GhostEngine: How Hackers Mine Cryptocurrency Using Avast Drivers
Researchers from Elastic Security Labs and Antiy have identified a new cryptocurrency mining campaign, codenamed REF4578, in which the malicious software GhostEngine exploits vulnerable drivers to disable antivirus programs and launch the XMRig miner.
Both Elastic Security Labs and Antiy noted the high level of sophistication in this attack. In their reports, the companies shared detection rules to help defenders identify and stop such threats. However, neither report links the activity to any known hacker groups or provides details about the victims, so the origin and scale of the campaign remain unknown.
How GhostEngine Works
It is still unclear how attackers initially compromise servers, but the attack begins with the execution of a file named Tiworker.exe, which masquerades as a legitimate Windows file. This executable is the first stage of launching GhostEngine, which is a PowerShell script designed to download various modules onto the infected device.
After launch, Tiworker.exe downloads a script called get.png from a C2 server, which acts as the main loader for GhostEngine. The PowerShell script then downloads additional modules and their configurations, disables Windows Defender, enables remote services, and clears various Windows event logs.
The script checks for at least 10 MB of free disk space before proceeding with the infection and creates scheduled tasks to ensure persistence. Next, it downloads and runs an executable named smartsscreen.exe, the main GhostEngine malware. This program disables and removes EDR (Endpoint Detection and Response) solutions and also downloads and launches XMRig for cryptocurrency mining.
To disable security software, GhostEngine downloads two vulnerable drivers: aswArPots.sys (an Avast driver) to terminate EDR processes, and IObitUnlockers.sys (an Iobit driver) to delete related executable files.
GhostEngine Infection Chain
- Initial execution of Tiworker.exe (masquerading as a Windows file)
- Download of get.png PowerShell script from C2 server
- Disabling of Windows Defender and clearing of event logs
- Creation of scheduled tasks for persistence
- Download and execution of smartsscreen.exe (main malware)
- Disabling and removal of EDR solutions
- Download and launch of XMRig miner
- Use of vulnerable drivers to disable security software
How to Protect Against GhostEngine
Elastic experts recommend that defenders pay attention to suspicious PowerShell executions, unusual process activity, and network traffic pointing to cryptocurrency mining pools. The use of vulnerable drivers and the creation of related kernel services should also raise red flags.
A preventive measure is to block the creation of files by vulnerable drivers such as aswArPots.sys and IObitUnlockers.sys. Elastic Security has also provided YARA rules in their report to help defenders detect GhostEngine infections.
Although researchers did not find significant amounts in the single payment ID they studied, it is possible that each affected user has a unique wallet, and the total financial damage could be substantial.