Demystifying PowerGhost: A Fileless Cryptominer

 Tejas Girme,  Qualys.

Powershell seems to be favourite framework for malware attackers in recent times. It became popular, when it helped malwares to have its Fileless existence in the infected system. The malware remained Fileless to easily disguise themselves from the security products to remain persistent. Later, the powershell usage was seen for malware widespread through macro embedded documents and JavaScript embedded PDF files.

The shift in the trend of leveraging the powershell features at extreme level is seen in our recent analysis of malware, named as PowerGhost. PowerGhost is a Fileless Cryptominer, which makes extensive use of powershell to make itself one of the persistent and most complex malware. The powershell usage is not just limited to downloading and executing executable components, but it far more.

The paper will present the thorough analysis of PowerGhost CryptoMiner. It will focus on how the powershell features are leveraged to access COM and WMI objects. The key points that I will touch upon through this paper:

  • Persistence Techniques
  • Fileless
  • PowerShell Usage: COM and WMI objects
  • Reflective DLL Loading
  • Network Traversal Capabilities
  • Exploiting ETERNALBLUE
  • Payload – Execute CryptoMiner
  • Detection Evasion Techniques

Tejas Girme

Tejas Girme is a Malware Researcher at Qualys. He has expertise in tracking and analyzing active malware threats. In recent time, he has been tracking Ransomware and CryptoMiner threats. Prior to Qualys, he has worked as Threat Research Engineer with Quick Heal Security Labs. He has total experience of 5+ years in malware analysis and reverse engineering.

The Dynamic Security Ecosystem
Other Topics