A lot of work went into this malware for very little payoff, except for security researchers.
GhostMiner is a fairly advanced strain of malware that is almost certainly a failure for its creator. The software is yet another cryptocurrency miner, but it appears to be the first crypto-miner that is fileless. The fileless technique allows the malware to run code directly from memory, instead of storing files that can be easily found by anti-malware and antivirus programs.
Besides being fileless, GhostMiner also cleans up the place before going to work. Once running on a system, it seeks out and shuts down other crypto-miners operating on that system. The malware targets MSSQL, phpMyAdmin, and Oracle WebLogic servers; however, it appears that infections have only occurred on Oracle WebLogic servers at this point.
Despite the work that the malware creator put into this miner, they obviously haven’t seen a payoff that would make it worth it. Security experts state that in the three-week campaign, the malware only collected around $200 worth of Monero.
While the malware creator certainly isn’t getting rich off this scheme, all of their work was not for nothing. Researchers have taken the information gleaned from the malware, specifically what the malware uses to identify and shut down other crypto-miners, and have built a PowerShell script that will hunt down and remove miners from infected hosts.
Talk about making lemonade out of lemons.
Source: Bleeping Computer