Gh0st RAT Delivered via Gh0stGambit Evasive Dropper in Drive-By Download Attacks

Gh0st RAT, a well-known remote access trojan, has recently resurfaced, delivered by an advanced dropper called Gh0stGambit. This new campaign is part of a sophisticated drive-by download scheme specifically targeting Chinese-speaking Windows users. The infection begins with a fake website (“chrome-web[.]com”) posing as a legitimate source for downloading Google’s Chrome browser. Unsuspecting users download an MSI installer that contains both a legitimate Chrome setup executable and a malicious installer, “WindowsProgram.msi,” which launches shellcode to load Gh0stGambit. This dropper evades detection by checking for security software like 360 Safe Guard and Microsoft Defender Antivirus before connecting to a command-and-control server to retrieve Gh0st RAT.

Active since 2008 and primarily used by China-nexus cyberespionage groups, Gh0st RAT is a feature-rich malware capable of process termination, file removal, audio and screenshot capture, remote command execution, keylogging, and data exfiltration. It also hides registry entries, files, and directories using rootkit capabilities and can drop Mimikatz, enable RDP, access Tencent QQ account identifiers, clear Windows event logs, and erase data from various Chinese browsers.

eSentire, the cybersecurity firm that uncovered this activity, highlights that the campaign targets Chinese-speaking users through Chinese-language web lures and applications, with the malware sharing similarities with a variant tracked by the AhnLab Security Intelligence Center as HiddenGh0st. The persistence and evolution of Gh0st RAT emphasize the effectiveness of drive-by download attacks and the necessity for continuous security training and awareness programs. Simultaneously, Broadcom-owned Symantec has reported an increase in phishing attacks using Large Language Models (LLMs) to generate malicious PowerShell and HTML code, further illustrating the growing sophistication of cyber threats.

Technical Details

  1. CVE ID: Not applicable (this is a malware distribution campaign, not a specific software vulnerability)
  2. Vulnerability Type: Drive-by download, social engineering
  3. Affected Product: Windows operating systems
  4. Impact: Remote access, data theft, system compromise
  5. Indicators of Compromise (IoCs):
  • Domain: chrome-web[.]com (malicious Chrome installer distribution site)
  • Files:
    1. ChromeSetup.msi (malicious MSI installer downloaded from the site)
    2. WindowsProgram.msi (malicious component within ChromeSetup.msi)
    3. .sys (encrypted payload file)
  • Directories: C:\Program Files\Windows Defenderr (fake directory created by the malware; note the doubled “r”)
  • Registry Keys: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (for persistence)
  • File Extensions: VT (associated with the main payload)
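As an added example (not code from the eSentire report or this page), the following Python hunt checks constructed DNS-log lines, Run-key entries and Program Files directory listings against the IoCs listed above. The directory check generalizes the doubled-“r” look-alike into an edit-distance test so other near-misspellings of the Defender folder are also flagged; the domain is stored defanged and refanged only for matching. All sample artifacts, host names and value names are constructed.

```python
import re
# Indicators are the ones listed on this page (eSentire's Gh0stGambit report).
IOC_DOMAIN = "chrome-web[.]com".replace("[.]", ".")  # kept defanged, refanged only for matching
LEGIT_DEFENDER_DIR = r"C:\Program Files\Windows Defender"  # the directory the malware imitates
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SUSPECT_INSTALLERS = {"chromesetup.msi", "windowsprogram.msi"}

# Whole-host match of the IoC domain or a subdomain (not "notchrome-web.com", not
# "chrome-web.com.example"); a trailing dot, as written in DNS FQDN logs, is allowed.
_DOMAIN_RE = re.compile(r"(?<![\w.-])(?:[\w-]+\.)*" + re.escape(IOC_DOMAIN) + r"(?!\.?[\w-])", re.I)

def domain_hits(log_lines):
    """Return the DNS/proxy log lines that resolve or visit the lure domain."""
    return [line for line in log_lines if _DOMAIN_RE.search(line)]

def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike directory names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_dirs(dirs):
    """Directories within two edits of the real Defender path, excluding the real one.
    This generalizes the page's 'Windows Defenderr' (doubled r) to other near-misspellings."""
    return [d for d in dirs if 0 < edit_distance(d.lower(), LEGIT_DEFENDER_DIR.lower()) <= 2]

def suspicious_run_entries(entries):
    """entries: (registry key, value name, command). Flags values under the page's Run key
    that launch from a look-alike Defender directory or reference a suspect installer."""
    hits = []
    for key, name, cmd in entries:
        if key.lower() != RUN_KEY.lower():
            continue
        path = cmd.strip('"').split('"')[0]  # drop quoting and trailing arguments
        folder, _, basename = path.rpartition("\\")
        if basename.lower() in SUSPECT_INSTALLERS or lookalike_dirs([folder]):
            hits.append(name)
    return hits

# Constructed sample artifacts (not real telemetry) to exercise the checks.
SAMPLE_DNS = ["client=10.0.0.12 query=www.chrome-web.com. type=A",
              "client=10.0.0.12 query=www.google.com. type=A",
              "client=10.0.0.13 query=notchrome-web.com. type=A"]
SAMPLE_RUN = [(RUN_KEY, "OneDrive", r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
              (RUN_KEY, "WinDefend", r'"C:\Program Files\Windows Defenderr\updater.exe"')]
SAMPLE_DIRS = [r"C:\Program Files\Windows Defender", r"C:\Program Files\Windows Defenderr"]
```

Feed it exported Run-key values, a Program Files listing and resolver logs from a host; any hit from the three functions is a reason to pull the host for closer inspection.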

With Gh0st RAT deployed, the attacker can perform various malicious actions:

  • Deploy Mimikatz for credential harvesting
  • Enable Remote Desktop Protocol (RDP) on compromised hosts
  • Access Tencent QQ account identifiers
  • Clear Windows event logs
  • Erase data from Chinese browsers (360 Secure Browser, QQ Browser, Sogou Explorer)

The impact of this attack is severe and multi-faceted:

  • Data Theft: Gh0st RAT's capabilities allow for wholesale exfiltration of sensitive data, including keystrokes, screenshots, and audio recordings.
  • Persistent Access: The sophisticated persistence mechanisms ensure long-term access to compromised systems, allowing for ongoing espionage activities.
  • Credential Compromise: By deploying tools like Mimikatz, attackers can harvest user credentials, potentially leading to lateral movement within networks.
  • Privacy Violation: The trojan's ability to capture audio and screenshots represents a significant privacy breach for affected users.
  • System Integrity Compromise: The rootkit capabilities of Gh0st RAT allow it to hide its presence, making detection and removal challenging.
  • Potential for Further Attacks: Compromised systems can be used as launching points for attacks on other networks or as part of a botnet.

Infection Mechanism

Malicious Website

The infections originate from a fake website (“chrome-web[.]com”) that serves malicious installer packages disguised as Google’s Chrome browser. This indicates that users searching for the Chrome browser on the web are being targeted.

Delivery Method

The MSI installer downloaded from the fraudulent website contains two files:

  1. A legitimate Chrome setup executable.
  2. A malicious installer named “WindowsProgram.msi”.

The latter is used to launch shellcode responsible for loading the Gh0stGambit dropper.

Evasion Tactics

The dropper checks for the presence of security software, such as 360 Safe Guard and Microsoft Defender Antivirus, before establishing contact with a command-and-control (C2) server to retrieve Gh0st RAT. This tactic helps it evade detection and ensure successful deployment.

Gh0st RAT: A Persistent Threat

Historical Context

Gh0st RAT, active since 2008, has evolved into various forms over the years, primarily utilized by China-nexus cyberespionage groups. Notably, some versions of this trojan have infiltrated poorly secured MS SQL server instances, using them as conduits to deploy the Hidden open-source rootkit. This long-standing malware has been adapted to execute a wide range of malicious activities, making it a persistent threat in the cybersecurity landscape. Its ongoing evolution and deployment underscore its significance in cyberespionage efforts, reflecting the sophisticated and adaptive strategies employed by threat actors to exploit vulnerable systems and maintain their foothold in targeted networks.

Capabilities

Gh0st RAT is a feature-rich malware written in C++. Its capabilities include:

  • Terminating processes.
  • Removing files.
  • Capturing audio and screenshots.
  • Remote command execution.
  • Keylogging.
  • Data exfiltration.
  • Hiding registry entries, files, and directories using rootkit capabilities.

Additionally, it can drop Mimikatz, enable Remote Desktop Protocol (RDP) on compromised hosts, access account identifiers associated with Tencent QQ, clear Windows event logs, and erase data from 360 Secure Browser, QQ Browser, and Sogou Explorer.

Targeting Chinese-Speaking Users

Language-Specific Lures

According to cybersecurity firm eSentire, which discovered the latest activity, the targeting of Chinese-speaking users is evidenced by the use of Chinese-language web lures and applications. These lures and applications are tailored to the malware's purposes of data theft and defense evasion.

Similarities with Previous Variants

eSentire observed that the artifact has similarities with a Gh0st RAT variant known as HiddenGh0st, tracked by the AhnLab Security Intelligence Center (ASEC). This indicates that various threat actors continue to use and adapt this malware. The ongoing adaptation and deployment of Gh0st RAT underscore its persistent threat and the evolving strategies employed by cybercriminals to exploit vulnerabilities and maintain their presence in targeted systems.

Broader Cybersecurity Implications

Drive-By Downloads

Recent findings reveal that Gh0st RAT is being distributed through drive-by downloads, tricking users into downloading a malicious Chrome installer from a deceptive website. This method’s persistent success emphasizes the critical need for continuous security training and awareness programs. Ensuring users are educated about such threats and how to avoid them is essential in mitigating these sophisticated attack vectors. Ongoing vigilance and proactive measures are vital to countering these deceptive tactics and safeguarding systems against such malware.

Phishing Campaigns Leveraging AI

In parallel, Broadcom-owned Symantec has observed an increase in phishing campaigns likely leveraging Large Language Models (LLMs) to generate malicious PowerShell and HTML code. These campaigns are used to download several loaders and stealers, such as Rhadamanthys, NetSupport RAT, CleanUpLoader (Broomstick, Oyster), ModiLoader (DBatLoader), LokiBot, and Dunihi (H-Worm). The use of LLMs in generating malicious scripts indicates a growing sophistication in phishing tactics.

Remediation Steps

  1. Update Security Software: Ensure all security software, including antivirus and anti-malware tools, is up to date.
  2. Conduct Regular Scans: Perform regular scans for malware and suspicious activity.
  3. Patch Systems: Apply the latest patches and updates to operating systems and applications.
  4. Restrict Admin Access: Limit administrative privileges to reduce the risk of unauthorized access.
  5. Educate Users: Conduct ongoing security training to help users recognize and avoid phishing attempts and malicious downloads.
  6. Monitor Network Traffic: Implement network monitoring to detect and respond to unusual traffic patterns.
  7. Implement Web Filtering: Use web filtering to block access to known malicious websites.
  8. Backup Data: Regularly back up critical data and verify the integrity of backups.