A New, Spookier Gh0st RAT Malware Haunts Global Cyber Targets

Published: 23/11/2024 | Category: security




A decade and a half after Gh0st RAT first appeared, the SugarGh0st RAT variant aims to make life sweeter for cybercriminals.



A new variant of the infamous Gh0st RAT malware has been identified in recent attacks targeting South Koreans and the Ministry of Foreign Affairs in Uzbekistan.
The Chinese group C.Rufus Security Team first released Gh0st RAT on the open Web in March 2008. Remarkably, it's still in use today, particularly in and around China, albeit in modified forms.
Since late August, for instance, a group with strong Chinese links has been distributing a modified Gh0st RAT deemed SugarGh0st RAT.
According to research from Cisco Talos, this threat actor drops the variant via JavaScript-laced Windows shortcuts, while distracting targets with customized decoy documents.
The malware itself is still largely the same, effective tool it's ever been, though it now sports some new decals to help it sneak past antivirus software.
The four samples of SugarGh0st, likely delivered via phishing, arrive on targeted machines as archives embedded with Windows LNK shortcut files. The LNKs hide malicious JavaScript which, upon opening, drops a decoy document — targeted for Korean or Uzbek government audiences — and the payload.
Like its progenitor — the Chinese origin remote access Trojan, first released to the public in March 2008 — SugarGh0st is a clean, multitooled espionage machine. A 32-bit dynamic link library (DLL) written in C++, it begins by collecting system data, then opens up the door to full remote access capabilities.
Attackers can use SugarGh0st to retrieve any information they might desire about the compromised machine, or start, terminate, or delete the processes it's running. They can use it to find, exfiltrate, and delete files, and erase event logs to mask the resulting forensic evidence. The backdoor comes fitted with a keylogger, a screenshotter, a means of accessing the device's camera, and plenty of other useful functions for manipulating the mouse, performing native Windows operations, or simply running arbitrary commands.
"The thing that's most concerning to me is how it's specifically designed to evade previous detection methods," says Nick Biasini, Cisco Talos head of outreach. "With this new variant, specifically, they took effort to do things that would change the way that core detection would work."
It isn't that SugarGh0st has any particularly novel evasion mechanisms. Rather, minor cosmetic changes make it appear different from prior variants, such as changing the command-and-control (C2) communication protocol so that the network packet headers reserve the first 8 bytes, instead of 5, as magic bytes (fixed signature values, used to confirm a file's or message's contents). "It's just a very effective way to try and make sure that your existing security tooling isn't going to pick up on this right away," Biasini says.
Back in September 2008, the office of the Dalai Lama approached a security researcher (no, this isn't the beginning of a bad joke).
Its employees were being peppered with phishing emails. Microsoft applications were crashing, without explanation, across the organization. One monk recalled watching his computer open Microsoft Outlook all on its own, attach documents to an email, and send that email to an unrecognized address, all without his input.
The Trojan used in that Chinese military-linked campaign against Tibetan monks has stood the test of time, Biasini says, for a few reasons.
"Open source malware families live long because actors get a fully functional piece of malware that they can manipulate as they see fit. It also allows people who don't know how to write malware to leverage this stuff for free," he explains.
Gh0st RAT, he adds, stands out in particular as "a very functional, very well-built RAT."
