d74d35f721556697491a438bf3573094d7ac091b42e4f59ecbd25753",
    "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1",
    "2b33df9aff7cb99a782b252e8eb65ca49874a112986a1c49cd9971210597a8ae",
    "3ced0552b9ecf3dfecd14cbcc3a0d246b10595d5048d7f0d4690e26ecccc1150",
    "3b2724f3350cb5f017db361bd7aae49a8dbc6faa7506de6a4b8992ef3fd9d7ab",
    "35eb368c14ad25e3b1c58579ebaeae71bdd8ef7f9ccecfc00474aa066b32a03f",
    "786591953336594473d171e269c3617d7449876993b508daa9b96eedc12ea1ca",
    "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5",
    "aac7f8e174ba66d62620bd07613bac1947f996bb96b9627b42910a1db3d3e22b",
    "6f3e913c93887a58e64da5070d96dc34d3265f456034446be89167584a0b347e",
    "7c242a08ee2dfd5da8a4c6bc86231985e2c26c7b9931ad0b3ea4723e49ceb1c1",
    "cc4384510576131c126db3caca027c5d159d032d33ef90ef30db0daa2a0c4104",
    "d59763c132e8e10bfec84eae8f2b6e383ded95f891dffdbf1ed1ee6561ce989b")
  OR file.hash.sha256 IN (
    "2fe78941d74d35f721556697491a438bf3573094d7ac091b42e4f59ecbd25753",
    "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1",
    "2b33df9aff7cb99a782b252e8eb65ca49874a112986a1c49cd9971210597a8ae",
    "3ced0552b9ecf3dfecd14cbcc3a0d246b10595d5048d7f0d4690e26ecccc1150",
    "3b2724f3350cb5f017db361bd7aae49a8dbc6faa7506de6a4b8992ef3fd9d7ab",
    "35eb368c14ad25e3b1c58579ebaeae71bdd8ef7f9ccecfc00474aa066b32a03f",
    "786591953336594473d171e269c3617d7449876993b508daa9b96eedc12ea1ca",
    "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5",
    "aac7f8e174ba66d62620bd07613bac1947f996bb96b9627b42910a1db3d3e22b",
    "6f3e913c93887a58e64da5070d96dc34d3265f456034446be89167584a0b347e",
    "7c242a08ee2dfd5da8a4c6bc86231985e2c26c7b9931ad0b3ea4723e49ceb1c1",
    "cc4384510576131c126db3caca027c5d159d032d33ef90ef30db0daa2a0c4104",
    "d59763c132e8e10bfec84eae8f2b6e383ded95f891dffdbf1ed1ee6561ce989b")
  OR dns.question.name IN ("download.yrnvtklot.com", "ftp.yrnvtklot.com", "online.yrnvtklot.com")
  OR CIDR_MATCH(source.ip, "111.90.158.40/32", "93.95.225.137/32")
  OR CIDR_MATCH(destination.ip, "111.90.158.40/32", "93.95.225.137/32")
KQL query:
process.hash.sha256 : (
    "2fe78941d74d35f721556697491a438bf3573094d7ac091b42e4f59ecbd25753" OR
    "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1" OR
    "2b33df9aff7cb99a782b252e8eb65ca49874a112986a1c49cd9971210597a8ae" OR
    "3ced0552b9ecf3dfecd14cbcc3a0d246b10595d5048d7f0d4690e26ecccc1150" OR
    "3b2724f3350cb5f017db361bd7aae49a8dbc6faa7506de6a4b8992ef3fd9d7ab" OR
    "35eb368c14ad25e3b1c58579ebaeae71bdd8ef7f9ccecfc00474aa066b32a03f" OR
    "786591953336594473d171e269c3617d7449876993b508daa9b96eedc12ea1ca" OR
    "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5" OR
    "aac7f8e174ba66d62620bd07613bac1947f996bb96b9627b42910a1db3d3e22b" OR
    "6f3e913c93887a58e64da5070d96dc34d3265f456034446be89167584a0b347e" OR
    "7c242a08ee2dfd5da8a4c6bc86231985e2c26c7b9931ad0b3ea4723e49ceb1c1" OR
    "cc4384510576131c126db3caca027c5d159d032d33ef90ef30db0daa2a0c4104" OR
    "d59763c132e8e10bfec84eae8f2b6e383ded95f891dffdbf1ed1ee6561ce989b") OR
file.hash.sha256 : (
    "2fe78941d74d35f721556697491a438bf3573094d7ac091b42e4f59ecbd25753" OR
    "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1" OR
    "2b33df9aff7cb99a782b252e8eb65ca49874a112986a1c49cd9971210597a8ae" OR
    "3ced0552b9ecf3dfecd14cbcc3a0d246b10595d5048d7f0d4690e26ecccc1150" OR
    "3b2724f3350cb5f017db361bd7aae49a8dbc6faa7506de6a4b8992ef3fd9d7ab" OR
    "35eb368c14ad25e3b1c58579ebaeae71bdd8ef7f9ccecfc00474aa066b32a03f" OR
    "786591953336594473d171e269c3617d7449876993b508daa9b96eedc12ea1ca" OR
    "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5" OR
    "aac7f8e174ba66d62620bd07613bac1947f996bb96b9627b42910a1db3d3e22b" OR
    "6f3e913c93887a58e64da5070d96dc34d3265f456034446be89167584a0b347e" OR
    "7c242a08ee2dfd5da8a4c6bc86231985e2c26c7b9931ad0b3ea4723e49ceb1c1" OR
    "cc4384510576131c126db3caca027c5d159d032d33ef90ef30db0daa2a0c4104" OR
    "d59763c132e8e10bfec84eae8f2b6e383ded95f891dffdbf1ed1ee6561ce989b") OR
dns.question.name : ("download.yrnvtklot.com" OR "ftp.yrnvtklot.com" OR "online.yrnvtklot.com") OR
source.ip : ("111.90.158.40" OR "93.95.225.137") OR
destination.ip : ("111.90.158.40" OR "93.95.225.137")
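As an added example (not part of the original post and not Elastic's own tooling), the following Python script applies the same indicator matching as the two queries above to a newline-delimited JSON export of ECS events, so the sweep can be repeated offline against data pulled from a customer's cluster or kept as evidence. The field names are the ECS fields the queries use; the four sample events at the end are constructed for illustration and cover the nested and dotted key layouts that both appear in exports.

```python
"""Offline IOC sweep of ECS events for the GHOSTENGINE observables.

Added example, not code from the original post or from Elastic: it applies
the same matching as the ES|QL and KQL queries above to newline-delimited
JSON exported from Elasticsearch, so the sweep can be repeated without
cluster access. Events may use nested objects or dotted keys, as both
appear in exports. The sample events at the bottom are constructed.
"""
from __future__ import annotations

import json
from typing import Any, Iterable

# SHA-256 indicators from the Elastic Security Labs GHOSTENGINE research.
SHA256_IOCS = {
    "2fe78941d74d35f721556697491a438bf3573094d7ac091b42e4f59ecbd25753",
    "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1",
    "2b33df9aff7cb99a782b252e8eb65ca49874a112986a1c49cd9971210597a8ae",
    "3ced0552b9ecf3dfecd14cbcc3a0d246b10595d5048d7f0d4690e26ecccc1150",
    "3b2724f3350cb5f017db361bd7aae49a8dbc6faa7506de6a4b8992ef3fd9d7ab",
    "35eb368c14ad25e3b1c58579ebaeae71bdd8ef7f9ccecfc00474aa066b32a03f",
    "786591953336594473d171e269c3617d7449876993b508daa9b96eedc12ea1ca",
    "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5",
    "aac7f8e174ba66d62620bd07613bac1947f996bb96b9627b42910a1db3d3e22b",
    "6f3e913c93887a58e64da5070d96dc34d3265f456034446be89167584a0b347e",
    "7c242a08ee2dfd5da8a4c6bc86231985e2c26c7b9931ad0b3ea4723e49ceb1c1",
    "cc4384510576131c126db3caca027c5d159d032d33ef90ef30db0daa2a0c4104",
    "d59763c132e8e10bfec84eae8f2b6e383ded95f891dffdbf1ed1ee6561ce989b",
}
DOMAIN_IOCS = {"download.yrnvtklot.com", "ftp.yrnvtklot.com", "online.yrnvtklot.com"}
IP_IOCS = {"111.90.158.40", "93.95.225.137"}

HASH_FIELDS = ("process.hash.sha256", "file.hash.sha256")
IP_FIELDS = ("source.ip", "destination.ip")


def get_field(event: dict, dotted: str) -> Any:
    """Resolve an ECS field name against a dotted key or a nested object."""
    if dotted in event:
        return event[dotted]
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _values(v: Any) -> list[str]:
    """Normalise a scalar or multi-valued ECS field to a list of strings."""
    if isinstance(v, list):
        return [x for x in v if isinstance(x, str)]
    return [v] if isinstance(v, str) else []


def match_event(event: dict) -> list[tuple[str, str]]:
    """Return (field, indicator) pairs that hit; an empty list means clean."""
    hits = []
    for f in HASH_FIELDS:
        for v in _values(get_field(event, f)):
            if v.lower() in SHA256_IOCS:        # hashes compare case-insensitively
                hits.append((f, v.lower()))
    for v in _values(get_field(event, "dns.question.name")):
        name = v.lower().rstrip(".")             # tolerate a trailing root dot
        if name in DOMAIN_IOCS:
            hits.append(("dns.question.name", name))
    for f in IP_FIELDS:
        for v in _values(get_field(event, f)):
            if v in IP_IOCS:
                hits.append((f, v))
    return hits


def sweep_ndjson(lines: Iterable[str]) -> list[dict]:
    """Scan NDJSON lines and return one report entry per matching event."""
    report = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed export line should not abort the sweep
        if not isinstance(event, dict):
            continue
        hits = match_event(event)
        if hits:
            report.append({"line": n, "host": get_field(event, "host.name"), "hits": hits})
    return report


# Constructed sample export: one clean event, a hash hit (upper-case, nested
# keys), a DNS hit (dotted keys, trailing dot) and a destination IP hit.
SAMPLE_NDJSON = [
    json.dumps({"host": {"name": "ws01"}, "process": {"hash": {"sha256": "ab" * 32}}}),
    json.dumps({"host": {"name": "ws02"}, "process": {"hash": {"sha256":
        "2FE78941D74D35F721556697491A438BF3573094D7AC091B42E4F59ECBD25753"}}}),
    json.dumps({"host.name": "ws03", "dns.question.name": "online.yrnvtklot.com."}),
    json.dumps({"host": {"name": "ws04"}, "destination": {"ip": "93.95.225.137"}}),
]

if __name__ == "__main__":
    for entry in sweep_ndjson(SAMPLE_NDJSON):
        print(entry)
```

To use it on real data, pipe an NDJSON export into sweep_ndjson (for example, open the file and pass the file object) and treat every report entry as a host to triage; the script deliberately keeps the hash, domain and IP checks in separate loops so that new indicator types can be added without touching the existing ones.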
The following existing Elastic Endpoint detection rules and behaviour prevention rules already cover the individual steps of the GHOSTENGINE execution chain:
In summary, Sofecta Labs' Managed Detection and Response (MDR) service is designed to detect, block and respond to threats like GHOSTENGINE. It provides 24/7 monitoring of client networks and systems, flags unusual activity such as executables launched from suspicious directories, and relies on a team of analysts who use security analytics and threat intelligence to identify and mitigate threats quickly.
The Elastic XDR deployment adds the "agent tamper protection" feature, which ensures that the client's EDR sensor cannot be tampered with, disabled or uninstalled without the Sofecta Labs MDR team noticing. If an attacker does get into the client's network, their activity is still recorded and the team can respond promptly.
Finally, by taking observables from external research such as the Elastic Security Labs post, the MDR team can build search queries for those Indicators of Compromise (IOCs), hunt for them across client environments, and detect and respond to any related activity.
GHOSTENGINE's operation may look daunting, but you are not alone in the fight against cyber threats. With Sofecta Labs' MDR service and Elastic Endpoint's tamper protection, you can strengthen your defences and keep your digital assets secure and your operations running.
Cybersecurity is an ongoing effort that requires continuous vigilance. At Sofecta Labs we are committed to giving you the tools and support needed to protect your systems and data against threats like GHOSTENGINE. As threat actors evolve, so do we, and with our expertise and up-to-date tooling your security is in capable hands.