An overview: A Trend Micro team observed the fileless cryptocurrency-mining malware GhostMiner on August 2. They found that this GhostMiner variant can modify infected host files that are heavily used by Mykings, PowerGhost, PCASTLE and BULEHERO, among others.
Earlier this year, GhostMiner came into the limelight for weaponizing Windows Management Instrumentation (WMI) objects for fileless persistence, payload delivery, and antivirus evasion.
How it works: The team came across the malware while it was mining Monero cryptocurrency. Few written details have been published yet.
Functions & Tasks (performed when the command script is executed)
WMI_KillFake - Terminates processes and deletes corresponding files based on a list of conditions
WMI_KillService - Terminates services based on a set of conditions
WMI_Scanner - Terminates known cryptominer processes found in process memory
WMI_CheckFile - Verifies the integrity of the file it drops
Additionally, the command script has a WMI_Killer function, which terminates running processes and deletes scheduled tasks and services associated with cryptocurrency-mining malware families such as Mykings, PowerGhost, PCASTLE and BULEHERO, as well as other generic MALXMR variants used by several malware families, including BlackSquid.
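Because the variant relies on WMI objects for fileless persistence and tampers with host files, a defender's first check on a suspect machine is to list permanent WMI event subscriptions and any hosts-file entries that do not point at loopback. The script below is an added example, not code from Trend Micro's write-up; it assumes an elevated PowerShell session and only reads, never modifies, the system.

```powershell
# Added example: enumerate WMI permanent event subscriptions (the
# mechanism fileless miners use to survive reboots) and list hosts-file
# entries that resolve names somewhere other than loopback.
# Run from an elevated prompt; review the output by hand.

$ns = 'root/subscription'

Write-Host '== WMI event filters (triggers) =='
Get-CimInstance -Namespace $ns -ClassName __EventFilter |
    Select-Object Name, Query | Format-Table -AutoSize

Write-Host '== WMI event consumers (actions) =='
# CommandLineEventConsumer and ActiveScriptEventConsumer are the
# subclasses that execute code; __EventConsumer returns all of them.
Get-CimInstance -Namespace $ns -ClassName __EventConsumer |
    Select-Object Name,
                  @{ n = 'Type'; e = { $_.CimClass.CimClassName } },
                  CommandLineTemplate, ScriptText |
    Format-List

Write-Host '== Filter-to-consumer bindings (filter -> consumer) =='
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
    Select-Object Filter, Consumer | Format-List

Write-Host '== Non-loopback hosts-file entries =='
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath |
    Where-Object { $_ -match '^\s*[^#\s]' } |          # skip blanks/comments
    ForEach-Object {
        $fields = $_.Trim() -split '\s+', 2            # address, then names
        [pscustomobject]@{ Address = $fields[0]; Names = $fields[1] }
    } |
    Where-Object { $_.Address -notin @('127.0.0.1', '::1') } |
    Format-Table -AutoSize
```

A clean host normally shows no bindings at all and only loopback entries in the hosts file; any CommandLineEventConsumer or ActiveScriptEventConsumer you did not deploy yourself deserves a closer look.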