• This devious malware can turn off your security protection without you even realizing

    From TechnologyDaily@1337:1/100 to All on Wed May 22 17:15:05 2024
    This devious malware can turn off your security protection without you even realizing and then download a load of cryptominers

    Date:
    Wed, 22 May 2024 17:00:37 +0000

    Description:
    After terminating the AVs, REF4578 downloads cryptominers and generates cash at the victims' expense.

    FULL STORY ======================================================================

    Hackers have found a way to install cryptominers on your devices, even if you have an antivirus program installed.

    The campaign was recently discovered by cybersecurity researchers from Elastic Security Labs and Antiy, who named it REF4578 but weren't able to attribute it to any specific, or known, threat actor.

    The campaign is carried out by dropping a vulnerable driver onto the endpoint (a technique known as bring-your-own-vulnerable-driver, or BYOVD), through which the attackers are able to disable, and ultimately uninstall, any antivirus programs installed on the device. Once that's done, the malware drops XMRig, one of the most popular cryptocurrency miners out there. Furthermore, the victims don't seem to be targeted specifically, and it's difficult to determine exactly how many computers were infected.

    Mining cryptos

    The researchers aren't sure exactly how the attackers are distributing the malware, but an educated guess would be either via phishing, social media and instant messaging, or through ad poisoning and impersonation.

    Whatever the method, the victims are first served an executable named Tiworker, which masquerades as a legitimate Windows file. This file drops a PowerShell script called GhostEngine which, in turn, carries out a number of different activities.

    Among them is loading two vulnerable kernel drivers: aswArPots.sys (an Avast driver), used to terminate Endpoint Detection and Response (EDR) processes, and IObitUnlockers.sys (an IObit driver), which deletes the associated executables.

    GhostEngine can also disable Windows Defender, enable remote services, and clear different Windows event logs.

    When the process is done, and the coast is clear, GhostEngine will end up deploying XMRig, a known cryptocurrency miner. This tool, popular among cybercriminals, secretly mines the Monero (XMR) cryptocurrency, famous for
    its privacy and pseudonymity.

    To protect endpoints, the researchers suggest IT teams look out for suspicious PowerShell executions, unusual process activity, and any network traffic pointing to cryptocurrency mining pools. Loads of the two vulnerable drivers named above are a further signal worth alerting on, since legitimate software has no reason to drop them into unusual paths.
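    The following is an added example by the editor, not code from Elastic Security Labs, Antiy or TechRadar. It turns the detection advice above, together with the driver, Defender-tampering and log-clearing behaviours described earlier in the article, into a small rule set run over constructed Sysmon-style events. The field names follow Sysmon, the mining-pool port list and the Defender-tampering patterns are illustrative assumptions, and the sample events are made up for the demonstration; the point is that any one rule is only a lead, while the combination of a vulnerable driver load, security-tool tampering and miner traffic on one host is an incident.

```python
"""Detection sketch for the REF4578 / GhostEngine behaviours described above.
Added example by the editor; not code from Elastic, Antiy or TechRadar.
Runs over constructed Sysmon-style events embedded at the bottom."""
import base64
import re
from dataclasses import dataclass

# Driver file names the article says the campaign abuses (matched on the
# lower-cased basename, because the dropper picks its own directory).
VULNERABLE_DRIVERS = {"aswarpots.sys", "iobitunlockers.sys"}
# Windows binary names the dropper imitates; flagged when run outside C:\Windows.
MASQUERADE_NAMES = {"tiworker.exe"}
# Typical Stratum mining-pool ports. Assumption: illustrative, not exhaustive.
MINING_POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
# Command fragments that tamper with Windows Defender. Assumption: illustrative.
DEFENDER_TAMPER = re.compile(r"WinDefend|DisableRealtimeMonitoring|DisableAntiSpyware", re.I)
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
POWERSHELL = {"powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_powershell(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload (UTF-16LE), or '' if none."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def check_event(ev: dict) -> list[Finding]:
    """Apply per-event rules; each Finding names the rule it tripped."""
    found = []
    kind = ev["event"]
    if kind == "DriverLoad":
        name = _basename(ev["ImageLoaded"])
        if name in VULNERABLE_DRIVERS:
            found.append(Finding("byovd_driver_load", name))
    elif kind == "ProcessCreate":
        image = _basename(ev["Image"])
        cmd = ev.get("CommandLine", "")
        if image in MASQUERADE_NAMES and not ev["Image"].lower().startswith("c:\\windows\\"):
            found.append(Finding("masquerading_binary", ev["Image"]))
        decoded = decode_powershell(cmd) if image in POWERSHELL else ""
        if decoded:
            found.append(Finding("encoded_powershell", decoded))
        if image in POWERSHELL and re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.I):
            found.append(Finding("hidden_powershell", cmd))
        if DEFENDER_TAMPER.search(cmd + " " + decoded):
            found.append(Finding("defender_tamper", decoded or cmd))
        if image == "wevtutil.exe" and re.search(r"\bcl\b", cmd, re.I):
            found.append(Finding("event_log_cleared", cmd))
    elif kind == "NetworkConnect":
        port = int(ev["DestinationPort"])
        if port in MINING_POOL_PORTS:
            found.append(Finding("mining_pool_port",
                                 f"{_basename(ev['Image'])} -> {ev['DestinationIp']}:{port}"))
    return found


def scan_host(events: list[dict]) -> tuple[set[str], str]:
    """Correlate per-host: a single rule is a lead, the kill chain is an incident."""
    rules = {f.rule for ev in events for f in check_event(ev)}
    chain = {"byovd_driver_load", "defender_tamper", "mining_pool_port"}
    if chain <= rules:
        return rules, "incident: BYOVD + defense evasion + miner traffic"
    return rules, ("suspicious" if rules else "clean")


# Constructed sample events (not real telemetry); field names follow Sysmon.
ENCODED_PAYLOAD = base64.b64encode("Stop-Service WinDefend".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "Image": r"C:\Users\x\AppData\Local\Temp\Tiworker.exe",
     "CommandLine": "Tiworker.exe"},
    {"event": "ProcessCreate", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -w hidden -enc {ENCODED_PAYLOAD}"},
    {"event": "DriverLoad", "ImageLoaded": r"C:\Windows\Fonts\aswArPots.sys"},
    {"event": "DriverLoad", "ImageLoaded": r"C:\Windows\Fonts\IObitUnlockers.sys"},
    {"event": "ProcessCreate", "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil cl Security"},
    {"event": "NetworkConnect", "Image": r"C:\Windows\Fonts\xmrig.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 4444},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for f in check_event(ev):
            print(f"{f.rule:22s} {f.detail}")
    print(scan_host(SAMPLE_EVENTS)[1])
```

    Run as a script it lists each finding and then the host verdict. The encoded-command decoding matters in practice: the Defender-tampering pattern only fires here because the base64 payload is decoded first, which is exactly where string-matching on the raw command line would miss the activity.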

    Via BleepingComputer



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/this-devious-malware-can-turn-off-your-security-protection-without-you-even-realizing


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)