Minerva Labs researchers have conducted an analysis on "GhostMiner;" a cryptocurrency miner that is using fileless techniques in order to increase it's stealth capabilities. The miner spreads by exploiting vulnerable servers running Oracle WebLogic, MSSQL, and phpMyAdmin.
The mining component, a modified "XMRig" miner, is launched directly from memory after stopping other miners running on the system by using PowerShell's "Stop-Process -force" command on blacklisted miners from a hardcoded list.
Recommendation:
Cryptocurrency miners cause a high CPU usage, therefore, if fans seem to be always running on a machine, the activity/task manager should be checked to see if miners are running unknowingly. Always keep software up to date to avoid being exploited by old vulnerabilities.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here 4to identify potential malicious activity.