A new mining malware, dubbed ‘GhostMiner’ by its discoverer Minerva Labs (minerva-labs.com), is the first crypto-jacking infection to ensure maximum profit by killing off its rivals. GhostMiner is also the first ‘fileless’ mining malware, running code directly from memory without leaving files on disk.
If another crypto-jacking malware is already on the system, GhostMiner removes it so that it alone can mine Monero cryptocurrency coins. GhostMiner first searches for and kills every miner on its blacklist using a forced End Process command on Windows, then removes any remaining miners by walking a list of TCP ports associated with miners and stopping any process it finds using them.
Cryptocurrency mining has become as lucrative for cybercriminals as ransomware. As far as we know, though, GhostMiner has so far earned only around 1.5 Monero, worth $300: small change compared with the Jenkins miner that made $3 million in Monero earlier this year. GhostMiner’s author may nonetheless be hiding additional funds elsewhere. According to Minerva Labs, “It is highly plausible that there are other addresses used in this campaign, undetectable due to Monero's anonymity features.”
GhostMiner’s author put a lot of hours into assembling its aggressive code. A fully deployed GhostMiner payload is currently undetectable by all brand-name antivirus engines. It spreads by randomly probing IP addresses until it finds a target, then gains a foothold on the new victim’s system by burying itself inside two nested evasion scripts; running those scripts launches its fileless operational mode, from which it downloads its coin-mining component.
The efforts of GhostMiner’s author will not go to waste. Minerva Labs is turning GhostMiner’s code against it and other mining malware with a script extracted from GhostMiner that they call MinerKiller. Minerva Labs said, “It implements all the aforementioned tactics – removing known processes, tasks, and services by name and unfamiliar ones by arguments or TCP connections typical to miners.” Incident response teams can write their own scripts for removing malicious miners by downloading MinerKiller from GitHub.
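The tactics the article attributes to MinerKiller (known miner names first, then unfamiliar processes by their arguments or by TCP connections typical to miners) can be sketched as detection logic over a process and connection listing. The Python below is an added example, not MinerKiller or any Minerva Labs code; its miner names, argument patterns, pool ports and sample records are constructed assumptions, and it only flags processes for a responder to review rather than terminating them.

```python
import re
from dataclasses import dataclass

# Illustrative assumptions, not indicators from the GhostMiner report.
KNOWN_MINER_NAMES = {"xmrig.exe", "minerd.exe", "cpuminer.exe"}
MINER_ARG_PATTERNS = [
    re.compile(r"stratum\+tcp://", re.I),   # pool URL scheme used by most miners
    re.compile(r"--donate-level", re.I),    # xmrig-style command-line switch
    re.compile(r"\s-o\s+\S+:\d+", re.I),    # "-o host:port" pool argument
]
MINER_PORTS = {3333, 4444, 5555, 7777, 14444}  # ports commonly used by pools (assumed)


@dataclass
class Proc:
    pid: int
    name: str
    cmdline: str


@dataclass
class Conn:
    pid: int
    remote_port: int


def classify(procs, conns):
    """Return {pid: reason} for processes that look like miners.
    Order mirrors the article: known names, then unfamiliar processes
    by their arguments, then by TCP connections to mining-pool ports."""
    ports_by_pid = {}
    for c in conns:
        ports_by_pid.setdefault(c.pid, set()).add(c.remote_port)
    flagged = {}
    for p in procs:
        if p.name.lower() in KNOWN_MINER_NAMES:
            flagged[p.pid] = "known miner name"
        elif any(pat.search(p.cmdline) for pat in MINER_ARG_PATTERNS):
            flagged[p.pid] = "miner-style arguments"
        elif ports_by_pid.get(p.pid, set()) & MINER_PORTS:
            flagged[p.pid] = "TCP connection to a mining-pool port"
    return flagged


# Constructed sample listing: one known miner, one benign service,
# one renamed miner betrayed by its arguments, one betrayed by its connection.
SAMPLE_PROCS = [
    Proc(100, "xmrig.exe", "xmrig.exe -o pool.example:3333"),
    Proc(200, "svchost.exe", "svchost.exe -k netsvcs"),
    Proc(300, "update.exe", "update.exe --donate-level 1 -o stratum+tcp://pool.example:14444"),
    Proc(400, "helper.exe", "helper.exe --quiet"),
]
SAMPLE_CONNS = [Conn(200, 443), Conn(400, 5555)]

if __name__ == "__main__":
    for pid, reason in classify(SAMPLE_PROCS, SAMPLE_CONNS).items():
        print(pid, reason)
```

On a live Windows host the same records would come from a process listing with command lines and from the active TCP connection table; the matching logic does not change.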
By: BGN Editorial Staff