The PowerGhost miner targets large corporate networks, infecting both workstations and servers, and employs multiple fileless techniques to evade detection.
“The malware, which we dubbed PowerGhost, is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers.” reads the analysis published by Kaspersky.
“This type of hidden consolidation is typical of miners: the more machines that get infected and the longer they remain that way, the greater the attacker’s profits. Therefore, it’s not uncommon to see clean software being infected with a miner; the popularity of the legitimate software serves to promote the malware’s proliferation.”
PowerGhost leverages the NSA-linked EternalBlue exploit to spread. It is an obfuscated PowerShell script containing the malware's core code, along with several add-on modules: the miner, miner libraries, the Mimikatz post-exploitation tool, a module for reflective PE injection, and shellcode for the EternalBlue exploit.
The victim system is infected remotely using exploits or remote administration tools (Windows Management Instrumentation). Experts discovered that during the infection phase a one-line PowerShell script is executed to drop the core of the miner component and execute it, with the entire process taking place in the memory of the system.
The first thing the malware does is check the command and control (C&C) server and, if a new version is available, download and execute it.
Then the malware uses the Mimikatz tool to obtain the user account credentials from the machine and uses them to attempt lateral movement inside the target network.
“Propagation. With the help of mimikatz, the miner obtains the user account credentials from the current machine, uses them to log on and attempts to propagate across the local network by launching a copy of itself via WMI. By “a copy of itself” here and below we mean the one-line script that downloads the miner’s body from the C&C.” continues the analysis.
“PowerGhost also tries to spread across the local network using the now-notorious EternalBlue exploit (CVE-2017-0144).”
Once it has infected a machine, PowerGhost attempts to escalate privileges by using various exploits, such as the one for CVE-2018-8120.
In order to establish a foothold in the infected system, PowerGhost saves all the modules as properties of a WMI class, while the miner's main body is saved as a one-line PowerShell script in a WMI subscription that activates every 90 minutes.
The script executes the miner by loading a PE file via reflective PE injection.
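The WMI subscription persistence described above is something a defender can audit directly. The following PowerShell script is an added example written for this page, not code from Kaspersky's analysis; the indicator tokens it searches for are assumed hunting terms, not indicators taken from the report.

```powershell
# Added example: audit WMI permanent event subscriptions (the persistence layer
# described in the article) and flag timer-driven filters and consumers whose
# command line looks like a PowerShell download cradle. Run in an elevated
# PowerShell session; review flagged items against a known-good baseline.
$ns = 'root\subscription'

# Assumed indicator tokens (not from the Kaspersky report); extend as needed.
$suspiciousTokens = @('powershell', '-enc', '-encodedcommand', 'downloadstring',
                      'iex', 'invoke-expression', 'frombase64string', 'hidden')

function Test-SuspiciousText {
    param([string]$Text)
    if (-not $Text) { return $false }
    foreach ($t in $suspiciousTokens) {
        if ($Text.ToLower().Contains($t)) { return $true }
    }
    return $false
}

# 1. Event filters: a WQL query on __TimerEvent, or a polling query against
#    Win32_LocalTime / PerfFormattedData, is how "fire every N minutes" is
#    normally expressed in a subscription.
Get-CimInstance -Namespace $ns -ClassName __EventFilter | ForEach-Object {
    $timer = $_.Query -match '__TimerEvent|Win32_LocalTime|PerfFormattedData'
    [pscustomobject]@{
        Kind   = 'Filter'
        Name   = $_.Name
        Detail = $_.Query
        Flag   = if ($timer) { 'timer/polling trigger' } else { '' }
    }
}

# 2. Consumers: CommandLineEventConsumer runs an arbitrary command line when the
#    bound filter fires; ActiveScriptEventConsumer runs embedded VBScript/JScript.
foreach ($class in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') {
    Get-CimInstance -Namespace $ns -ClassName $class -ErrorAction SilentlyContinue | ForEach-Object {
        $body = if ($class -eq 'CommandLineEventConsumer') { $_.CommandLineTemplate } else { $_.ScriptText }
        [pscustomobject]@{
            Kind   = $class
            Name   = $_.Name
            Detail = $body
            Flag   = if (Test-SuspiciousText $body) { 'script/download tokens' } else { '' }
        }
    }
}

# 3. Bindings tie a filter to a consumer; list every binding so unexpected
#    filter/consumer pairs can be compared against the host's baseline.
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
    Select-Object @{n='Kind';e={'Binding'}}, @{n='Filter';e={"$($_.Filter)"}}, @{n='Consumer';e={"$($_.Consumer)"}}
```

Pipe the output to Format-Table or Export-Csv to review it; an empty Flag column on every row means nothing matched the assumed tokens, not that the host is clean.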
Most of the PowerGhost infections were observed in India, Brazil, Colombia, and Turkey.
Experts also discovered a PowerGhost version that implements DDoS capability, a circumstance that leads Kaspersky to believe that the authors attempted to create a DDoS-for-hire service.
Further details, including Indicators of Compromise (IoCs), are reported in the analysis published by Kaspersky.