GhostMiner: Crypto-Jacking Software Removes Other Miners so It Can Mine Monero

Security researchers at Minerva Labs have uncovered a new strain of cryptocurrency mining malware, dubbed GhostMiner, which uses “fileless” malware delivery techniques to land on systems. What makes it particularly remarkable is that if other crypto-jacking malware is already on the system, it will fight to remove it so it can mine Monero itself.

That said, in spite of this novel and advanced technique, GhostMiner has — as of yet — failed to earn any substantial revenue for its creators: after a three-week-long campaign, GhostMiner only racked up 1.03 Monero, which as of now is worth just over $200. This, of course, is nothing compared to other operations, like the Jenkins miner, which made over $3 million in Monero earlier this year.

Advanced Techniques

While GhostMiner, as of yet, has not been a financial success, the malware is certainly not a technical fiasco.

First off, GhostMiner is the first fileless crypto-mining malware strain detected. The fileless technique has become quite popular with malware in recent years, allowing operations to run malicious code directly from memory without leaving files on disk, and therefore leaving fewer traces for antivirus engines to detect.

Further, GhostMiner employs other advanced techniques to hunt down competing miners and shut down their processes. These include killing running miners with PowerShell’s `Stop-Process -Force` command with the aid of a hard-coded blacklist, stopping and deleting blacklisted miners, and even removing miners that run as blacklisted scheduled tasks.

As for targeting, GhostMiner can infect systems running MSSQL, phpMyAdmin, and Oracle WebLogic servers. But according to Minerva Labs experts, only the WebLogic infection vector was active when they analyzed the recent campaign.

While the techniques utilized by GhostMiner aren’t necessarily new by themselves, this is the first time they have been used together in one malicious application. And one thing’s for sure: they illustrate that GhostMiner’s operators put a lot of thought into assembling their code, which shows just how far malware developers are willing to go to earn their illicit gains.

Minerva Labs

Despite its lack of apparent monetary success so far, Minerva researchers couldn’t let GhostMiner’s authors’ efforts go to waste: the firm’s researchers have decided to turn the tables by using GhostMiner’s advanced competition-killing techniques against it and other mining malware.

The anti-malware platform has released a script, extracted from GhostMiner, that they call MinerKiller. “It implements all the aforementioned tactics – removing known processes, tasks, and services by name and unfamiliar ones by arguments or TCP connections typical to miners,” Minerva Labs said.

MinerKiller can be downloaded from GitHub, but Minerva Labs includes a warning: it’s not liable for any misuse of the script and users should take time to understand it thoroughly before use.
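The three lenses described above (process names, command-line arguments, and scheduled tasks) can be applied from the defender’s side as a report-only sweep. The following PowerShell is an added illustration and is neither GhostMiner code nor Minerva’s MinerKiller; the indicator strings and the sample process and task records are assumed, constructed values, not indicators taken from the article.

```powershell
# Added defender-side illustration: flags, but does not kill, processes and
# scheduled tasks whose name or command line carries miner-typical markers.
# Indicator patterns below are assumed, illustrative examples, not page IoCs.
$ArgPatterns  = @('stratum\+(tcp|ssl)://', '--donate-level', 'cryptonight')
$NamePatterns = @('xmrig', 'minerd')   # assumed examples of well-known miner binaries

function Test-MinerIndicator {
    param([string]$Name, [string]$CommandLine)
    foreach ($p in $NamePatterns) { if ($Name -imatch $p) { return "name:$p" } }
    foreach ($p in $ArgPatterns)  { if ($CommandLine -imatch $p) { return "args:$p" } }
    return $null
}

function Find-SuspectProcesses {
    # Constructed sample rows stand in for Win32_Process output so this runs offline.
    param([object[]]$Processes = @(
        @{ Name='svchost.exe';    ProcessId=812;  CommandLine='C:\Windows\System32\svchost.exe -k netsvcs' },
        @{ Name='powershell.exe'; ProcessId=4412; CommandLine='powershell -o stratum+tcp://pool.example:3333 --donate-level 1' },
        @{ Name='notepad.exe';    ProcessId=5120; CommandLine='notepad.exe C:\notes.txt' }
    ))
    foreach ($proc in $Processes) {
        $hit = Test-MinerIndicator -Name $proc.Name -CommandLine $proc.CommandLine
        if ($hit) {
            [pscustomobject]@{ ProcessId=$proc.ProcessId; Name=$proc.Name; Indicator=$hit; CommandLine=$proc.CommandLine }
        }
    }
}

function Find-SuspectScheduledTasks {
    # Constructed sample tasks; on a live host feed it Get-ScheduledTask action data.
    param([object[]]$Tasks = @(
        @{ TaskName='Backup';  Execute='C:\Tools\backup.exe'; Arguments='/daily' },
        @{ TaskName='Updater'; Execute='C:\Users\Public\xmrig.exe'; Arguments='-o stratum+ssl://pool.example:443' }
    ))
    foreach ($t in $Tasks) {
        $hit = Test-MinerIndicator -Name $t.Execute -CommandLine "$($t.Execute) $($t.Arguments)"
        if ($hit) { [pscustomobject]@{ Task=$t.TaskName; Indicator=$hit; Execute=$t.Execute } }
    }
}

# Live use on a Windows host (uncomment): pass real process rows instead of the samples.
# Find-SuspectProcesses -Processes (Get-CimInstance Win32_Process | Select-Object Name, ProcessId, CommandLine)
Find-SuspectProcesses       | Format-Table -AutoSize
Find-SuspectScheduledTasks  | Format-Table -AutoSize
```

Run as-is it reports the constructed PowerShell process (argument match) and the constructed Updater task (name match); anything it flags on a live host should be triaged, not killed blindly, since the article’s own warning about understanding such scripts before use applies equally here.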

23.03.2018 / 13:49