GHOSTENGINE加密挖矿恶意软件分析与防御指南<\/h1>

概述<\/h2>
GHOSTENGINE是一个复杂的恶意软件入侵集(REF4578)，主要目标是通过禁用安全解决方案(EDR)来部署持久性的门罗币(XMR)加密挖矿程序。该恶意软件由Elastic Security Labs发现，Antiy团队将其部分功能命名为HIDDENSHOVEL。<\/p>

主要特点<\/h2>

利用易受攻击的驱动程序(来自Avast和IObit)禁用EDR代理<\/li>
多阶段感染流程，包含多个恶意模块<\/li>
建立持久性机制确保长期驻留<\/li>
部署XMRig挖矿程序进行门罗币挖矿<\/li>
包含后门功能实现远程命令执行<\/li>

采用多种反检测和清除痕迹技术<\/li> <\/ul>

感染流程分析<\/h2>

初始感染阶段<\/h3>

初始执行<\/strong>：通过伪装成合法Windows文件(如Tiworker.exe)的PE文件启动感染链<\/li>
PowerShell脚本下载<\/strong>：二进制文件执行硬编码PowerShell命令行以下载混淆脚本<\/li>

C2通信<\/strong>：脚本从攻击者C2服务器下载工具、模块和配置，使用HTTP为主协议，FTP为备用协议<\/li> <\/ol>
清理阶段<\/h3>

清除先前感染<\/strong>：删除以下目录中的恶意文件：

C:\Program Files\Common Files\System\ado<\/code><\/li>
C:\PROGRA~1\COMMON~1\System\ado\<\/code><\/li> <\/ul> <\/li>
删除计划任务<\/strong>：清除以下计划任务： Microsoft Assist Job<\/li> System Help Center Job<\/li> SystemFlushDns<\/li> SystemFlashDnsSrv<\/li> <\/ul> <\/li> 禁用安全防护<\/strong>：禁用Windows Defender<\/li> 启用远程服务<\/li> <\/ul> <\/li> 日志清除<\/strong>：清理以下Windows事件日志通道： Application<\/li> Security<\/li> Setup<\/li> System<\/li> Forwarded Events<\/li> Microsoft-Windows-Diagnostics-Performance<\/li> Microsoft-Windows-AppModel-Runtime\/Operational<\/li> Microsoft-Windows-Winlogon\/Operational<\/li> <\/ul> <\/li> 磁盘清理<\/strong>：清理临时目录：C:\Windows\Temp\<\/code>, C:\Windows\Logs\<\/code>, C:\$Recycle.Bin\<\/code>, C:\windows\ZAM.krnl.trace<\/code><\/li> 若C盘空间不足，在其他卷(如C:\Windows\Fonts<\/code>或$RECYCLE.BIN\Fonts<\/code>)创建文件夹<\/li> <\/ul> <\/li> <\/ol> 持久性建立<\/h3> 创建以下计划任务确保长期驻留：<\/p> OneDriveCloudSync<\/strong>：每20分钟运行一次恶意服务DLL C:\Windows\System32\oci.dll<\/code><\/li> DefaultBrowserUpdate<\/strong>：每60分钟下载并执行脚本C:\Users\Public\run.bat<\/code><\/li> OneDriveCloudBackup<\/strong>：每40分钟执行一次C:\Windows\Fonts\smartsscreen.exe<\/code><\/li> <\/ol> 模块下载与执行<\/h3> 恶意软件下载并执行多个模块：<\/p> 路径<\/th> 类型<\/th> 描述<\/th> <\/tr> <\/thead> C:\Windows\System32\drivers\aswArPots.sys<\/code><\/td> Kernel driver<\/td> Avast的脆弱驱动程序<\/td> <\/tr> C:\Windows\System32\drivers\IObitUnlockers.sys<\/code><\/td> Kernel driver<\/td> IObit的脆弱驱动程序<\/td> <\/tr> C:\Windows\Fonts\curl.exe<\/code><\/td> PE executable<\/td> 用于通过cURL下载文件<\/td> <\/tr> C:\Windows\Fonts\smartsscreen.exe<\/code><\/td> PE executable<\/td> 核心负载(GHOSTENGINE)<\/td> <\/tr> C:\Windows\System32\oci.dll<\/code><\/td> Service