Researchers have identified a new intrusion set known as REF4578, which utilizes vulnerable drivers to disable established security solutions (EDRs) on targeted machines. The complex attack installs a cryptocurrency miner, XMRig, and deploys a malicious payload known as GHOSTENGINE, which manages various aspects of the intrusion. This sophisticated campaign underscores the evolving tactics in cybersecurity threats, highlighting the need for robust defensive measures.
The REF4578 intrusion set was first detected on May 6, 2024. Leveraging a PE file disguised as the legitimate Windows TiWorker.exe, the attack initiates a sequence that involves downloading and executing a PowerShell script. The script orchestrates the entire malicious process, starting from the execution of hardcoded command lines to disabling security protocols. This method of operation showcases a significant evolution from previous malware campaigns, where simpler techniques were often employed.
Complexity of REF4578
Elastic Security Labs reported that the initial execution of the malicious Tiworker.exe file triggered several alarms due to its use of a known vulnerable driver. Upon execution, the file downloads a PowerShell script that manages the entire intrusion process. This script attempts to disable Windows Defender and enable remote services, among other actions. The level of sophistication in the REF4578 attack is a notable advancement from previous malware campaigns, reflecting a trend towards more complex and persistent cyber threats.
Role of GHOSTENGINE
GHOSTENGINE, the core component of the attack, is tasked with managing the machine’s modules. It primarily uses HTTP to download files, with fallback protocols like FTP in case of failure. GHOSTENGINE is responsible for disabling EDR agents, establishing persistence through scheduled tasks, and ultimately deploying the XMRig cryptocurrency miner. This multi-faceted approach highlights the potency and adaptability of modern malware.
Establishing Persistence
To ensure long-term presence on the infected system, the attack creates scheduled tasks such as OneDriveCloudSync, DefaultBrowserUpdate, and OneDriveCloudBackup. These tasks run with SYSTEM privileges, making them difficult to detect and remove. Additionally, GHOSTENGINE installs modules that can terminate security tools, check for software updates, and construct a backdoor for future access. This persistence mechanism is a key reason behind the campaign’s effectiveness.
Key Takeaways
Based on the analysis of the REF4578 intrusion, several actionable points emerge for enhancing cybersecurity defenses:
- Monitor and block suspicious PowerShell execution.
- Identify and mitigate executions from uncommon directories.
- Prevent unauthorized privilege escalation to system integrity levels.
- Detect and disable deployment of vulnerable drivers and associated kernel mode services.
The REF4578 intrusion set exemplifies the increasing complexity and sophistication of cyber threats. By leveraging vulnerable drivers and advanced persistence mechanisms, this attack bypasses traditional security measures and achieves its goal of deploying a cryptocurrency miner. Organizations must adopt proactive and multi-layered security strategies to detect and counteract such threats effectively. Enhanced monitoring of PowerShell activities, vigilant tracking of execution paths, and stringent privilege management are critical steps in mitigating these advanced attacks. Comparing this intrusion to past malware campaigns, it is evident that cyber threats are becoming more intricate, necessitating continuous evolution in defense tactics. Understanding and preparing for these advanced strategies are crucial for maintaining robust cybersecurity defenses.
