Attackers are using a new loader, Gh0stGambit, to spread Gh0st RAT malware to Chinese users. A Google Chrome phishing download site is being used for that purpose, copying the design of the genuine page. That is, in fact, the part of the campaign that attracted the attention of cybersecurity experts.
Gh0st RAT Trojan Targets Chinese Windows Users
In early June, cybersecurity researchers discovered a malicious campaign targeting users from China. Threat actors are spreading Gh0st RAT using the malware dropper Gh0stGambit, which finds its way to user devices through a phishing site chrome-web[.]com. The attackers employed a drive-by download. They offered users a Google Chrome installer file on a page that appeared to be a legitimate Chrome downloading site. However, the MSI installer downloaded from the fake site contains two files: the legitimate Chrome installation executable and the malicious installer WindowsProgram.msi, which is used to execute shell code responsible for downloading Gh0stGambit.
Gh0st RAT is a long-standing piece of malware from the arsenal of APT27, with its source code made publicly available in 2008. According to sources, its command infrastructure was primarily based in the People’s Republic of China. Written in C++, it has appeared in various forms over the years, primarily in campaigns organized by China-linked cyber espionage groups. Researchers report that a modified variant of Gh0st RAT was used in campaigns by the hacker group in 2018.
Some Details
The exact attack happens in a multi-staged manner. Before carrying out its primary task, Gh0stGambit checks the system for anti-malware software, such as Microsoft Defender or 360 SafeGuard. If it detects these programs, it adds its folder to their exclusions. Then it connects to a command and control server at hxxp://pplilv.bond/d4/107.148.73[.]225/reg32 and initiates the download of Gh0st RAT.
Gh0st RAT is delivered in encrypted form disguised as a Registry Workshop. In addition to providing remote access, it can collect information (keylogging, screen capturing, etc.). Moreover, it contains an embedded rootkit that allows it to hide certain system elements, such as the registry or directories.
It can also can drop Mimikatz in the system folder, enable RDP on compromised hosts, gain access to account identifiers associated with Tencent QQ, clear Windows event logs, and erase data from 360 Secure Browser, QQ Browser, and Sogou Explorer.
It is rather unusual to see malware with allegedly Chinese origin to attack users from mainland China. Typically threat actors keep away from attacking anything or anyone within their country, as it makes the distance to law enforcement too short. Thing is – it is not just regular malware, but a toolkit for spying on citizens. And earlier, APT27 was seen doing exactly this to Chinese citizens, both on the mainland and on Taiwan.
How to protect your system?
Such staged, multi-component attacks require advanced security software to protect against. Aside from excellent real-time and database-backed protection, it should also feature a network protection system that may filter out phishing sites like the one used in this campaign. All this is available in GridinSoft Anti-Malware – check it out through the banner below.