Severity
High
Analysis Summary
An elusive dropper known as Gh0stGambit has been observed distributing the Gh0st RAT remote access trojan in a drive-by download campaign aimed at Chinese-speaking Windows users.
The infections originate from a fake website that serves malicious installer packages posing as Google's Chrome browser, which suggests that users searching for the browser online are being targeted. Gh0st RAT has been in the wild since at least 2008 and has appeared in many variants, mostly in campaigns run by China-linked cyber-espionage groups.
Some trojan variants have previously been used to deploy the open-source Hidden rootkit after compromising poorly secured MS SQL Server instances. According to the cybersecurity firm that uncovered the latest activity, the targeting of Chinese speakers is inferred from the Chinese-language web lures and from the Chinese applications that the malware singles out for data theft and defense evasion.
The MSI package downloaded from the fake website bundles a legitimate Chrome setup program alongside a malicious installer ("WindowsProgram.msi"). The malicious installer runs shellcode that loads Gh0stGambit. The dropper then checks for security software (including Microsoft Defender Antivirus and 360 Safe Guard) before contacting a command-and-control (C2) server to retrieve Gh0st RAT.
Gh0st RAT, written in C++, is packed with functionality: it can terminate processes, delete files, capture audio and screenshots, execute commands remotely, log keystrokes, exfiltrate data, and hide files, directories and registry entries using rootkit capabilities, among many other things. It can also drop Mimikatz, enable Remote Desktop Protocol on infected hosts, retrieve Tencent QQ account identifiers, wipe data from 360 Secure Browser, QQ Browser and Sogou Explorer, and clear Windows event logs.
Over the past few years, APT and criminal groups have modified and used Gh0st RAT extensively. The latest research shows the threat spreading through drive-by downloads that trick users into running a malicious Chrome installer from a fake website. The growing use of drive-by downloads is further evidence of the need for continuous security awareness and training.
Impact
- Unauthorized Remote Access
- Cyber Espionage
- Data Theft & Exfiltration
- Command Execution
Indicators of Compromise
IP
- 104.143.46.143
MD5
- 4bf494f15fcc172b98abeb5a02ecffed
- 778d517a9de9b93f02e92602f1cfcd6c
- d96a742899aeab9eaba691861908e316
- 82408e48f97f6c41b825b97a2e026831
SHA-256
- 019f3f8c33408fcc884f9789ae6db493dc4b8757e12c02d753d3c58b52a2726c
- cad9fcfa069fc7de9f5d2b7c66bd5c4ca714777bf5db253418a664e7723026d1
- 1d8b0d810d826574637041cc56c5532139eccff5064195bfea0d65ac0c3624d3
- 70722a2c937507cb211607b2a4de8109482154c66121ac6def99d0b4e1934076
SHA-1
- e158eb541843a67b11c39e93b2bfd8c1e67e9dce
- 9e373cbc1e1cf5e1553896485d7c5701a8e89804
- 777f988457a9265431e8119bd2d579f264f565f5
- f068f53692fcb4ec00d360da733c7a42855521a1
URL
- http://mm6695.icu/c1/8.210.131.111_13001/reg32
- http://mm6695.icu/d1/206.119.80.10/code32
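The indicators above are only useful once they are searched for. The script below is an added example, not code from the advisory or from the researchers who reported the campaign: it loads the listed hashes, IP and URLs, hashes every file under a directory in one pass (MD5, SHA-1 and SHA-256 together, so each file is read once), and matches proxy or DNS log lines against the IP, the full URLs and the hostname derived from them. The sample log lines and the directory argument are constructed for illustration; the domain matcher deliberately accepts subdomains of mm6695.icu but rejects look-alikes such as xmm6695.icu or mm6695.icu.example.

```python
"""Hunt for the Gh0stGambit / Gh0st RAT indicators listed in the IOC section.

Added example, not code from the original advisory. The hashes, IP and URLs are
copied from the IOC list; the sample log lines below are constructed, not real telemetry.
"""
import hashlib
import re
import sys
from pathlib import Path
from urllib.parse import urlparse

IOC_HASHES = {
    "md5": {
        "4bf494f15fcc172b98abeb5a02ecffed", "778d517a9de9b93f02e92602f1cfcd6c",
        "d96a742899aeab9eaba691861908e316", "82408e48f97f6c41b825b97a2e026831",
    },
    "sha1": {
        "e158eb541843a67b11c39e93b2bfd8c1e67e9dce", "9e373cbc1e1cf5e1553896485d7c5701a8e89804",
        "777f988457a9265431e8119bd2d579f264f565f5", "f068f53692fcb4ec00d360da733c7a42855521a1",
    },
    "sha256": {
        "019f3f8c33408fcc884f9789ae6db493dc4b8757e12c02d753d3c58b52a2726c",
        "cad9fcfa069fc7de9f5d2b7c66bd5c4ca714777bf5db253418a664e7723026d1",
        "1d8b0d810d826574637041cc56c5532139eccff5064195bfea0d65ac0c3624d3",
        "70722a2c937507cb211607b2a4de8109482154c66121ac6def99d0b4e1934076",
    },
}
IOC_IPS = {"104.143.46.143"}
IOC_URLS = {
    "http://mm6695.icu/c1/8.210.131.111_13001/reg32",
    "http://mm6695.icu/d1/206.119.80.10/code32",
}
# DNS and proxy logs usually record only the hostname, so derive it from the URLs.
IOC_DOMAINS = {urlparse(u).hostname for u in IOC_URLS}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Match the domain and its subdomains, but not look-alikes such as xmm6695.icu or mm6695.icu.example.
DOMAIN_RES = {d: re.compile(r"(?<![\w-])" + re.escape(d) + r"(?![\w-]|\.\w)") for d in IOC_DOMAINS}


def digest_chunks(chunks):
    """Compute MD5, SHA-1 and SHA-256 over an iterable of byte chunks in a single pass."""
    algos = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    for chunk in chunks:
        for h in algos.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in algos.items()}


def hash_file(path):
    """Hash a file in 1 MiB chunks so large installers do not have to fit in memory."""
    with open(path, "rb") as fh:
        return digest_chunks(iter(lambda: fh.read(1 << 20), b""))


def match_hashes(digests):
    """Return the (algorithm, digest) pairs from a digest dict that appear in the IOC list."""
    return [(algo, d) for algo, d in digests.items() if d in IOC_HASHES.get(algo, ())]


def scan_directory(root):
    """Walk a directory tree; return [(path, matches)] for files whose hash is an IOC."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            matches = match_hashes(hash_file(path))
        except OSError:  # locked or unreadable file: skip it rather than abort the hunt
            continue
        if matches:
            hits.append((str(path), matches))
    return hits


def scan_log_line(line):
    """Return the set of network indicators (IP, domain, full URL) present in one log line."""
    found = {ip for ip in IP_RE.findall(line) if ip in IOC_IPS}
    lowered = line.lower()
    found.update(d for d, rx in DOMAIN_RES.items() if rx.search(lowered))
    found.update(u for u in IOC_URLS if u in lowered)
    return found


def scan_log(lines):
    """Return [(line_number, line, indicators)] for every line that contains an IOC."""
    return [(n, line, hits) for n, line in enumerate(lines, 1) if (hits := scan_log_line(line))]


# Constructed sample proxy/DNS log lines for demonstration; not real telemetry.
SAMPLE_LOG = [
    "proxy client=10.0.0.23 dst=104.143.46.143:443 method=CONNECT",
    "dns client=10.0.0.23 query=mm6695.icu. type=A",
    "proxy client=10.0.0.23 url=http://mm6695.icu/d1/206.119.80.10/code32 status=200",
    "proxy client=10.0.0.41 url=https://www.google.com/ status=200",
]

if __name__ == "__main__":
    for n, line, hits in scan_log(SAMPLE_LOG):
        print(f"log line {n}: {sorted(hits)}")
    # Optional: hash every file under a directory passed on the command line (e.g. a Downloads folder).
    for path, matches in (scan_directory(sys.argv[1]) if len(sys.argv) > 1 else []):
        print(f"{path}: {matches}")
```

Run it with a directory argument to sweep that tree for the listed hashes; feed real proxy or DNS export lines to scan_log to find the C2 contacts. A hash hit identifies the exact samples the researchers saw, so a repacked installer will not match and the network indicators remain the more durable signal.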
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Patch and upgrade platforms and software promptly, and make this a standard security policy.
- Employ network intrusion detection and prevention systems to monitor and block malicious network activities.
- Implement network segmentation to limit lateral movement for attackers within the network.
- Implement advanced email filtering to detect and block phishing emails.
- Employ updated and robust endpoint protection solutions to detect and block malware.
- Develop and test an incident response plan to ensure a swift and effective response to security incidents.
- Enhance logging and monitoring capabilities to detect anomalous activities and unauthorized access.
- Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
- Regularly back up critical data and ensure that backup and recovery procedures are in place.