GhostMiner Uses Fileless Techniques, Removes Other Miners, But Makes Only $200

Security researchers from Minerva Labs have discovered a new strain of cryptocurrency-mining malware that uses PowerShell code to obtain fileless execution, and scans and stops the process of other miners that might be running on the same infected host.

But in spite of all these highly advanced techniques, this coinminer strain —codenamed GhostMiner by researchers— has failed to earn any substantial revenue for its creators.

Experts say that after a three-week-long campaign, GhostMiner only racked up 1.03 Monero, which is worth only around $200, at the time of writing.

This is peanuts compared to other coinmining crews who managed to rack up tens or hundreds of thousands, with one crew making nearly $3 million.

GhostMiner uses advanced techniques

But while GhostMiner appears to be a resounding failure in terms of operational success, the malware is certainly not a technical fiasco.

For starters, this appears to be the first fileless cryptocurrency miner malware strain detected. The fileless technique has become quite popular with malware in recent years, allowing them to run malicious code directly from memory, without leaving files on disk, hence fewer artifacts that classic antivirus engines could detect.

Further, GhostMiner also employs another advanced technique, of hunting competing miners and shutting down their processes. The technique isn't new, as it's been used by another nondescript coinminer strain, but this shows that GhostScript's author has put a lot more thought into assembling his code than most other crooks.

GhostMiner targets Oracle WebLogic servers

As for targeting, GhostMiner can infect systems running MSSQL, phpMyAdmin, and Oracle WebLogic servers. But according to Minerva Labs experts, only the WebLogic infection system was active when they analyzed the recent campaign.

Researchers say GhostMiner would scan random IPs for WebLogic servers, use the CVE-2017-10271 exploit to gain a foothold on a new victim's system, and run two PowerShell scripts to launch into its fileless operational mode, from where it downloads its coinmining component and the self-protection mechanism.

GhostMiner isn't the first or only coinminer that targets WebLogic servers, as two separate campaigns were detected active earlier this year [1, 2], with one of them earning more than $226,000 in revenue.

However, security researchers couldn't let GhostMiner's authors efforts go to waste, especially the work they put into creating an index of the various coinmining-related OS processes that someone might find on an infected host.

Minerva experts took this list and used it for good, and created a PowerShell script that hunts down and removes coinminers from infected hosts. The script is available on GitHub.