Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Network Security

7/31/2018
08:05 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt
50%
50%

PowerGhost Cryptomining Malware Targets Corporate Networks

Kaspersky Lab researchers said the malware uses fileless techniques to make it harder to detect and the Eternal Blue exploit to spread to systems across the networks.

Cybercriminals using malware to steal the compute power of victims' systems to mine cryptocurrencies are increasingly targeting corporate networks to increase the number of systems they leverage.

The latest example of this is PowerGhost, a cryptomining malware detected by researchers at Kaspersky Lab that not only takes aim at large corporate networks but also uses fileless techniques to make it more difficult to detect. The malware leverages a combination of PowerShell and EternalBlue exploits to spread from a single system on the network to other systems, such as servers and workstations.

The math behind PowerGhost is pretty simple: the longer the malware can stay on the network and the more systems it can infect, the more illicit profits the bad actors can reap. The malware uses the compute power in the infected machines to mine for cryptocurrency, which is transferred to the attackers' wallets.

"The task of crypto-miners' owners is to attract as many computing resources as possible," Anatoly Kazantsev, malware analyst at Kaspersky, told Security Now in an email. "A large number of computing resources can increase the income of cybercriminals. Therefore, for cybercriminals, the infrastructure of corporate networks is a tidbit in terms of number of users. Updates are often installed with delay on corporate networks, allowing cybercriminals to use public hacking tools, saving money on buying [zero]-day exploits."

Kazantsev and Kaspersky analyst Vladav Bulavas in a blog on Kaspersky's SecureList site described PowerGhost as an "obfuscated PowerShell script that contains the core code and the following add-on modules: the actual miner, mimikatz, the libraries msvcp120.dll and msvcr120.dll required for the miner's operation, a module for reflective PE injection and a shellcode for the EternalBlue exploit."

The code doesn't need to use files and isn't stored directly on the system's hard drive, making it more difficult to antivirus solutions to detect it, according to the researchers. Instead, the victim's machine is infected remotely by using either exploits or remote administration tools like Windows Management Instrumentation. Once that happens, the PowerShell script is run and downloads the miner, while the virus makes a copy of itself and moves on to infect other systems in the network using the EternalBlue exploit, which was leveraged to great success by the WannaCry and NotPetya ransomware attacks last year. (See WannaCry: How the Notorious Worm Changed Ransomware.)

"The choice of fileless techniques by the cybercriminals is not accidental," Kazantsev told Security Now. "With this approach, malware leaves virtually no traces in the system, which increases the chances of a successful launch and allows to stay unnoticed longer in the system. That is why it is so important to choose security solutions that use a comprehensive approach in the fight against malware."

Malware evolution
Another characteristic of PowerGhost is its ability to run other attacks that don't involve cryptomining. According to the researchers, in one version of PowerGhost, they found a tool for running distributed denial-of-service (DDoS) attacks. The DDoS function is the only one in PowerGhost that copies files to the hard drive, making researchers believe that it probably is a test tool that will be replaced by a fileless implementation later.

"In general, the evolution of crypto miners, like with most other malware, is moving towards reducing visibility [fileless technology], long-term gaining in the systems and obtaining additional income," Kazentsev said, noting the "DDoS-module in the sample."

Such evolution in targets and capabilities has been seen other malware.

The Hide 'N Seek (HNS) botnet is an example. The botnet, which was discovered earlier this year, initially targeted Internet of Things (IoT) devices, including home routers and DVRs. Researchers at Qihoo 360's Netlab earlier this month reported that the latest versions of the HNS botnet now are taking aim at other systems, including NoSQL database servers, and include a program for mining cryptocurrencies, though the researchers don't believe the program is functional yet. (See HNS IoT Botnet Evolves, Goes Cross-Platform.)

Kazentsev added that he expects malware to continue to evolve and add more targets, saying that "the infrastructure of corporate networks is an excellent prey for owners of crypto-mining botnets, so it is likely that in the future cybercriminals will develop their own techniques and tools designed for corporate networks."

PowerGhost has a global reach to it, with instances of infection being found in North and South America, Russia and other parts of Asia, Europe and Africa. Users in India, Brazil, Colombia and Turkey, according to Kaspersky analysts.

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8225
PUBLISHED: 2020-09-18
A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials.
CVE-2020-8237
PUBLISHED: 2020-09-18
Prototype pollution in json-bigint npm package < 1.0.0 may lead to a denial-of-service (DoS) attack.
CVE-2020-8245
PUBLISHED: 2020-09-18
Improper Input Validation on Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11....
CVE-2020-8246
PUBLISHED: 2020-09-18
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-W...
CVE-2020-8247
PUBLISHED: 2020-09-18
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-W...