At the outset, the victims were infected by remote administration tools or by using out of the way exploits and the PowerShell scripts which at an instant launched it into the hard drive.
Basically, PowerGhost performs as an obscure PowerShell script that comprises a number of core modules. For instance, libraries for mining operations, miners and PE file injection for Eternal Blue exploit.
Some of them are:-
msvcp120.dll and msvcr120.dll (Libraries)
PE injection and shellcode
The malware also tries to speed about the local networks using ‘Eternal Blue’ (MS17-010, CVE-2017-0144). Afterward, it lands into the new system with the surprising 32 and 64-bit exploits for MS-16-032, MS-15-051, and CVE-2018-8120.
The scripts operate at quite a few stages and can competently ‘Self-update’. Its module keeps checking its C2 server. The moment the module finds something, it automatically updates itself and ultimately, the script dispatches the miner by loading a PE file through the reflective PE injection.
According to one of the major anti-virus brands, with the assistance of Mimikatz, the miner could attain the user’s account and credentials from the current machine. The miner could also use them to make an attempt towards proliferating across the local networks by releasing a copy of itself via WMI and download the miner body from C2 server.
As a result of research it has been uncovered that for conducting DDoS attacks one of the many tools is one of the versions of PoweGhost and it is used for making money along with the mining operation profit.