PowerGhost: Beware of ghost mining

Fileless malware infects workstations and servers in corporate networks.

Our experts recently discovered a miner focused primarily on corporate networks. The fileless nature of PowerGhost allows the malware to attach itself to victims’ workstations or servers without being noticed. Most of the attacks we’ve registered so far have been in India, Turkey, Brazil, or Colombia.

Having penetrated a company’s infrastructure, PowerGhost tries to log in to network user accounts through the legitimate remote administration tool Windows Management Instrumentation (WMI). The malware obtains logins and passwords using a data extraction tool called Mimikatz. The miner can also be distributed through the EternalBlue exploit for Windows, which was used by the creators of WannaCry and ExPetr. In theory, that vulnerability has been patched for a year, but in practice the exploit continues to work.

Once on victims’ devices, the malware attempts to enhance its privileges through various OS vulnerabilities (see the Securelist blog post for technical details). After that, the miner gains a foothold in the system and starts to earn cryptocurrency for its owners.

Why is PowerGhost dangerous?

Like any miner, PowerGhost uses your computing resources to generate cryptocurrency. This reduces the performance of servers and other devices and significantly accelerates wear and tear, which leads to replacement costs.

However, compared with most such programs, PowerGhost is more difficult to detect because it doesn’t download malicious files to the device. And that means it can operate longer unnoticed on your server or workstation, and do more damage.

What’s more, in one version of the malware, our experts discovered a tool for DDoS attacks. The use of a company’s servers to bombard another victim can slow down or even paralyse operational activities. An interesting trait is the malware’s ability to check whether it is being run under a real operating system or in a sandbox, allowing it to bypass standard security solutions.


To avoid infection and protect equipment from attack by PowerGhost and similar malware, you should carefully monitor the security of corporate networks.

  • Don’t skip software and operating system updates. All vulnerabilities exploited by the miner have long been patched by vendors. Virus writers tend to base their developments on exploits for long-patched vulnerabilities.
  • Upgrade employee security awareness skills. Remember that many cyberincidents are caused by the human factor.
  • Use reliable security solutions with behavioural analysis technology — that’s the only way fileless threats can be caught. Kaspersky Lab’s business products detect both PowerGhost and its individual components, as well as many other malicious programs, including ones currently unknown.