IronNet Blog

EDR-Killing Malware and the Need for Network Detection

Written by IronNet Threat Research | May 24, 2024 1:03:18 PM

A recent blog by Elastic Security Labs details GHOSTENGINE, a crypto miner that leverages an intrusion set (HIDDENSHOVEL) to disable endpoint security solutions (EDRs) on a victim host. While crypto miners may not pose a grave threat to an enterprise, the usage of anti-EDR functions is dangerous and likely to increase in prevalence. In today's cybersecurity landscape, confidence and reliance upon an enterprise endpoint solution are commonplace; this further increases when leveraging XDR capabilities to add network detection functions. While EDR is a critical component of any cybersecurity framework, Network Detection and Response (NDR) solutions play an equally important role as new vulnerabilities emerge.

In this example, GHOSTENGINE leverages various vulnerabilities and exploitation tools to disable components of EDRs to execute crypto mining functions. Once the EDR is rendered ineffective, few security solutions are left to detect and alert the enterprise to the activity. Network detection solutions, like IronNet’s Collective Defense, are designed to detect network anomalies and are unaffected by bypass techniques like those used in this campaign. In most cases, malware needs to communicate externally to command and control (C2) infrastructure for secondary payload downloads, additional instructions, and data exfiltration. All of these are opportunities for an enterprise network solution to detect and alert, regardless of an EDR’s effectiveness. 

IronNet Detection Spotlight: GHOSTENGINE 

Threat Intelligence Overview: 
        » 157 exclusive IronDefense NDR detections able to detect various aspects of GHOSTENGINE Command and Control (C2)  
        » 5 Collective Defense correlations for GHOSTENGINE Network alerts 
        » 1 unique indicator discovered by IronRadar fingerprinting the GHOSTENGINE X.509 certificate

Custom Network Detection Rules:

Rule Name  Description 
Outbound Suspicious Powershell Activity  Detects suspicious file downloads via Powershell or direct to IP communications via Powershell 
Outbound CURL to DottedQuad  Detects traffic that is to a dotted quad using curl as a user agent 

 

IOCs:

93.95.228[.]47 GHOSTENGINE C2 
93.184.221[.]240 GHOSTENGINE C2 
111.90.143[.]130 GHOSTENGINE C2 

 

Conclusion 

As outlined in the Gartner SOC Visibility Triad, an organization should have a combination of EDR, NDR, and SIEM for complete protection and visibility. GHOSTENGINE’s usage of EDR-killing capabilities highlights the importance of multiple layers of protection, enabling one tool to take over when another fails. IronNet’s Collective Defense solution provides organizations with powerful network detections and community correlations to detect activity like this, even when it may be missed by an endpoint tool. As a network tap, requiring no modifications to client machines, IronNet's solution is not vulnerable to client-side bypass techniques. While GHOSTENGINE may be a crypto miner aimed at making money at scale, the next usage of this technique could pose a much greater cyber risk. 

_________

INTERESTED IN LEARNING MORE ABOUT COLLECTIVE DEFENSE?

Contact us to speak to our team of cybersecurity experts or request a demo to see Collective Defense in action.