Researchers at Kaspersky Lab have discovered a new form of cryptojacking malware that has targeted corporations in multiple countries.
“The malware, which we dubbed PowerGhost, is capable of stealthily establishing itself in a system and spreading across large corporate networks, infecting both workstations and servers,” the company wrote in a blog post.
The fileless malware stays inconspicuous to the user and goes undetected by antivirus products; the victim's machine is infected remotely through exploits or remote administration tools such as Windows Management Instrumentation (WMI). Because the malware is not stored as a file on the computer's hard drive, it is harder to detect.
Once installed, it mines an undisclosed cryptocurrency; illicit mining has become one of the most popular ways for cybercriminals to make money, surpassing ransomware.
“PowerGhost raises new concerns about crypto-mining software. The miner we examined indicates that targeting consumers is not enough for cybercriminals anymore – threat actors are now turning their attention to enterprises, too. Cryptocurrency mining is set to become a huge threat to the business community,” said David Emm, principal security researcher at Kaspersky Lab, according to ZDNet.
So far, PowerGhost is reportedly seen most often on corporate networks in India, Brazil, Colombia and Turkey. It has also been detected in Europe and North America.
Another factor that makes PowerGhost so dangerous: it is an obfuscated PowerShell script that contains shellcode for deploying the EternalBlue exploit to spread across the network. EternalBlue is the leaked NSA hacking tool that went on to power the WannaCry and NotPetya attacks.
Researchers note that one version of PowerGhost can also be used for conducting DDoS attacks, which could be a way for the creators of the malware to use it as an additional means of income.