PowerGhost: a new fileless cryptominer targeting corporate networks around the world
Researchers at Kaspersky Lab have discovered a new cryptocurrency miner, PowerGhost, that has hit corporate networks in different parts of the world, mainly in Latin America. This is the latest episode in a worrying trend: financially motivated cybercriminals are increasingly using mining software in targeted attacks. As the trend evolves, companies are at risk, because these miners sabotage and slow down corporate networks, causing damage to the entire business while generating profit for the attackers.
Cryptocurrency miners are now a hot topic in the cybersecurity world. This specialized mining software creates new virtual currency by using the computing power of victims' computers or mobile devices. It does so at the expense of legitimate users and profits from their machines without their knowledge. The threat has exploded recently and is replacing ransomware as the main type of malware, as shown by a previous Kaspersky Lab study. The rise of PowerGhost adds a further dimension to the phenomenon: it shows that the developers of malicious miners are turning to targeted attacks to increase their revenue, as Kaspersky Lab researchers predicted.
A discreet mode of operation that is difficult to neutralize
PowerGhost spreads across corporate networks and infects both workstations and servers. The main victims of this attack so far are corporate users in Brazil, Colombia, India and Turkey. Notably, PowerGhost uses various fileless techniques to enter the corporate network discreetly: the miner is not written directly to disk, which makes its detection and neutralization more complicated.
A machine is infected remotely, either by exploiting a vulnerability or by using remote administration tools (RATs). Once the machine has been infected, the main body of the miner is downloaded and executed without being stored on the hard drive. The cybercriminals can then make the miner update itself automatically, spread across the network and start the mining process.
"The PowerGhost attacks we have seen are focused on corporate networks, using the computing power of desktops and servers to generate cryptocurrency for the hackers. Malicious cryptocurrency mining is a real threat to businesses: it dramatically reduces IT performance and accelerates hardware wear, with additional costs as a result," says Ronan Mouchoux, security researcher at Kaspersky Lab.
Kaspersky Lab products detect this threat under the following names:
• PDM:Trojan.Win32.Generic
• PDM:Exploit.Win32.Generic
• HEUR:Trojan.Win32.Generic
• not-a-virus:HEUR:RiskTool.Win32.BitMiner.gen
To reduce the risk of cryptominer infection, users should take the following precautions:
1. Always keep the software on all equipment in use up to date. Use tools that automatically detect vulnerabilities and download and install patches, so that cryptominers cannot exploit known vulnerabilities.
2. Do not overlook less obvious targets, such as queue management systems, POS (point-of-sale) terminals and even vending machines. This type of equipment can also be hijacked to mine cryptocurrency.
3. Use a dedicated security solution that includes application control, behavioral detection and exploit mitigation components, which monitor suspicious software activity and block the execution of malicious files. Kaspersky Endpoint Security for Business integrates these functions.
4. Train users and IT teams in the organization to protect the business environment, keep sensitive data secure and restrict access.