216.73.217.22

Unveiling a Crypto Mining Operation

Published 22/05/2024 07:38 · Modified 22/05/2024 07:53


Essential information

Tags
2024-05-22 cryptomining ghostengine xmrig
Related entities
17 observables, 11 techniques (mitre), 2 malware

Description

This report uncovers a sophisticated intrusion campaign involving several malicious modules designed to disable security solutions and execute a persistent crypto-miner. The primary payload leverages vulnerable drivers to terminate and delete known endpoint detection and response (EDR) agents, enabling the successful deployment of the well-known miner. The operation incorporates numerous contingency mechanisms and redundancies to ensure that the mining activity is installed and persists.

External references