Fileless Malware PowerGhost Targets Corporate Systems

Security researchers reported a fileless cryptocurrency-mining malware targeting corporate servers and workstations. Dubbed PowerGhost (detected as TROJ_BLUTEAL.D, DDOS_NITOL.SMC and Coinminer_CryptoNight.SM-WIN64), the malware uses a combination of Powershell and EternalBlue to embed and spread itself undetected across computers and servers in organizations. Attackers can also use it for distributed denial of service (DDoS) attacks.

PowerGhost was seen utilizing legitimate software tools such as Windows Management Instrumentation (WMI), infecting systems using an obfuscated Powershell script containing the core code and modules for the miner. The script downloads the miner, mimikatz, the libraries msvcp120.dll and msvcr120.dll used to launch the miner, the EternalBlue exploit shellcode, and a reflective PE injection module.

Without writing into the hard drive, the Powershell script runs to communicate with the C&C server and update to the latest version, getting the user account details from the infected machine using mimikatz in the process. It searches and propagates itself via the local network with WMI and EternalBlue, and escalates user privileges on the new infected machines through 32- and 64-bit exploits (MS16-032, MS15-051 and CVE-2018-8120). PowerGhost saves all the modules as a WMI class, and activates a one-line Powershell script every 90 minutes to gain traction while launching the miner with the reflective PE injection. A variant of the malware was detected to include a tool for DDoS that can scan for virtual environments such as a sandbox. Researchers take this payload inclusion as a sign that attackers are hoping to make extra money by offering DDoS as a service.

[Read: Cryptocurrency miner uses WMI and EternalBlue to spread filelessly]

Organizations can secure their systems with the following recommendations:

  • Update software and firmware patches from legitimate vendors regularly. Alternative virtual patches are also available for companies still using legacy systems.
  • Restrict and/or disable WMI access rights as needed, limiting it to IT administrators. Since not all machines require WMI service, this reduces WMI attack risks and vectors.


 Trend Micro Smart Protection Suites deliver several capabilities like high fidelity machine learning, web reputation services, behavior monitoring, and application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro Endpoint Sensor will also be effective in monitoring events related to WMI, as this product will help quickly examine what processes or events are triggering the malicious activity. Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits and other similar threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect these kinds of attacks even without any engine or pattern update.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.