GHOSTENGINE Malware terminates EDR agents

The GHOSTENGINE malware exploits vulnerable drivers to disable established security solutions such as EDR agents. The campaign is complex: it downloads files over HTTP and FTP, deploys the XMRig cryptominer, and carries out further malicious actions such as disabling Windows Defender and creating scheduled tasks for persistence. The intrusion set, named REF4578, was discovered on May 6, 2024. It sets off a chain of events that deliberately terminates EDR agents so that the final goal, a persistent Monero cryptominer, can be deployed. The case underlines the importance of preventing and detecting early signs of suspicious activity, such as PowerShell execution from unusual directories and the deployment of vulnerable drivers.
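The early warning signs named above (PowerShell run from unusual directories, a driver loaded from outside the system driver directories, and a scheduled task created for persistence) can be turned into simple triage rules. The following is an added example, not code from the original report or the researchers who documented REF4578; the event records are constructed and loosely modelled on process-creation and driver-load telemetry, and the expected-directory baselines and the `placeholder.sys` name are assumptions to tune for your own environment.

```python
import ntpath

# Assumed baselines for a typical Windows host; adjust to the environment you monitor.
EXPECTED_POWERSHELL_DIRS = {
    r"c:\windows\system32\windowspowershell\v1.0",
    r"c:\windows\syswow64\windowspowershell\v1.0",
}
EXPECTED_DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")
# User-writable locations commonly used to stage tooling (assumed list).
STAGING_DIRS = (r"c:\users\public", r"c:\programdata", r"c:\windows\temp")


def _dir(path):
    """Lower-cased parent directory of a Windows path."""
    return ntpath.dirname(path).lower().rstrip("\\")


def check_event(ev):
    """Return the rule names an event (process start or driver load) triggers."""
    hits = []
    image = ev["image"]
    name = ntpath.basename(image).lower()
    if ev["type"] == "process":
        if name in ("powershell.exe", "pwsh.exe"):
            # A PowerShell binary copied outside its normal install directory.
            if _dir(image) not in EXPECTED_POWERSHELL_DIRS:
                hits.append("powershell_image_unusual_dir")
            # PowerShell whose working directory is a user-writable staging folder.
            cwd = ev.get("cwd", "").lower().rstrip("\\")
            if any(cwd.startswith(p) for p in STAGING_DIRS):
                hits.append("powershell_cwd_staging_dir")
        if name == "schtasks.exe" and "/create" in ev.get("cmd", "").lower():
            hits.append("scheduled_task_created")
    elif ev["type"] == "driver":
        # Driver loads are expected only from the system driver directories.
        if not any(_dir(image).startswith(d) for d in EXPECTED_DRIVER_DIRS):
            hits.append("driver_loaded_outside_system_dirs")
    return hits


def triage(events):
    """Map the image path of every flagged event to the rules it triggered."""
    flagged = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            flagged[ev["image"]] = hits
    return flagged


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cwd": r"C:\Windows\System32", "cmd": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
    {"type": "process", "image": r"C:\Users\Public\Music\powershell.exe",
     "cwd": r"C:\Users\Public\Music", "cmd": "powershell.exe -ep bypass -File stage.ps1"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": "schtasks.exe /create /tn Updater /tr C:\\Users\\Public\\Music\\stage.bat /sc hourly"},
    {"type": "driver", "image": r"C:\Windows\System32\drivers\ntfs.sys"},
    {"type": "driver", "image": r"C:\Windows\Temp\placeholder.sys"},  # placeholder, not a real driver
]
```

`triage(SAMPLE_EVENTS)` flags three of the five constructed events; the two benign ones (PowerShell from its install directory, the built-in NTFS driver) produce no hits.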