GHOSTENGINE Malware Terminates EDR Agents That Interfere In Their Process

Researchers discovered REF4578, an intrusion set that uses vulnerable drivers to disable established security solutions (EDRs) for crypto mining and deploys a malicious payload known as GHOSTENGINE.

GHOSTENGINE is in charge of locating and running the machine’s modules. To download files from a configured domain, it mostly uses HTTP, with a backup IP in case the domain is unavailable. It also uses FTP as a backup protocol that includes embedded credentials. 

This campaign required an unusual level of complexity to ensure the XMRIG miner would be installed and persistent.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

REF4578 Execution Flow

Elastic Security Labs reports that the REF4578 intrusion started on May 6, 2024, with the execution of a PE file called Tiworker.exe that was posing as the genuine Windows TiWorker.exe file. 

The telemetry recorded the following alarms, which suggested that a known vulnerable driver had been used.

REF4578 Execution Flow

This file downloads and runs a PowerShell script that manages the intrusion’s whole execution flow when it is executed. 

According to analysis, this program executes a hardcoded PowerShell command line to obtain an obfuscated script called get.png. This script is then used to download more tools, modules, and configurations from the attacker C2.

The powershell script attempts to disable Windows Defender, enable remote services and clean the Windows event log channels. 

get.png disabling Windows Defender and enabling remote services

Next, to establish persistence, get.png creates the OneDriveCloudSync,DefaultBrowserUpdate, and OneDriveCloudBackup scheduled tasks as SYSTEM.

GHOSTENGINE installs a number of modules that can check for software updates, build with security tools, and construct a backdoor.

The main function of the smartscreen.exe module is to end any running EDR agent processes before downloading and setting up a cryptocurrency miner.

“The ultimate goal of the REF4578 intrusion set was to gain access to an environment and deploy a persistent Monero crypto miner, XMRig”, researchers said.


As a result, it is imperative that the following early acts be prevented and detected first:

  • Suspicious PowerShell execution
  • Execution from unusual directories
  • Elevating privileges to system integrity
  • Deploying vulnerable drivers and establishing associated kernel mode services.

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.