Researchers spot cryptojacking attack that disables endpoint protections

Researchers spot cryptojacking attack that disables endpoint protections

Enlarge (credit: Getty Images)

said researchers from Elastic Security Labs, who discovered the attacks.

When it first executes, GhostEngine scans machines for any EDR, or endpoint protection and response, software that may be running. If it finds any, it loads drivers known to contain vulnerabilities that allow attackers to gain access to the kernel, the core of all operating systems that’s heavily restricted to prevent tampering. One of the vulnerable drivers is an anti-rootkit file from Avast named aswArPots.sys. GhostEngine uses it to terminate the EDR security agent. A malicious file named smartscreen.exe then uses a driver from IObit named iobitunlockers.sys to delete the security agent binary.

Read 10 remaining paragraphs | Comments

Article Tags:
Article Categories:
Technology