{ "name": "Unveiling a Crypto Mining Operation", "slug": "unveiling-a-crypto-mining-operation", "description": "This report uncovers a sophisticated intrusion campaign involving several malicious modules designed to disable security solutions and execute a persistent crypto-miner. The primary payload, dubbed GHOSTENGINE, leverages vulnerable drivers to terminate and delete known endpoint detection and response (EDR) agents, enabling the successful deployment of the well-known XMRig miner. The operation incorporates numerous contingency mechanisms and redundancies to ensure the installation and persistence of the mining activity.", "published": "2024-05-22T05:38:48+00:00", "created_at": "2024-05-22T05:38:48+00:00", "modified_at": "2024-05-22T05:53:52+00:00", "created_at_opencti": "2024-05-22T05:38:48+00:00", "author": "", "confidence": null, "report_types": [], "labels": [], "tags": [ "2024-05-22", "cryptomining", "ghostengine", "xmrig" ], "related_entities": { "observables": [ { "id": "", "name": "93.95.225.137" }, { "id": "", "name": "111.90.158.40" }, { "id": "", "name": "ftp.yrnvtklot.com" }, { "id": "", "name": "online.yrnvtklot.com" }, { "id": "", "name": "download.yrnvtklot.com" }, { "id": "", "name": "cc4384510576131c126db3caca027c5d159d032d33ef90ef30db0daa2a0c4104" }, { "id": "", "name": "aac7f8e174ba66d62620bd07613bac1947f996bb96b9627b42910a1db3d3e22b" }, { "id": "", "name": "7c242a08ee2dfd5da8a4c6bc86231985e2c26c7b9931ad0b3ea4723e49ceb1c1" }, { "id": "", "name": "786591953336594473d171e269c3617d7449876993b508daa9b96eedc12ea1ca" }, { "id": "", "name": "6f3e913c93887a58e64da5070d96dc34d3265f456034446be89167584a0b347e" }, { "id": "", "name": "3ced0552b9ecf3dfecd14cbcc3a0d246b10595d5048d7f0d4690e26ecccc1150" }, { "id": "", "name": "3b2724f3350cb5f017db361bd7aae49a8dbc6faa7506de6a4b8992ef3fd9d7ab" }, { "id": "", "name": "35eb368c14ad25e3b1c58579ebaeae71bdd8ef7f9ccecfc00474aa066b32a03f" }, { "id": "", "name": "2b33df9aff7cb99a782b252e8eb65ca49874a112986a1c49cd9971210597a8ae" }, { "id": "", "name": "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5" }, { "id": "", "name": "2fe78941d74d35f721556697491a438bf3573094d7ac091b42e4f59ecbd25753" }, { "id": "", "name": "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1" } ], "malware": [ { "id": "legacy:malware:2a09f654851f4b70", "name": "Ghostengine", "slug": "ghostengine" }, { "id": "legacy:malware:1997d740a167fe40", "name": "ALF:HeraklezEval:Trojan:Win64/XMRigMiner", "slug": "alfheraklezevaltrojanwin64xmrigminer" } ], "attack_patterns": [ { "id": "da44e22e-1925-42e4-b30d-ac38860d39bb", "name": "T1070.001" }, { "id": "6f00068c-812c-4e2b-9100-2cfa86b3aed9", "name": "T1132.001" }, { "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5", "name": "T1053.005" }, { "id": "6c54bb5e-b90c-478e-b1fb-705daf1869b3", "name": "T1197" }, { "id": "0192fd78-09e3-4fe4-a9d3-38a7137e15fa", "name": "T1055.002" }, { "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46", "name": "T1059.003" }, { "id": "32b33067-6566-4b8d-be80-e96f765d84de", "name": "T1059.001" }, { "id": "6ccd4566-e15e-40cf-b7df-4a3f737ce5cd", "name": "T1036.005" }, { "id": "d9f271ed-7685-4362-b90d-f16a14102f39", "name": "T1489" }, { "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7", "name": "T1016" }, { "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571", "name": "T1105" } ] }, "external_refs": [ "https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine", "https://otx.alienvault.com/pulse/664da1082276eb73877c725b" ] }