January 6, 2025
Severity
High
Analysis Summary
Cybersecurity researchers have discovered a new malware family known as PLAYFULGHOST. It carries a wide range of information-gathering capabilities, including keylogging, screen and audio capture, a remote shell, and file transfer and execution. Google's Managed Defense team said the backdoor shares functionality with Gh0st RAT, a well-known remote administration tool whose source code was leaked publicly in 2008.
PLAYFULGHOST's initial access comes from phishing emails with code-of-conduct-themed lures or from search engine optimization (SEO) poisoning that pushes trojanized versions of legitimate VPN software such as LetsVPN. In one phishing case, the infection begins when the victim is tricked into opening a malicious RAR archive that carries a .jpg extension so that it passes for an image file. Once the victim extracts the archive and runs its contents, a malicious Windows executable is dropped that downloads and executes PLAYFULGHOST from a remote server.

The SEO poisoning chains, by contrast, aim to lure unsuspecting users into downloading a malware-laced LetsVPN installer. When launched, the installer drops an intermediate payload that fetches the backdoor components. The infection is notable for using DLL search order hijacking and side-loading to launch a malicious DLL, which then decrypts PLAYFULGHOST and loads it into memory. Mandiant also observed a more elaborate execution scenario in which a Windows shortcut ("QQLaunch.lnk") combines the contents of two other files, "h" and "t", to build the malicious DLL, which is then side-loaded by a renamed copy of "curl.exe".
PLAYFULGHOST can establish persistence on the host in four ways: a Run registry key, a scheduled task, the Windows Startup folder, and a Windows service. Its collection capabilities are extensive and cover keystrokes, screenshots, audio, QQ account information, installed security products, clipboard contents, and system metadata. It can also perform file operations, delete profiles and caches of web browsers such as Sogou, QQ, 360 Safety, Firefox, and Google Chrome, block mouse and keyboard input, clear Windows event logs, wipe clipboard data, drop additional payloads, and remove profiles and local storage of messaging apps such as Skype, Telegram, and QQ.
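The execution chain described above (a renamed curl.exe side-loading a DLL from its own directory) and the four persistence mechanisms all leave traces in host telemetry. The following is an added example, not code from this advisory or from Mandiant/Google: a small Python detection pass over constructed Sysmon-style events. The event IDs and field names (Image, OriginalFileName, ImageLoaded, TargetObject, TargetFilename, CommandLine) follow Sysmon's schema; the user name, paths, task and service names in the sample events are invented for illustration. It flags a process whose on-disk name differs from its compiled OriginalFileName, a DLL loaded from the process's own non-system directory, and each of the four persistence methods the advisory lists.

```python
"""Detection pass for PLAYFULGHOST-style tradecraft over Sysmon-like events.

Added example (not from the advisory or Mandiant). Events below are constructed;
field names follow Sysmon's schema, everything else is made up for illustration.
"""
import ntpath

# DLL loads from these trees are normal; a DLL resolved from the process's own
# directory *outside* them is a search-order-hijack / side-load candidate.
SYSTEM_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)


def _dir(path):
    return ntpath.dirname(path).lower()


def _under_system_dir(path):
    return any(_dir(path).startswith(d) for d in SYSTEM_DIRS)


def detect_renamed_binary(ev):
    """Sysmon EID 1: the PE's compiled name (OriginalFileName) disagrees with the file name on disk."""
    if ev.get("EventID") != 1 or "OriginalFileName" not in ev:
        return None
    on_disk = ntpath.basename(ev["Image"]).lower()
    compiled = ev["OriginalFileName"].lower()
    if on_disk != compiled:
        return f"renamed binary: {on_disk} is really {compiled}"
    return None


def detect_sideload(ev):
    """Sysmon EID 7: DLL loaded from the same non-system directory as the process image."""
    if ev.get("EventID") != 7:
        return None
    if _dir(ev["ImageLoaded"]) == _dir(ev["Image"]) and not _under_system_dir(ev["Image"]):
        return f"DLL side-load candidate: {ev['ImageLoaded']}"
    return None


def detect_persistence(ev):
    """Map an event onto one of the four persistence methods the advisory lists."""
    eid = ev.get("EventID")
    img = ntpath.basename(ev.get("Image", "")).lower()
    cmd = ev.get("CommandLine", "").lower()
    if eid == 13 and "\\currentversion\\run" in ev.get("TargetObject", "").lower():
        return "persistence: Run registry key"
    if eid == 11 and "\\start menu\\programs\\startup\\" in ev.get("TargetFilename", "").lower():
        return "persistence: Startup folder"
    if eid == 1 and img == "schtasks.exe" and "/create" in cmd:
        return "persistence: scheduled task"
    if eid == 1 and img == "sc.exe" and " create " in cmd:
        return "persistence: Windows service"
    return None


RULES = (detect_renamed_binary, detect_sideload, detect_persistence)


def analyze(events):
    """Run every rule over every event; return one finding dict per rule hit."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append({"finding": hit, "event_id": ev.get("EventID"), "image": ev.get("Image")})
    return findings


def persistence_methods(findings):
    """Distinct persistence methods seen, sorted, for a quick triage summary."""
    return sorted({f["finding"] for f in findings if f["finding"].startswith("persistence:")})


# Constructed sample telemetry (hypothetical user, paths and names).
SUSPECT = r"C:\Users\alice\AppData\Roaming\QQUpdate\update.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": SUSPECT, "OriginalFileName": "curl.exe",
     "CommandLine": "update.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "Image": SUSPECT,
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\QQUpdate\libcurl.dll"},
    {"EventID": 13, "Image": SUSPECT,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\QQLaunch"},
    {"EventID": 11, "Image": SUSPECT,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QQLaunch.lnk"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": f'schtasks /create /tn QQLaunch /tr "{SUSPECT}" /sc onlogon', "ParentImage": SUSPECT},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": f'sc create QQLaunch binPath= "{SUSPECT}" start= auto', "ParentImage": SUSPECT},
    # Benign controls: the real curl.exe, and a DLL loaded from System32.
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": "curl https://example.com"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"EID {f['event_id']:>2}  {f['image']}  ->  {f['finding']}")
```

The OriginalFileName check only works if Sysmon (or an EDR exposing the PE version resource) is deployed, and EID 7/11/13 must be configured to log image loads, file creates and registry writes for the relevant paths. The side-load heuristic is deliberately broad: any legitimate application that ships its own DLLs under a user profile directory will trip it, so in production it should be combined with signature checks on the loaded DLL and an allowlist of known software.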
PLAYFULGHOST is also delivered alongside other tooling, including Mimikatz and a rootkit that can hide files, processes, and registry entries specified by the threat actor. Bundled with the PLAYFULGHOST component download is Terminator, an open-source tool that kills security processes through a Bring Your Own Vulnerable Driver (BYOVD) attack.
Mandiant also observed a PLAYFULGHOST payload embedded in BOOSTWAVE, a shellcode that acts as an in-memory dropper for an appended Portable Executable (PE) payload. The targeting of applications such as Sogou, QQ, and 360 Safety, together with the use of LetsVPN lures, suggests these infections are aimed at Chinese-speaking Windows users. In July 2024, researchers disclosed a similar campaign that used a dropper called Gh0stGambit to distribute Gh0st RAT via fake Google Chrome installers.
Impact
- Information Theft
- Keylogging
- Code Execution
Remediation
- Enable antivirus and anti-malware software and update signature definitions promptly. Multi-layered protection is necessary to secure vulnerable assets.
- Patch and upgrade platforms and software promptly, and make this a standard security policy.
- Employ network intrusion detection and prevention systems to monitor and block malicious network activities.
- Implement network segmentation to limit lateral movement for attackers within the network.
- Implement advanced email filtering to detect and block phishing emails.
- Employ updated and robust endpoint protection solutions to detect and block malware.
- Develop and test an incident response plan to ensure a swift and effective response to security incidents.
- Enhance logging and monitoring capabilities to detect anomalous activities and unauthorized access.
- Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
- Regularly back up critical data and ensure that backup and recovery procedures are in place.