DLL<\/td> 持久性\/更新模块<\/td> <\/tr> backup.png<\/code><\/td> Powershell script<\/td> 后门模块<\/td> <\/tr> kill.png<\/code><\/td> Powershell script<\/td> 注入并执行终止安全传感器的PE文件<\/td> <\/tr> <\/tbody> <\/table> 核心模块分析<\/h2> EDR代理控制器和矿工模块(smartsscreen.exe)<\/h3> EDR进程终止<\/strong>：<\/p> 扫描所有运行进程，与硬编码EDR代理列表比对<\/li> 使用Avast反rootkit驱动程序(aswArPots.sys<\/code>)通过PID终止进程<\/li> 使用IObit易受攻击驱动程序(IObitUnlockers.sys<\/code>)通过IOCTL 0x222124<\/code>删除安全代理二进制文件<\/li> <\/ul> <\/li> 挖矿程序部署<\/strong>：<\/p> 从C2服务器下载XMRig客户端，重命名为XMRig.smartscreen.exe<\/code><\/li> 执行XMRig及其驱动程序和配置文件，启动挖矿进程<\/li> <\/ul> <\/li> <\/ol> 更新\/持久化模块(oci.dll)<\/h3> 架构支持<\/strong>：提供32位和64位版本<\/li> 功能<\/strong>：创建系统持久性<\/li> 从C2服务器下载并执行更新脚本<\/li> 每次服务启动时加载并生成PowerShell一行代码执行<\/li> <\/ul> <\/li> <\/ol> EDR代理终止模块(kill.png)<\/h3> 注入技术<\/strong>：将shellcode注入当前进程<\/li> 解密并将PE文件加载到内存中<\/li> <\/ul> <\/li> 持续扫描<\/strong>：不断扫描新进程，终止任何新出现的EDR代理<\/li> <\/ol> PowerShell后门模块(backup.png)<\/h3> 通信机制<\/strong>：持续发送Base64编码的JSON对象，包含基于时间和计算机名的唯一ID<\/li> 示例：{"id":"171568624072626","host":"analysis"}<\/code><\/li> <\/ul> <\/li> 命令执行<\/strong>：接收base64编码命令<\/li> 执行并将结果发送回C2服务器<\/li> <\/ul> <\/li> <\/ol> 挖矿配置分析<\/h2> XMRig配置摘录：<\/p> { <\/span><\/span> "autosave"<\/span>: false<\/span>, <\/span><\/span> "background"<\/span>: true<\/span>, <\/span><\/span> "colors"<\/span>: true<\/span>, <\/span><\/span> "donate-level"<\/span>: 0<\/span>, <\/span><\/span> "donate-over-proxy"<\/span>: 0<\/span>, <\/span><\/span> "pools"<\/span>: [ <\/span><\/span> { <\/span><\/span> "algo"<\/span>: "rx\/0"<\/span>, <\/span><\/span> "coin"<\/span>: "monero"<\/span>, <\/span><\/span> "url"<\/span>: "pool.supportxmr[.]com:443"<\/span>, <\/span><\/span> "user"<\/span>: "468ED2Qcchk4shLbD8bhbC3qz2GFXqjAUWPY3VGbmSM2jfJw8JpSDDXP5xpkMAHG98FHLmgvSM6ZfUqa9gvArUWP59tEd3f"<\/span>, <\/span><\/span> "keepalive"<\/span>: true<\/span>, <\/span><\/span> "tls"<\/span>: true<\/span>, <\/span><\/span> "user-agent"<\/span>: "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/116.0.0.0 Safari\/537.36"<\/span>, <\/span><\/span> "verbose"<\/span>: 0<\/span>, <\/span><\/span> "watch"<\/span>: true<\/span>, <\/span><\/span> "pause-on-battery"<\/span>: false<\/span>, <\/span><\/span> "pause-on-active"<\/span>: