Demystifying PowerGhost: A Fileless Cryptominer
Tejas Girme, Qualys.
Our recent analysis of a malware family named PowerGhost shows how far the trend of leveraging PowerShell features has been pushed. PowerGhost is a fileless cryptominer that makes extensive use of PowerShell, which makes it one of the most persistent and complex malware samples we have analyzed. Its PowerShell usage is not limited to downloading and executing executable components; it goes far beyond that.
This paper presents a thorough analysis of the PowerGhost cryptominer. It focuses on how PowerShell features are leveraged to access COM and WMI objects. The key points covered in the paper are:
- Persistence Techniques
- PowerShell Usage: COM and WMI objects
- Reflective DLL Loading
- Network Traversal Capabilities
- Exploiting ETERNALBLUE
- Payload – Execute CryptoMiner
- Detection Evasion Techniques
Tejas Girme is a Malware Researcher at Qualys. He has expertise in tracking and analyzing active malware threats. Recently, he has been tracking ransomware and cryptominer threats. Prior to Qualys, he worked as a Threat Research Engineer with Quick Heal Security Labs. He has more than 5 years of experience in malware analysis and reverse engineering.