Shulou(Shulou.com)05/31 Report--

Editor to share with you what kind of software PowerGhost is, I hope you will gain something after reading this article, let's discuss it together!

Recently, Kaspersky Lab's detection radar found a very interesting malicious mining software called PowerGhost, which can not only quietly dig mines in the background after infecting the target host, but also infect other hosts in the enterprise's large network, including workstations and servers.

There is no doubt that for attackers, the greater the number of infected devices and the longer they stay, the more profitable they will be. Therefore, we often see a lot of legitimate software infected by mining software, because attackers can use legitimate software to spread their own malware. It is important to note, however, that the developers of PowerGhost are more innovative because they have begun to use fileless technology to achieve malicious mining software infection in the target system. In view of this, the popularity of cryptocurrency and rising prices have begun to make many cyber criminals devote themselves to malicious mining technology. Like the survey data from Kaspersky Lab, malicious mining software is gradually replacing extortion software.

Technical analysis and ways of transmission

PowerGhost is actually an obfuscated PowerShell script that contains the core components of the mining master program, mimikatz, a module for implementing reflection PE injection, ShellCode for exploiting EternalBlue vulnerabilities, and related dependent libraries (msvcp120.dll and msvcr120.dll). Here are some of the code snippets:

Plug-in module code encoded by Base64:

This malware uses a variety of fileless techniques to hide traces of its activity and uses vulnerabilities and remote management tools (Windows management tools) to remotely infect target devices. In the process of implementing the infection, the malware runs a PowerShell script that starts the malware immediately after downloading the mining master program, rather than saving it directly to the host's hard drive.

The operation of malicious scripts is divided into the following stages:

Automatic updates: PowerGhost will periodically check if there is a new version of the ClearC server, and if so, automatically download and implement the update without starting the previous version.

Propagation: with the help of mimikatz, the malware collects the user credentials of the infected system, then completes the login and propagates a copy of the malware on the local network through WMI. In addition, PowerGhost exploits the notorious EternalBlue vulnerabilities (MS17-010, CVE-2017-0144) to spread malware on the local network.

Entitlement: after infecting the device, PowerGhost exploits vulnerabilities MS16-032, MS15-051, and CVE-2018-8120 to grant rights on the target device.

Persistent infection: PowerGhost stores all modules as WMI, and the miner stores them as PowerShell scripts, which are activated every 90 minutes.

Payload: finally, the script loads the PE file and starts the mining program through reflective PE injection.

In one of the PowerGhost samples, the researchers also found code to perform DDoS attacks, and it is clear that the authors of PowerGhost also want to earn extra money by providing additional DDoS attack services.

Statistics and geographical distribution

The main target of PowerGhost is enterprise users, because according to its characteristics, the company's local area network is more suitable for transmission.

At present, PowerGhost-infected users are mainly distributed in countries such as India, Brazil, Colombia and Turkey.

The test marks of Kaspersky Labs products are as follows:

DM:Trojan.Win32.GenericPDM:Exploit.Win32.GenericHEUR:Trojan.Win32.Genericnot-a-virus:HEUR:RiskTool.Win32.BitMiner.gen

E-wallet addresses of nanopool.org and minexmr.com:

43QbHsAj4kHY5WdWr75qxXHarxTNQDk2ABoiXM6yFaVPW6TyUJehRoBVUfEhKPNP4n3JFu2H3PNU2Sg3ZMK85tPXMzTbHkb49kWWHdZd5NFHXveGPPAnX8irX7grcNLHN2anNKhBAinVFLd26n8gX2EisdakRV6h2HkXaa1YJ7iz3AHtJNK5MD93z6tV9H intrusion threat indicator

CumberC hostname:

Update.7h5uk [.] com185.128.43.62info.7h5uk [.] com

MD5:

AEEB46A88C9A37FA54CA2B64AE17F2484FE2DE6FBB278E56C23E90432F21F6C871404815F6A0171A29DE46846E78A07981E214A4120A4017809F5E7713B7EAC8 has finished reading this article, I believe you have a certain understanding of "what software PowerGhost is". If you want to know more about it, you are welcome to follow the industry information channel. Thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.