A remote access trojan known as Gh0st RAT has been observed being delivered by an “evasive dropper” called Gh0stGambit as part of a drive-by download scheme targeting Chinese-speaking Windows users.
The infections originate from a spoofed website (“chrome-web(.)com”) that serves malicious installer packages disguised as the Google Chrome browser, indicating that users searching for the software on the Internet are being targeted.
Gh0st RAT is a long-running malware family that has been seen in the wild since 2008, appearing in numerous variants over the years in campaigns mostly orchestrated by Chinese cyber espionage groups.
Some iterations of the trojan have also previously been deployed by infiltrating poorly secured MS SQL Server instances, using them as a conduit to install the open-source Hidden rootkit.
According to cybersecurity firm eSentire, which disclosed the latest activity, the targeting of Chinese-speaking users is based on “the use of Chinese-language web lures and Chinese applications designed to steal data and evade malware protection.”
The MSI installer downloaded from the fake website contains two files: a legitimate Chrome setup executable and a malicious installer (“WindowsProgram.msi”), the latter of which runs the shellcode responsible for loading Gh0stGambit.
The dropper, in turn, checks for security software (such as 360 Safe Guard and Microsoft Defender Antivirus) before contacting the command-and-control (C2) server to retrieve the Gh0st RAT.
“Gh0st RAT is written in C++ and has many features, including process termination, file deletion, audio and screenshot capture, remote command execution, keylogging, data theft, registry, file and directory hiding through rootkit capabilities and more,” eSentire said.
It is also capable of dropping Mimikatz, enabling RDP on compromised hosts, accessing account IDs associated with Tencent QQ, clearing Windows event logs, and wiping data from 360 Secure Browser, QQ Browser, and Sogou Explorer.
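Three of the behaviours listed above leave footprints that a defender can hunt for: the Chrome installer fetched from a host that is not Google's, the clearing of Windows event logs (Security event ID 1102 "The audit log was cleared", System event ID 104), and RDP being switched on by setting the registry value fDenyTSConnections to 0, which Sysmon reports as a registry value-set event (ID 13). The detection logic below is an added example, not code from eSentire or ASEC; the sample telemetry, host names, the shape of the proxy-log records and the allowlist of download hosts are all constructed assumptions.

```python
"""Hunt rules for three Gh0st RAT / Gh0stGambit behaviours described in the
article. Added example, not the vendors' code. All input is constructed."""
import re
from urllib.parse import urlparse

# Constructed sample telemetry (not real data from the campaign), shaped like
# a web-proxy log, Windows Security/System events and Sysmon registry events.
SAMPLE_EVENTS = [
    {"src": "proxy", "host_name": "WS01", "url": "http://chrome-web.com/ChromeSetup.msi"},
    {"src": "proxy", "host_name": "WS02", "url": "https://dl.google.com/chrome/install/ChromeSetup.exe"},
    {"src": "Security", "event_id": 4624, "host_name": "WS01",
     "process": "C:\\Windows\\System32\\lsass.exe"},
    {"src": "Security", "event_id": 1102, "host_name": "WS01",
     "process": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe"},
    {"src": "System", "event_id": 104, "host_name": "WS01",
     "process": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe"},
    # Benign: an admin disabling RDP (value 1 = deny connections) via svchost/GPO.
    {"src": "Microsoft-Windows-Sysmon/Operational", "event_id": 13, "host_name": "WS02",
     "process": "C:\\Windows\\System32\\svchost.exe",
     "target": "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections",
     "details": "DWORD (0x00000001)"},
    # Suspicious: a binary in the user's Temp directory enabling RDP (value 0).
    {"src": "Microsoft-Windows-Sysmon/Operational", "event_id": 13, "host_name": "WS01",
     "process": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
     "target": "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections",
     "details": "DWORD (0x00000000)"},
]

# Assumption: in this environment Chrome installers are only expected from Google hosts.
CHROME_INSTALLER = re.compile(r"chrome[^/]*\.(msi|exe)$", re.IGNORECASE)
DENY_TS_VALUE = re.compile(r"\\Terminal Server\\fDenyTSConnections$", re.IGNORECASE)
SYSMON_DWORD = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")  # Sysmon's Details format


def is_fake_chrome_download(ev):
    """Chrome-named installer downloaded from a host outside google.com."""
    if ev.get("src") != "proxy":
        return False
    u = urlparse(ev["url"])
    host = (u.hostname or "").lower()
    from_google = host == "google.com" or host.endswith(".google.com")
    return bool(CHROME_INSTALLER.search(u.path)) and not from_google


def is_log_cleared(ev):
    """Security 1102 = audit log cleared; System 104 = a log was cleared."""
    return (ev.get("src"), ev.get("event_id")) in {("Security", 1102), ("System", 104)}


def is_rdp_enabled(ev):
    """Sysmon ID 13 writing fDenyTSConnections = 0 (0 allows RDP, 1 denies it)."""
    if ev.get("event_id") != 13 or not DENY_TS_VALUE.search(ev.get("target", "")):
        return False
    m = SYSMON_DWORD.search(ev.get("details", ""))
    return bool(m) and int(m.group(1), 16) == 0


RULES = [
    ("fake_chrome_installer_download", is_fake_chrome_download),
    ("event_log_cleared", is_log_cleared),
    ("rdp_enabled_via_registry", is_rdp_enabled),
]


def detect(events):
    """Run every rule over every event; return one finding per rule hit."""
    findings = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                findings.append({"rule": name, "host": ev.get("host_name"),
                                 "process": ev.get("process"), "url": ev.get("url")})
    return findings


def correlate(findings):
    """Hosts where two or more distinct rules fired: the post-infection picture
    the article describes, rather than a single noisy event."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["rule"])
    return {h: sorted(rules) for h, rules in by_host.items() if len(rules) >= 2}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f['host']}: {f['rule']} ({f['process'] or f['url']})")
    print("correlated:", correlate(hits))
```

Any one of these rules fires on legitimate activity now and then (log retention jobs, admins enabling RDP by policy), which is why the example correlates per host instead of alerting on single events; the registry rule deliberately ignores writes of value 1, which disable RDP.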
The Canadian company said the artifact matches a variant of the Gh0st RAT tracked by the AhnLab Security Intelligence Center (ASEC) under the alias HiddenGh0st.
“Over the past few years, the Gh0st RAT has been widely used and modified by APTs and criminal groups,” eSentire said. “Recent findings highlight the distribution of this threat through drive-by downloads, tricking users into downloading a malicious Chrome installer from a fraudulent website.”
“The continued success of drive-by downloads reinforces the need for ongoing security education and awareness programs.”
Broadcom-owned Symantec has reported an increase in phishing campaigns that are likely using large language models (LLMs) to create malicious PowerShell and HTML code used to download multiple loaders and stealers.
The emails contained “code used to download various payloads, including Rhadamanthys, NetSupport RAT, CleanUpLoader (Broomstick, Oyster), ModiLoader (DBatLoader), LokiBot and Dunihi (H-Worm),” security researchers Nguyen Hoang Giang and Yi Helen Zhang said. “Analysis of the scripts used to deliver the malware in these attacks shows that they were created using LLMs.”