Digital Enemy of the Corporate Networks

To add up to the numerous malwares, a new member named, PowerGhost malware, has joined the family lately. Like wildfire, this malware is swiftly finding its way into the corporate networks, mostly corrupting workstations and servers. Reason being, the ill legitimate mining of the crypt currency and operating DDoS (Distributing Denial of Service) attacks for gaining major profit.

PowerGhost malware miner is stumbled upon the most in Brazil, Colombia, Turkey, and India. It has successfully and unfortunately, infected the organizations’ local area networks.

It’s imperative for all the corporate bodies to choose the best prevention software to counter the DDoS attacks. Attackers use file-less malware techniques to uphold the continuity and use it to circumvent the anti-virus detection and pile up on the vulnerabilities by making use of exploits like ‘Eternal Blue’.

Infection Modes of PowerGhost malware

At the outset, the victims were infected by remote administration tools or by using out of the way exploits and the PowerShell scripts which at an instant launched it into the hard drive.

Basically, PowerGhost performs as an obscure PowerShell script that comprises a number of core modules. For instance, libraries for mining operations, miners and PE file injection for Eternal Blue exploit.

Some of them are:-
msvcp120.dll and msvcr120.dll (Libraries)
Mimikatz (Miner)
PE injection and shellcode

The malware also tries to speed about the local networks using ‘Eternal Blue’ (MS17-010, CVE-2017-0144). Afterward, it lands into the new system with the surprising 32 and 64-bit exploits for MS-16-032, MS-15-051, and CVE-2018-8120.

The scripts operate at quite a few stages and can competently ‘Self-update’. Its module keeps checking its C2 server. The moment the module finds something, it automatically updates itself and ultimately, the script dispatches the miner by loading a PE file through the reflective PE injection.

According to one of the major anti-virus brands, with the assistance of Mimikatz, the miner could attain the user’s account and credentials from the current machine. The miner could also use them to make an attempt towards proliferating across the local networks by releasing a copy of itself via WMI and download the miner body from C2 server.

As a result of research it has been uncovered that for conducting DDoS attacks one of the many tools is one of the versions of PoweGhost and it is used for making money along with the mining operation profit.