Intrusion Set REF4578 Disables Security Solutions

Highlights

  • Researchers discovered REF4578 using vulnerable drivers to disable security solutions.

  • The attack includes the GHOSTENGINE payload for managing modules and deploying XMRig miner.

  • Sophisticated persistence mechanisms highlight the need for enhanced cybersecurity measures.

Samantha Reed
Last updated: 22 May, 2024 - 7:23 pm

Researchers have identified a new intrusion set known as REF4578, which utilizes vulnerable drivers to disable established security solutions (EDRs) on targeted machines. The complex attack installs a cryptocurrency miner, XMRig, and deploys a malicious payload known as GHOSTENGINE, which manages various aspects of the intrusion. This sophisticated campaign underscores the evolving tactics in cybersecurity threats, highlighting the need for robust defensive measures.

Contents

  • Complexity of REF4578
  • Role of GHOSTENGINE
  • Establishing Persistence
  • Key Takeaways

The REF4578 intrusion set was first detected on May 6, 2024. Leveraging a PE file disguised as the legitimate Windows TiWorker.exe, the attack initiates a sequence that involves downloading and executing a PowerShell script. The script orchestrates the entire malicious process, starting from the execution of hardcoded command lines to disabling security protocols. This method of operation showcases a significant evolution from previous malware campaigns, where simpler techniques were often employed.

Complexity of REF4578

Elastic Security Labs reported that the initial execution of the malicious TiWorker.exe file triggered several alerts because it loaded a known vulnerable driver. Upon execution, the file downloads a PowerShell script that manages the entire intrusion process. Among other actions, this script attempts to disable Windows Defender and to enable remote services. The level of sophistication in the REF4578 attack is a notable advancement over previous malware campaigns, reflecting a trend towards more complex and persistent cyber threats.

Role of GHOSTENGINE

GHOSTENGINE, the core component of the attack, is tasked with managing the machine’s modules. It primarily uses HTTP to download files, with fallback protocols like FTP in case of failure. GHOSTENGINE is responsible for disabling EDR agents, establishing persistence through scheduled tasks, and ultimately deploying the XMRig cryptocurrency miner. This multi-faceted approach highlights the potency and adaptability of modern malware.

Establishing Persistence

To ensure long-term presence on the infected system, the attack creates scheduled tasks such as OneDriveCloudSync, DefaultBrowserUpdate, and OneDriveCloudBackup. These tasks run with SYSTEM privileges, making them difficult to detect and remove. Additionally, GHOSTENGINE installs modules that can terminate security tools, check for software updates, and construct a backdoor for future access. This persistence mechanism is a key reason behind the campaign’s effectiveness.

Key Takeaways

Based on the analysis of the REF4578 intrusion, several actionable points emerge for enhancing cybersecurity defenses:

  • Monitor and block suspicious PowerShell execution.
  • Identify and mitigate executions from uncommon directories.
  • Prevent unauthorized privilege escalation to system integrity levels.
  • Detect and disable deployment of vulnerable drivers and associated kernel mode services.
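The takeaways above, together with the persistence section, describe three detectable behaviours: a TiWorker.exe launched from somewhere other than its normal Windows directory, PowerShell spawned by that untrusted parent, and SYSTEM-level scheduled tasks (including the three named ones) created by an untrusted process. The following Python is an added illustration, not code from Elastic Security Labs or this article; it runs simple rules over a handful of constructed telemetry events. The event fields, the trusted-directory list (WinSxS and System32, assumed here to be where the genuine TiWorker.exe and system binaries live), and all sample paths are assumptions made for the example.

```python
"""Toy detection pass for the REF4578 behaviours described in the article.

The Event shape below is hypothetical; it is not any EDR's real schema.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Assumption for this example: the genuine TiWorker.exe lives under WinSxS,
# and anything under System32 is treated as a trusted parent.
TRUSTED_DIRS = ("c:\\windows\\winsxs\\", "c:\\windows\\system32\\")

# Task names quoted in the article as REF4578 persistence artifacts.
KNOWN_TASK_NAMES = {"onedrivecloudsync", "defaultbrowserupdate", "onedrivecloudbackup"}

SYSTEM_PRINCIPALS = {"SYSTEM", "NT AUTHORITY\\SYSTEM"}


@dataclass
class Event:
    kind: str                  # "process_create" or "task_create"
    image: str = ""            # full path of the launched image
    parent_image: str = ""     # full path of the creating/parent process
    task_name: str = ""        # scheduled task name (task_create only)
    principal: str = ""        # account the task runs as (task_create only)


@dataclass
class Finding:
    rule: str
    event: Event


def _in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def rule_masquerading_tiworker(ev: Event) -> Optional[Finding]:
    """TiWorker.exe executing from an uncommon directory."""
    if (ev.kind == "process_create"
            and ev.image.lower().endswith("\\tiworker.exe")
            and not _in_trusted_dir(ev.image)):
        return Finding("tiworker-uncommon-directory", ev)
    return None


def rule_powershell_from_untrusted_parent(ev: Event) -> Optional[Finding]:
    """PowerShell launched by a parent outside the trusted directories."""
    if (ev.kind == "process_create"
            and ev.image.lower().endswith("\\powershell.exe")
            and ev.parent_image
            and not _in_trusted_dir(ev.parent_image)):
        return Finding("powershell-from-untrusted-parent", ev)
    return None


def rule_suspicious_system_task(ev: Event) -> Optional[Finding]:
    """Known REF4578 task names, or any SYSTEM task from an untrusted creator."""
    if ev.kind != "task_create":
        return None
    if ev.task_name.lower() in KNOWN_TASK_NAMES:
        return Finding("known-ref4578-task-name", ev)
    if ev.principal.upper() in SYSTEM_PRINCIPALS and not _in_trusted_dir(ev.parent_image):
        return Finding("system-task-from-untrusted-process", ev)
    return None


RULES: List[Callable[[Event], Optional[Finding]]] = [
    rule_masquerading_tiworker,
    rule_powershell_from_untrusted_parent,
    rule_suspicious_system_task,
]


def detect(events: Iterable[Event]) -> List[Finding]:
    """Apply every rule to every event and collect the matches."""
    findings: List[Finding] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                findings.append(hit)
    return findings


# Constructed sample telemetry (paths invented for the example).
SAMPLE_EVENTS = [
    Event("process_create", image="C:\\Windows\\WinSxS\\amd64_example\\TiWorker.exe",
          parent_image="C:\\Windows\\System32\\svchost.exe"),             # benign
    Event("process_create", image="C:\\Users\\Public\\TiWorker.exe",
          parent_image="C:\\Windows\\explorer.exe"),                      # masquerade
    Event("process_create",
          image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
          parent_image="C:\\Users\\Public\\TiWorker.exe"),                # suspicious child
    Event("task_create", task_name="OneDriveCloudSync", principal="SYSTEM",
          parent_image="C:\\Users\\Public\\TiWorker.exe"),                # known name
    Event("task_create", task_name="Backup-Nightly", principal="SYSTEM",
          parent_image="C:\\Windows\\System32\\svchost.exe"),             # benign
    Event("task_create", task_name="Updater", principal="NT AUTHORITY\\SYSTEM",
          parent_image="C:\\Users\\Public\\TiWorker.exe"),                # untrusted creator
]


def run_sample() -> List[str]:
    """Return the rule names fired by the constructed sample, in order."""
    return [f.rule for f in detect(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.event.image or f.event.task_name} <- {f.event.parent_image}")
```

The rules are deliberately narrow: the first two key on execution path and parent-child relationship rather than on command-line content, which is what the "uncommon directories" and "suspicious PowerShell" takeaways point at, and the task rule treats the three published task names as high-confidence indicators while catching renamed variants through the SYSTEM-principal-plus-untrusted-creator combination.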

The REF4578 intrusion set exemplifies the increasing complexity of cyber threats. By leveraging vulnerable drivers and advanced persistence mechanisms, this attack bypasses traditional security measures and achieves its goal of deploying a cryptocurrency miner. Organizations must adopt proactive, multi-layered security strategies to detect and counter such threats: enhanced monitoring of PowerShell activity, vigilant tracking of execution paths, and stringent privilege management are critical steps in mitigating these attacks. Compared with past malware campaigns, this intrusion shows that cyber threats are becoming more intricate, so defensive tactics must keep evolving. Understanding and preparing for these advanced strategies is crucial for maintaining robust cybersecurity defenses.
