GhostMiner: Crypto-Jacking Software Removes Other Miners so It Can Mine Monero

Security researchers at Minerva Labs have uncovered a new strain of cryptocurrency mining malware, dubbed GhostMiner, which uses “fileless” malware delivery techniques to land on systems. What makes it particularly remarkable is that if other crypto-jacking malware is already in the system, it will fight to remove it so it can mine Monero itself.

That said, in spite of this novel and advanced technique, Ghostminer has — as of yet — failed to earn any substantial revenue for its creators: after a three-week-long campaign, GhostMiner only racked up 1.03 Monero, which as of now is worth just over $200. This, of course, is nothing compared to other operations, like the Jenkins miner, which made over $3 million in Monero earlier this year.

Advanced Techniques

While GhostMiner, as of yet, has not been a financial success, the malware is certainly not a technical fiasco.

First off, this approach is the first fileless crypto-mining malware strain detected. The fileless technique has become quite popular with malware in recent years, allowing operations to run malicious code directly from memory, without leaving files on disk, therefore leaving fewer clues for antivirus engines to detect.

Further, GhostMiner employs other advanced techniques to hunt down competing miners and shutting down their processes. These include killing running miners by using PowerShell’s “Stop-Process-force” command with the aid of a hard-coded blacklist, stop and delete blacklisted miners, and even removing miners which are run as blacklisted scheduled tasks.

As for targeting, GhostMiner can infect systems running MSSQL, phpMyAdmin, and Oracle WebLogic servers. But according to Minerva Labs experts, only the WebLogic infection system was active when they analyzed the recent campaign.

While the techniques utilized by GhostMiner aren’t necessarily new by themselves, this is the first time they have been used together in one malicious application. And one thing’s for sure, they illustrate that GhostScript’s operators put a lot of thought into assembling their code, which shows just how far malware developers are willing to go to earn their illicit gains. 

Minerva Labs

Despite it’s lack of apparent monetary success so far, Minerva researchers couldn’t let GhostMiner’s authors efforts go to waste: the firms researchers have decided to turn the tables by using GhostMiner’s advanced competition-killing techniques against it and other mining malware.

The anti-malware platform has released a script, extracted from GhostMiner, that they call MinerKiller. “It implements all the aforementioned tactics – removing known processes, tasks, and services by name and unfamiliar ones by arguments or TCP connections typical to miners,” Minerva Labs said.

MinerKiller can be downloaded from GitHub, but Minerva Labs includes a warning: it’s not liable for any misuse of the script and users should take time to understand it thoroughly before use.