A novel cryptomining campaign deploying the GhostEngine payload, which exploits vulnerable kernel drivers to deactivate endpoint detection and response (EDR) systems and then deploys the XMRig miner, was described in separate reports from Elastic Security Labs and Antiy, according to BleepingComputer.
Intrusions begin with the execution of a file named "Tiworker.exe" that impersonates a legitimate Windows file and downloads a PowerShell script. That script retrieves additional modules, disables Windows Defender, and establishes scheduled tasks, and it also delivers and executes the primary GhostEngine payload, reported Elastic Security Labs researchers. GhostEngine then terminates and deletes EDR software, deploys XMRig, and establishes persistence through the "oci.dll" file.
Neither report provides specifics about the attackers or the campaign's victims, but Elastic Security researchers urged organizations to watch for suspicious process activity and PowerShell execution, and to prevent vulnerable drivers from creating files.