false<\/span> <\/span><\/span> } <\/span><\/span> ] <\/span><\/span>} <\/span><\/span><\/code><\/pre>门罗币支付分析<\/h3> 支付ID<\/strong>: 468ED2Qcchk4shLbD8bhbC3qz2GFXqjAUWPY3VGbmSM2jfJw8JpSDDXP5xpkMAHG98FHLmgvSM6ZfUqa9gvArUWP59tEd3f<\/code><\/li> 交易示例<\/strong>：哈希: 7c106041de7cc4c86cb9412a43cb7fc0a6ad2c76cfdb0e03a8ef98dd9e744442<\/code><\/li> 金额: 0.1099 XMR (约14.86美元)<\/li> <\/ul> <\/li> 总收益<\/strong>：2024年1月至3月期间约60.70美元<\/li> <\/ul> MITRE ATT&CK映射<\/h2> 战术<\/th> 技术<\/th> <\/tr> <\/thead> Execution<\/td> T1059.001: Command and Scripting Interpreter: PowerShellT1059.003: Command and Scripting Interpreter: Windows Command Shell<\/td> <\/tr> Persistence<\/td> T1053.005: Scheduled Task\/Job: Scheduled Task<\/td> <\/tr> Defense Evasion<\/td> T1070.001: Indicator Removal: Clear Windows Event LogsT1036: MasqueradingT1055: Process Injection<\/td> <\/tr> Discovery<\/td> T1057: Process Discovery<\/td> <\/tr> Command and Control<\/td> T1041: Exfiltration Over C2 ChannelT1132.001: Data Encoding<\/td> <\/tr> Impact<\/td> T1496: Resource HijackingT1489: Service Stop<\/td> <\/tr> <\/tbody> <\/table> 检测与防御<\/h2> 检测指标<\/h3> 初始感染检测点<\/strong>：<\/p> 可疑的PowerShell执行<\/li> 从异常目录(如Fonts目录)执行<\/li> 权限提升至系统完整性<\/li> 部署易受攻击驱动程序并建立内核模式服务<\/li> <\/ul> <\/li> 网络流量检测<\/strong>：<\/p> DNS记录查找指向已知矿池域<\/li> HTTP\/HTTPS(80\/443端口)或Stratum协议(默认4444端口)的挖矿通信<\/li> <\/ul> <\/li> 行为检测规则<\/strong>：<\/p> 通过脚本解释器生成的服务控制<\/li> 创建本地定时任务<\/li> 从异常目录执行进程<\/li> Svchost产卵Cmd<\/li> 不寻常的亲子关系<\/li> 清除Windows事件日志<\/li> Microsoft Windows Defender篡改<\/li> 通过丢失DLL的潜在权限升级<\/li> 通过不可信路径进行二进制伪装<\/li> <\/ul> <\/li> <\/ol> 预防措施<\/h3> 恶意文件防范<\/strong>：阻止GHOSTENGINE相关文件执行<\/li> 防止Shellcode注入<\/li> <\/ul> <\/li> 漏洞驱动防护<\/strong>：阻止Avast(Windows.VulnDriver.ArPot<\/code>)和IObit(Windows.VulnDriver.IoBitUnlocker<\/code>)脆弱驱动程序的创建和执行<\/li> <\/ul> <\/li> YARA规则<\/strong>：使用Elastic Security提供的YARA规则检测相关恶意软件： Windows木马GHOSTENGINE<\/li> Windows.VulnDriver.ArPot<\/li> Windows.VulnDriver.IoBitUnlocker<\/li> <\/ul> <\/li> <\/ul> <\/li> <\/ol> 观测数据(IOCs)<\/h2> 文件哈希<\/h3> SHA-256<\/th> 文件路径<\/th> 描述<\/th> <\/tr> <\/thead> 2fe78941d74d35f721556697491a438bf3573094d7ac091b42e4f59ecbd25753<\/td> C:\Windows\Fonts\smartsscreen.exe<\/td> GHOSTENGINE EDR控制器模块<\/td> <\/tr> 