GhostMiner fileless cryptomining malware has code that kills itself and other strains

Monero-mining malware GhostMiner is fileless, nearly undetectable, removes competing cryptominers, and may have provided experts with a way to eliminate cryptomining infections.


Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • A newly-discovered cryptomining malware strain called GhostMiner is the first known fileless mining malware discovered. It also contains advanced competition-killing functions to eliminate other cryptomining infections.
  • Researchers from Minerva Labs have turned GhostMiner's own capabilities against it by extracting its miner-killing scripts into a tool for security pros to use during incident response.

A newly-discovered fileless cryptomining malware—the first of its kind—dubbed GhostMiner contains innovative coding that could make it dangerous, but may have inadvertently given security experts the keys to its own undoing.

Discovered by cybersecurity firm Minerva Labs, GhostMiner buries itself inside of two nested PowerShell evasion scripts: Invoke-ReflectivePEInjection.ps1 and Out-CompressedDll.ps1. A fully constructed GhostMiner payload is currently undetectable by all antivirus engines on VirusTotal.

GhostMiner specifically targets Oracle WebLogic servers and spreads by scanning IP addresses. During its scans, it looks for running instances of WebLogic software, MSSQL, or phpMyAdmin, and spreads to machines with those applications.

The newly discovered malware is also able to deactivate other cryptomining malware on machines it infects using a variety of tools. Bleeping Computer noted that "GhostMiner's author has put a lot more thought into assembling his code than most other crooks," and that's a definite fact.

Unfortunately for GhostMiner, it contains code that was used to create tools that destroy it, which Minerva Labs has built and distributed for security professionals to use in cleaning a variety of cryptomining infections.

GhostMiner: An advanced threat

GhostMiner is an innovative, complicated form of cryptomining malware that contains a few firsts in the rapidly-growing cryptomining infection space.

For starters, it appears to be the first fileless cryptomining infection to be discovered. Fileless infections are able to run directly from system memory, making it appear as if they are part of normal operations and not an injected script.

GhostMiner also employs some new techniques to kill off competing cryptomining malware running on infected machines. Minerva Labs doesn't specify which of its competition killers are new, but states that it is able to eliminate other miners by:

  • Killing miners that are currently running using the "Stop-Process -force" PowerShell command.
  • Stopping and deleting blacklisted miner services by name.
  • Removing miners that run as scheduled blacklisted tasks.
  • Stopping and deleting miners using their command line arguments using WMI and PowerShell.
  • Killing miners by looking at existing TCP connections and killing those associated with cryptomining ports.

Fighting fire with fire

Cryptomining malware that attacks its competitors isn't new, according to Bleeping Computer—at least one other cryptomining strain has made use of such techniques. In this case, however, security researchers have decided to turn the tables by using GhostMiner's advanced competition-killing techniques against it and other mining malware.

SEE: Incident response policy (Tech Pro Research)

Minerva Labs has released a script, extracted from GhostMiner, that they call MinerKiller. "It implements all the aforementioned tactics - removing known processes, tasks and services by name and unfamiliar ones by arguments or TCP connections typical to miners," Minerva Labs said.

MinerKiller can be downloaded from GitHub, but Minerva Labs includes a warning: It's not liable for any misuse of the script and users should take time to understand it thoroughly before use. TechRepublic also cannot verify the safety or effectiveness of the MinerKiller script and advises security professionals to use at their own risk.

Also see

bitcoin-circuit.jpg
Getty Images/iStockphoto

About Brandon Vigliarolo

Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.

Editor's Picks

Free Newsletters, In your Inbox