A huge cryptocurrency mining campaign has been discovered by security experts at Kaspersky Lab – a campaign that has lead to the creation of a vast network of devices infected with PowerGhost malware.
PowerGhost malware is being downloaded to all manner of devices including servers, endpoints, and POS devices. Once infected, each device generates a tiny amount of a cryptocurrency each day by using the device’s processing power to solve complex computational equations.
While just one device can be used to mine a few dollars of cryptocurrency every day, the returns are major when the hackers are able to infect server farms and add hundreds of thousands of endpoints to their army of cryptocurrency mining workers.
Once a device is infiltrated, the cryptocurrency mining tool is installed and gets to work. A percentage of an infected device’s processing power is then focused on mining cryptocurrency until the infection is identified and the malware is deleted. PowerGhost malware also spreads laterally to all other susceptible networked devices.
What makes PowerGhost such a difficult threat to spot is the fact that it does not use any files, instead it is capable of mining cryptocurrency from the memory. PowerGhost is an obfuscated PowerShell script that includes various add-on modules, including the cryptocurrency mining component, mimikatz, and the DLLs necessary for the operation of the miner. Various fileless methods are used to infect devices, ensure persistence, and avoid detection by anti-virus solutions. The malware also includes shellcode for the EternalBlue exploit to permit it to spread across a network to other vulnerable devices. Attacks are happening via the exploitation of unpatched vulnerabilities and through remote administration tools.
PowerGhost malware is mainly being implemented in attacks on companies in Latin America, although it is far from restricted to this geographical region with India and Turkey also heavily targeted and infections discovered in Europe and North America.
Companies are being focused on. If a foothold can be obtained in a corporate network, hundreds, thousands or tens of thousands of devices can be infected and used for cryptocurrency mining. The possible rewards for a successful attack on a medium to large enterprise is huge.
Along with cryptocurrency mining, Kaspersky Lab experts note that one version of the PowerGhost malware can be used for DDoS attacks, offering another income stream for the hacking responsible for the campaign.
Swift patching, turning off remote desktop protocol and establishing strong complex passwords can help to protect against this PowerGhost malware campaign.