4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1<\/td> C:\Windows\System32\drivers\aswArPots.sys<\/td> Avast脆弱驱动程序<\/td> <\/tr> 2b33df9aff7cb99a782b252e8eb65ca49874a112986a1c49cd9971210597a8ae<\/td> C:\Windows\System32\drivers\IObitUnlockers.sys<\/td> Iobit脆弱驱动程序<\/td> <\/tr> 3ced0552b9ecf3dfecd14cbcc3a0d246b10595d5048d7f0d4690e26ecccc1150<\/td> C:\Windows\System32\oci.dll<\/td> 更新\/持久化模块(64位)<\/td> <\/tr> 3b2724f3350cb5f017db361bd7aae49a8dbc6faa7506de6a4b8992ef3fd9d7ab<\/td> C:\Windows\System32\oci.dll<\/td> 更新\/持久化模块(32位)<\/td> <\/tr> 35eb368c14ad25e3b1c58579ebaeae71bdd8ef7f9ccecfc00474aa066b32a03f<\/td> C:\Windows\Fonts\taskhostw.exe<\/td> 矿工客户端<\/td> <\/tr> 786591953336594473d171e269c3617d7449876993b508daa9b96eedc12ea1ca<\/td> C:\Windows\Fonts\config.json<\/td> 矿工配置文件<\/td> <\/tr> 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5<\/td> C:\Windows\Fonts\WinRing0x64.sys<\/td> 矿工驱动程序<\/td> <\/tr> aac7f8e174ba66d62620bd07613bac1947f996bb96b9627b42910a1db3d3e22b<\/td> C:\ProgramData\Microsoft\DeviceSync\SystemSync\Tiworker.exe<\/td> 初始加载器<\/td> <\/tr> 6f3e913c93887a58e64da5070d96dc34d3265f456034446be89167584a0b347e<\/td> backup.png<\/td> GHOSTENGINE后门模块<\/td> <\/tr> 7c242a08ee2dfd5da8a4c6bc86231985e2c26c7b9931ad0b3ea4723e49ceb1c1<\/td> get.png<\/td> GHOSTENGINE加载器<\/td> <\/tr> cc4384510576131c126db3caca027c5d159d032d33ef90ef30db0daa2a0c4104<\/td> kill.png<\/td> GHOSTENGINE EDR终止模块<\/td> <\/tr> <\/tbody> <\/table> C2基础设施<\/h3> 类型<\/th> 值<\/th> <\/tr> <\/thead> 域名<\/td> download.yrnvtklot[.]com<\/td> <\/tr> IPv4<\/td> 111.90.158[.]40<\/td> <\/tr> 域名<\/td> ftp.yrnvtklot[.]com<\/td> <\/tr> IPv4<\/td> 93.95.225[.]137<\/td> <\/tr> 域名<\/td> online.yrnvtklot[.]com<\/td> <\/tr> <\/tbody> <\/table> 总结<\/h2> GHOSTENGINE是一个高度复杂的加密挖矿恶意软件，采用多阶段感染流程，利用脆弱驱动程序禁用安全解决方案，并建立持久性机制确保长期驻留。组织应重点关注初始感染阶段的检测，特别是异常PowerShell执行、从非标准目录加载以及脆弱驱动程序的部署。通过监控提供的IOCs和实施推荐的防御措施，可以有效降低GHOSTENGINE带来的风险。<\/p>

GHOSTENGINE加密挖矿恶意软件分析与防御指南<\/h1>

概述<\/h2> GHOSTENGINE是一个复杂的恶意软件入侵集(REF4578)，主要目标是通过禁用安全解决方案(EDR)来部署持久性的门罗币(XMR)加密挖矿程序。该恶意软件由Elastic Security Labs发现，Antiy团队将其部分功能命名为HIDDENSHOVEL。<\/p>

感染流程分析<\/h2>

核心模块分析<\/h2>

检测与防御<\/h2>

观测数据(IOCs)<\/h2>

概述<\/h2>
GHOSTENGINE是一个复杂的恶意软件入侵集(REF4578)，主要目标是通过禁用安全解决方案(EDR)来部署持久性的门罗币(XMR)加密挖矿程序。该恶意软件由Elastic Security Labs发现，Antiy团队将其部分功能命名为HIDDENSHOVEL。<\/p>