GHOSTENGINE Exploits Vulnerable Drivers to Disable EDRs in Cryptojacking Attack

Researchers have discovered a cryptojacking campaign called GHOSTENGINE by Elastic Security Labs and HIDDEN SHOVEL by Antiy Labs. This campaign uses a BYOVD (Bring Your Own Vulnerable Driver) attack to bypass security solutions and install the XMRig miner. The attack begins with “Tiworker.exe,” which runs a PowerShell script to fetch obfuscated payloads from a C2 server, disguised as a PNG image. These payloads include vulnerable drivers and tools that disable Microsoft Defender, clear event logs, and create sufficient disk space for malware deployment by hiding files in the C:\Windows\Fonts folder. The campaign’s complexity ensures the successful installation and persistence of the miner.

GHOSTENGINE Exploits Vulnerable Drivers to Disable EDRs in Cryptojacking Attack

Solutions

Services

Services

Knowledge

Solutions

Industries

Contact

Invinsense

About

INDIA | Ahmedabad

INDIA | Chennai

INDIA | Kochi

INDIA | Thane

UK | London

USA | New York

KUWAIT

SRI LANKA

Address

GHOSTENGINE Exploits Vulnerable Drivers to Disable EDRs in Cryptojacking Attack

22-May-24

Solutions

Services

Services

Knowledge

Solutions

Industries

Contact

Invinsense

About

INDIA | Ahmedabad

INDIA | Chennai

INDIA | Kochi

INDIA | Thane

UK | London

USA | New York

KUWAIT

SRI LANKA

Address