Fileless Cryptocurrency-Miner GhostMiner Weaponizes WMI Objects, Kills Other Cryptocurrency-Mining Payloads

By Carl Maverick Pascual (Threats Analyst)


Cybercriminals continue to use cryptocurrency-mining malware to abuse computing resources for profit. Since as early as 2017, we have also observed them applying fileless techniques to make detection and monitoring more difficult.


On August 2, we observed a fileless cryptocurrency-mining malware, dubbed GhostMiner, that weaponizes Windows Management Instrumentation (WMI) objects for its fileless persistence, payload delivery, and antivirus (AV) evasion. This GhostMiner variant was also observed modifying files on infected hosts that are heavily used by Mykings, PowerGhost, PCASTLE, and BULEHERO, among others.


This malware was observed mining Monero; however, the arrival details of this variant have not been identified as of writing. An earlier documented sighting of GhostMiner noted that it used multiple vulnerabilities in MSSQL, phpMyAdmin, and Oracle's WebLogic to look for and attack susceptible servers.


GhostMiner Details


GhostMiner uses WMI event subscriptions to establish persistence on an infected machine and to execute arbitrary code. A permanent WMI subscription consists of an __EventFilter (the WQL query that decides when to fire), an event consumer (the action to run), and a __FilterToConsumerBinding that ties the two together; all three live in the root\subscription namespace.



Event Filter


\\.\ROOT\subscription:__EventFilter.Name="PowerShell Event Log Filter"


EventNamespace : root\cimv2


Query : SELECT * FROM __InstanceModificationEvent WITHIN 3600 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'


QueryLanguage : WQL




FilterToConsumerBinding


\\.\ROOT\subscription:__FilterToConsumerBinding.Consumer="CommandLineEventConsumer.Name=\"PowerShell Event Log Consumer\"",Filter="__EventFilter.Name=\"PowerShell Event Log Filter\""


Consumer : CommandLineEventConsumer.Name="PowerShell Event Log Consumer"


Filte ..
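The following script is an added example for hunting the subscription pattern shown above; it is not code from the original article and not GhostMiner's own. It enumerates every __FilterToConsumerBinding in root\subscription, resolves the bound filter and consumer, and flags bindings whose consumer executes commands or script and whose filter polls Win32_PerfFormattedData_PerfOS_System through __InstanceModificationEvent (a WITHIN interval on an always-present counter instance is effectively a scheduler). The class names and query shape come from the listing above; the regular expressions, the -Remove switch and the output fields are this example's own choices. It assumes Windows PowerShell 5.1 (Get-WmiObject) and an elevated prompt.

```powershell
<#
 Added example (not from the article or from GhostMiner): list permanent WMI
 event subscriptions and flag the filter/consumer combination described above.
 Read-only unless -Remove is given; -Remove honours -WhatIf and -Confirm.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # delete flagged binding, filter and consumer
)

$ns = 'root\subscription'

# Consumer classes that run attacker-supplied commands or script text.
$execConsumers = @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')

# Query shape from the listing above: a modification event on the PerfOS_System
# counter, polled every WITHIN interval, i.e. a timer rather than a real trigger.
$timerQuery = '__InstanceModificationEvent[\s\S]*Win32_PerfFormattedData_PerfOS_System'

# Get-WmiObject returns the binding's reference properties as path strings,
# e.g. __EventFilter.Name="PowerShell Event Log Filter"
$refPattern = '^(?<class>\w+)\.Name="(?<name>.*)"$'

$filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter)
$consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer)   # base class: returns every consumer type
$bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)

foreach ($b in $bindings) {
    if ($b.Filter -notmatch $refPattern) { continue }
    $filterName = $Matches['name']
    if ($b.Consumer -notmatch $refPattern) { continue }
    $consumerClass = $Matches['class']
    $consumerName  = $Matches['name']

    $filter   = $filters   | Where-Object { $_.Name -eq $filterName } | Select-Object -First 1
    $consumer = $consumers | Where-Object { $_.__CLASS -eq $consumerClass -and $_.Name -eq $consumerName } | Select-Object -First 1

    $reasons = @()
    if ($consumerClass -in $execConsumers)            { $reasons += "consumer executes code ($consumerClass)" }
    if ($filter -and $filter.Query -match $timerQuery) { $reasons += 'filter is a PerfOS_System polling timer' }
    if ($reasons.Count -eq 0) { continue }

    # CommandLineEventConsumer carries CommandLineTemplate; ActiveScriptEventConsumer carries ScriptText.
    $command = ''
    if ($consumer.CommandLineTemplate) { $command = $consumer.CommandLineTemplate }
    elseif ($consumer.ScriptText)      { $command = $consumer.ScriptText }

    [PSCustomObject]@{
        Filter   = $filterName
        Query    = if ($filter) { $filter.Query } else { '<filter missing>' }
        Consumer = "$consumerClass/$consumerName"
        Command  = $command
        Reasons  = $reasons -join '; '
    }

    if ($Remove -and $PSCmdlet.ShouldProcess("$consumerClass/$consumerName <- $filterName", 'Remove WMI subscription')) {
        # Remove the binding first so the filter can no longer fire, then the two endpoints.
        $b | Remove-WmiObject
        if ($filter)   { $filter   | Remove-WmiObject }
        if ($consumer) { $consumer | Remove-WmiObject }
    }
}
```

Run it without arguments to get one object per suspicious binding (filter name, WQL query, consumer class and name, the command or script it runs, and why it was flagged); pipe to Format-List to read long queries. Legitimate software occasionally registers CommandLineEventConsumer subscriptions, so review the Command field before using -Remove, and preview with -Remove -WhatIf first. Enumerating __EventConsumer rather than a single consumer class matters because the same timer filter can be bound to a script consumer instead of a command-line one.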