Crypto mining with a new payload: GHOSTENGINE. REF4578


There is a new REF4578 attack that can disable endpoints according to the article.

Is there a way for us to identify if Sophos endpoint affected from this type of attack? 

Best regards,



    Thanks for reaching out to the Sophos Community Forum. 

    It is not made entirely clear in the article if this is form of miner is also aimed at circumventing antivirus solutions, as only the term EDR is mentioned. While I have not seen mention of this specific malware/miner internally, a number of protection features in Sophos Endpoint are aimed at catching the behaviour that is mentioned. 

    Shellcode Injection: Sophos Central Admin: Dynamic Shellcode
    DLL Protection: Sophos Intercept X: LoadLib
    Additional attack techniques covered by Sophos Endpoint: Exploit Mitigation

    If attempts are made to disable or restrict Sophos Endpoint's ability to protect a device, self healing features will re-enable/reload protection features as needed as well. 

    You can perform additional checks on any environment running Sophos Intercept X Advanced by querying for PowerShell history. This is further explained in the following article. If you wish to ensure you're as well protected as possible, I'd suggest inquiring into Sophos MDR. The MDR team will actively monitor your environment, including running these types of checks for suspicious behaviour. 
    - PowerShell Command History Forensics

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids