Saturday, December 28, 2024
HomeMalwarePowerGhost Malware Remotely Attack Corporate Network Servers & Workstations using EternalBlue Exploit

PowerGhost Malware Remotely Attack Corporate Network Servers & Workstations using EternalBlue Exploit

Published on

SIEM as a Service

Newly discovered  PowerGhost Malware Spreading across corporate networks that infecting both servers and workstations to illegally mining the crypt-currency and Perform DDoS Attacks.

Cybercriminals targeting large number corporate networks to mining the cryptocurrency and DDoS attack to generate huge profits.

Enterprise Networks should choose the best DDoS Attack prevention services to ensure the DDoS attack protection and prevent their network.

- Advertisement - SIEM as a Service

In this case, attackers using fileless malware techniques to maintain the persistence and it used to bypass the antivirus detection and leverage the corporate vulnerabilities using known exploits such as Eternalblue.

PowerGhost malware miner is encountered most often in India, Brazil, Columbia, and Turkey and infected a large number of corporate companies local area networks.

PowerGhost Malware Infection Techniques

Initially, victims affected using remote administration tools or remotely using exploits and the PowerShell scripts will download the miner’s and immediately launches it into the hard drive.

PowerGhost act as an Obfuscated PowerShell scripts that contains a number of core modules such as miners, libraries for mining operations and PE file injection for Eternalblue exploit.

  • Miner – mimikatz
  • libraries – msvcp120.dll and msvcr120.dll
  • PE injection and shellcode

Scripts performing the several stages and it is capable of self-update its module that keeps checking its C2 server, if it found any, then it automatically update itself.

According to kaspersky , With the help of mimikatz, the miner obtains the user account credentials from the current machine, uses them to log on and attempts to propagate across the local network by launching a copy of itself via WMI and download the miner body from C2 server.

PowerGhost try to spread across the local network using the EternalBlue exploit (MS17-010, CVE-2017-0144).

Later it escalates its privileges when it landing into the new system with the 32- or 64-bit exploits for MS16-032, MS15-051, and CVE-2018-8120. Finally, the script launches the miner by loading a PE file via reflective PE injection.

Researchers also found a tool for conducting DDoS attacks in one of the PowerGhost version to make extra money along with the mining operation profit.

Protect your corporate networks from future attacks and also Check your Companies DDOS Attack Downtime Cost.

Indicators of compromise

MD5:

AEEB46A88C9A37FA54CA2B64AE17F248
4FE2DE6FBB278E56C23E90432F21F6C8
71404815F6A0171A29DE46846E78A079
81E214A4120A4017809F5E7713B7EAC8

Also Read

Hackers Mined Monero Worth $90000 by Pushing 17 Malicious Images to a Docker Hub

Hackers using ETERNALBLUE Exploit in Cryptocurrency Mining Malware to Mine Monero using Vulnerable Windows Machines

The Pirate Bay Mining Monero Cryptocurrency – Beware & Here the Best TPB Alternative 2018

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Lumma Stealer Attacking Users To Steal Login Credentials From Browsers

Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a...

New ‘OtterCookie’ Malware Attacking Software Developers Via Fake Job Offers

Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated...

NjRat 2.3D Pro Edition Shared on GitHub: A Growing Cybersecurity Concern

The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms...

Palo Alto Networks Vulnerability Puts Firewalls at Risk of DoS Attacks

A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Lumma Stealer Attacking Users To Steal Login Credentials From Browsers

Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a...

New ‘OtterCookie’ Malware Attacking Software Developers Via Fake Job Offers

Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated...

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer...