What is Gh0st RAT?

Gh0st RAT is a notorious Remote Access Trojan (RAT) developed by Chinese hackers. This stealthy and powerful piece of malware is designed to remotely control infected computers. It allows unauthorized access, data theft, and surveillance, enabling attackers to remain undetected while manipulating the infected systems. The gh0st RAT has been associated with various cyber espionage campaigns and poses significant security risks to individuals and organizations alike.

New Gh0st RAT Variant Observed by Sangfor FarSight Labs

Sangfor FarSight Labs recently observed a new variant of Gh0st RAT involved in a malicious campaign linked to a known cybercrime group.

The attack uses a trojanized executable of TrueUpdate, a software update tool developed by Indigo Rose. Once executed, it loads and decrypts the malicious components in stages, eventually deploying Gh0st RAT.

Through threat intelligence correlation, we suspect that the TrueUpdate file originated from a fake Telegram installation file (telrvp-4.7.exe), downloaded from a spoofed Chinese Telegram website. This website also offers downloads of Telegram for Android and iPhone and has been flagged as dangerous.

Gh0st RAT Spreads Using Fake Telegram Download Page - 1

The original name of telrvp-4.7.exe is suf_launch.exe, and it contains all the malicious files used in this attack.

Gh0st RAT Spreads Using Fake Telegram Download Page 2

Technical Analysis of the Gh0st RAT Campaign

A summary of the malicious files used in the attack is as follows:

File Name Description
iusb3mon.exe A trojanized version of TrueUpdate in disguise.
iusb3mon.dat An encrypted compressed package containing malicious code.
Media.xml The persistence module of the attack; a DLL file in disguise.
ziliao.jpg The backdoor module of the attack; a DLL file in disguise.

The trojanized TrueUpdate executable masquerades as iusb3mon.exe, a legitimate file associated with Intel USB 3.0 Monitor. When executed, it uses an internal password to decrypt iusb3mon.dat, a compressed package located in the same folder. It then executes a custom upgrade script named _TUProj.dat found within the decrypted package. The trojan uses this script execution mechanism to implant malicious code within _TUProj.dat.

Once decrypted and loaded into memory, the _TUProj.dat script creates a new thread to execute the shellcode stored in g_table_char, as shown in the figure below.

Gh0st RAT Spreads Using Fake Telegram Download Page 3

The shellcode has two objectives: Firstly, it loads and repairs a DLL file disguised as Media.xml, which serves as the persistence module of the attack. Secondly, it jumps to the repaired DllMain function to start execution.

The shellcode uses a two-fold approach to evade detection. It begins by traversing the _LDR_DATA_TABLE_ENTRY structure to gain insights into loaded modules (DLLs). Subsequently, it manually traverses the export table of DLLs, enabling it to retrieve the precise addresses of the required functions.

Gh0st RAT Spreads Using Fake Telegram Download Page 4

The repaired DLL serves as the core persistence module of the attack. It is responsible for executing component integrity checks, environment checks, persistence service installation, and backdoor activation. Specifically, to obfuscate its behavior from security analysts and evade antivirus detection, this component checks whether the system is running in a virtual machine (VM) environment and whether antivirus software is present on the system. Based on the results of these checks, it decides whether to proceed with further actions.

It also checks the Vendor ID of the machine's graphics card. A VM environment is identified if the graphics card vendor is not Nvidia, AMD, or Intel, as shown in the figure below.

Gh0st RAT Spreads Using Fake Telegram Download Page 5

The attack continues by checking for the presence of antivirus software by scanning processes and registry keys, as shown in the figure below.

Gh0st RAT Spreads Using Fake Telegram Download Page 5

To achieve persistence, the malware registers itself as a service using the CLSID_TaskScheduler COM object, as shown in the figure below.

Gh0st RAT Spreads Using Fake Telegram Download Page 6

After performing the necessary checks, the sample proceeds to execute the backdoor module ziliao.jpg. It reads and decrypts this file, also a DLL in disguise, starting execution from the ShellEx exported function. The backdoor module is protected with a simple XOR encryption, using a hardcoded key (0x94) within the program.

Gh0st RAT Spreads Using Fake Telegram Download Page 8

The main functions of the backdoor module include connecting to the Command and Control (C2) server, downloading files, keylogging, and executing commands.

To evade detection, the backdoor module hides its components and checks for the presence of antivirus software.

Firstly, it uses the SetFileAttributesA function to set the attributes of malicious files and directories as hidden and system files.

Gh0st RAT Spreads Using Fake Telegram Download Page 9

Secondly, it uses the EnumWindow and GetWindowTextA functions to enumerate and compare window names to determine the risk of detection. If there is a risk, it immediately terminates the operation.

Gh0st RAT Spreads Using Fake Telegram Download Page 10

To prevent the IP address of the C2 server from being blocked, the backdoor module retrieves new C2 addresses from an ip.txt file.

Gh0st RAT Spreads Using Fake Telegram Download Page 11

The backdoor achieves persistence by setting registry startup items and registering itself as a service.

Gh0st RAT Spreads Using Fake Telegram Download Page 12

Gh0st RAT Spreads Using Fake Telegram Download Page 13

It also monitors keyboard input and the current foreground window and saves this information in the %APPDATA%Default.dat file.

Gh0st RAT Spreads Using Fake Telegram Download Page 14

FTP is used to download additional files.

Gh0st RAT Spreads Using Fake Telegram Download Page 15

Possible Consequences of a Gh0st RAT Compromise

The observed Gh0st RAT variant, injected into a legitimate program and distributed through a fake Telegram website, poses severe risks to affected systems and organizations. Once successfully deployed, this malware can establish persistent access to compromised systems, allowing the threat actors to steal sensitive data, conduct espionage, or perform other malicious activities. The backdoor module's keylogging capabilities pose a serious threat to data confidentiality and could lead to the compromise of sensitive credentials and personal information.

Moreover, the malware's ability to evade antivirus detection and its advanced anti-analysis techniques make it difficult for security analysts to detect and mitigate the attack promptly. The backdoor's constant retrieval of new C2 server IP addresses further complicates efforts to track and shut down the malicious infrastructure. Organizations that fall victim to this cyber-attack could face sensitive data leakage, long-term surveillance, disruptions in their operations, and financial losses.

Gh0st RAT Indicators of Compromise (IOCs)

Malicious Files

File MD5
chuangkou.log 421285ba7f383ef48e80a3cd3635ca12
suf_launch.exe 38576b6fb5f27f812562b779f24b1001
iusb3mon.dat 4ae5e8bdd68861df10f01fe268859588
Media.xml 3c44ffeb6626913540ce8527fdd3bee1

 

Malicious Domain/IP Address

Coewnkd[.]top

27.124.40[.]78

Solutions

Preventive Measures

  1. Identify abnormalities with the iusb3mon.exe file, as outlined in this article.
  2. Avoid opening emails, links, and attachments from unknown sources. If you must open a file from an unknown sender, use antivirus software to scan it first.
  3. Regularly perform a full system scan using antivirus software.
  4. Avoid downloading software from unofficial websites. Carefully assess the authenticity and legitimacy of websites before proceeding.

Sangfor Solutions

Sangfor Endpoint Secure (Endpoint Security)

Sangfor Endpoint Secure detects and mitigates the malicious files involved in this Gh0st RAT campaign. Please update the software and virus database to the latest version. For customized versions, please consult customer support before updating. Integration with Sangfor Neural-X further enables Endpoint Secure to detect and respond to new and emerging threats.

Gh0st RAT Spreads Using Fake Telegram Download Page 16

Sangfor NGAF (Next-Generation Firewall)

Update the security protection rules of Sangfor NGAF to the latest version and integrate with the Sangfor Neural-X to receive real-time security intelligence, including the latest vulnerabilities, popular viruses, and emerging threats.

Sangfor Cyber Command (Network Detection & Response)

Update the rule base of Sangfor Cyber Command in a timely manner. Also, integrate with Sangfor NGAF and Sangfor Endpoint Secure to enhance threat detection and enable automated response to high-risk threats.

Sangfor Cyber Guardian (Managed Detection & Response Service)

Sangfor Cyber Guardian MDR service offers 24/7 security monitoring to guarantee the utmost protection for your networks. Our state-of-the-art XDDR platform, coupled with the expertise of our security service professionals, provides a seamless "Human-Machine Collaboration" service model that encompasses continuous monitoring of assets, vulnerabilities, threats, and incidents.

Listen To This Post

Search

Get in Touch

Get in Touch with Sangfor Team for Business Inquiry

Related Articles

What is Brain Cipher? The Ransomware that Took Down the Indonesian National Data Center

Date : 01 Jul 2024
Read Now

XZ Utils Supply Chain Compromise

Date : 15 Apr 2024
Read Now

New TellYouThePass Ransomware Variant Discovered In The Wild

Date : 25 Mar 2024
Read Now

See Other Product

Platform-X
Sangfor Access Secure
Sangfor SSL VPN
Best Darktrace Cyber Security Competitors and Alternatives in 2024
Sangfor Omni-Command
Replace your Enterprise NGAV with Sangfor Endpoint Secure