A massive cryptocurrency mining campaign has been uncovered by security researchers at Kaspersky Lab. The campaign has resulted in the creation of a vast network of devices infected with PowerGhost malware.

PowerGhost malware is being installed on all manner of devices, including servers, endpoints, and POS devices. Once infected, each device generates a small amount of a cryptocurrency each day by using the device’s processing power to solve complex computational problems.

While a single device can be used to mine a few dollars of cryptocurrency each day, the returns are significant when the attackers are able to infect server farms and add hundreds of thousands of endpoints to their army of cryptocurrency mining slaves.

Once a device is infected, the cryptocurrency mining tool is downloaded and gets to work. A portion of an infected device’s processing power is then dedicated to mining cryptocurrency until the infection is identified and the malware is removed. PowerGhost malware also spreads laterally to all other vulnerable networked devices.

What makes PowerGhost such a difficult threat to detect is that it doesn’t use any files; instead, it is capable of mining cryptocurrency from memory. PowerGhost is an obfuscated PowerShell script that includes various add-on modules, including the cryptocurrency mining component, Mimikatz, and the DLLs required for the operation of the miner. Various fileless techniques are used to infect devices, ensure persistence, and avoid detection by anti-virus solutions. The malware also includes shellcode for the EternalBlue exploit to allow it to spread across a network to other vulnerable devices. Attacks are occurring through the exploitation of unpatched vulnerabilities and through remote administration tools.

PowerGhost malware is primarily being used in attacks on companies in Latin America, although it is far from confined to this geographical region, with India and Turkey also heavily targeted and infections detected in Europe and North America.

Companies are being targeted. If a foothold can be gained in a corporate network, hundreds, thousands or tens of thousands of devices can be infected and used for cryptocurrency mining. The potential rewards for a successful attack on a medium to large enterprise are substantial.

In addition to cryptocurrency mining, Kaspersky Lab researchers note that one version of the PowerGhost malware is capable of being used for DDoS attacks, offering another income stream for the cybercriminal gang behind the campaign.

Prompt patching, disabling Remote Desktop Protocol, and setting strong, complex passwords can help to protect against this PowerGhost malware campaign.
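
The following PowerShell audit is an added example, not code from Kaspersky Lab or the original article. It checks a Windows host for two of the exposures named above (an enabled SMBv1 server, the protocol EternalBlue targets, and enabled Remote Desktop) plus patch recency. The function names and the 30-day patch threshold are assumptions, and password strength is not checked.

```powershell
# Added example: hypothetical helper names; the 30-day threshold is an assumed patch cycle.

function Test-PowerGhostExposure {
    param(
        [Parameter(Mandatory)] [pscustomobject] $State,
        [int] $MaxPatchAgeDays = 30
    )
    $findings = @()
    if ($State.Smb1Enabled) {
        # EternalBlue (MS17-010) targets the SMBv1 server component.
        $findings += 'SMBv1 server is enabled; disable it and confirm MS17-010 is installed.'
    }
    if ($State.RdpEnabled) {
        $findings += 'Remote Desktop is enabled; disable it if it is not required.'
    }
    if ($null -eq $State.LastHotfix) {
        $findings += 'No hotfix install date found; verify patch status manually.'
    } elseif (((Get-Date) - $State.LastHotfix).Days -gt $MaxPatchAgeDays) {
        $date = $State.LastHotfix.ToString('yyyy-MM-dd')
        $findings += "Last hotfix installed $date; older than $MaxPatchAgeDays days."
    }
    $findings
}

function Get-HostState {
    # Collects the live state. Needs an elevated prompt and Windows 8 / Server 2012
    # or later (Get-SmbServerConfiguration is not available on older systems).
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $ts    = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections
    $last  = Get-HotFix | Where-Object InstalledOn |
             Sort-Object InstalledOn | Select-Object -Last 1
    [pscustomobject]@{
        Smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
        RdpEnabled  = ($ts.fDenyTSConnections -eq 0)   # 0 means RDP connections are allowed
        LastHotfix  = $last.InstalledOn
    }
}

# Constructed sample state (not real data) so the checks can be exercised offline.
$sample = [pscustomobject]@{
    Smb1Enabled = $true
    RdpEnabled  = $true
    LastHotfix  = (Get-Date).AddDays(-90)
}
Test-PowerGhostExposure -State $sample | ForEach-Object { "[!] $_" }

# On a live Windows host, from an elevated prompt:
# Test-PowerGhostExposure -State (Get-HostState)
```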