Crypto-miners are becoming alarmingly widespread. In fact, a new form of sophisticated miner was lately discovered. The miner, named GhostMiner, uses advanced techniques copied from the malware world.
For example, it uses Windows built-in PowerShell framework to run in file-less mode. This technique is popular practice used by malware, allowing them to run completely from memory, leaving no trace on the file system. As a result, GhostMiner is less susceptible to detection by conventional anti-malware solutions. Furthermore, GhostMiner looks to spread at the environment. It scans random IP addresses, looking to attack servers running MSSQL, Oracle WebLogic and phpMyAdmin. GhostMiner also leverages a hard-coded blacklist to hunt down and kill competing miners on the victim machine. Though this kind of behaviour was observed in the past, and it’s not completely new, it gives us a closer look at the author’s nefarious intentions.
The good news is that SentinelOne protects against GhostMiner. With its unique machine learning techniques, SentinelOne technology detects the miner behavioural patterns and prevents it from running.
In this video you can observe how SentinelOne agent installed on a “victim” machine was able to detect GhostMiner and protect from it. The presented use case demonstrates how an attacker connects remotely to the target machine and launches the attack in-memory. SentinelOne agent detects the lateral movement and the usage of file-less PowerShell-based malware, as presented at the SentinelOne console. It then mitigates the threat, by killing the malicious process. All of that is done in few milliseconds.