Cybersecurity researchers have identified a new malware called PLAYFULGHOST that comes with a wide range of information-gathering features, including keylogging, screen capture, audio capture, a remote shell, and file transfer/execution.
The backdoor, according to Google's Managed Defense team, shares functionality with a well-known remote administration tool called Gh0st RAT, whose source code was leaked publicly in 2008.
PLAYFULGHOST's initial access routes include phishing emails carrying code-of-conduct-themed lures and search engine optimization (SEO) poisoning techniques that distribute trojanized versions of legitimate VPN programs such as LetsVPN.
“In one phishing case, the infection begins by tricking the victim into opening a malicious RAR archive disguised as an image file using the .jpg extension,” the company said in a statement. “When unzipped and executed by the victim, the archive drops a malicious Windows executable that eventually downloads and runs PLAYFULGHOST from a remote server.”
Attack chains that rely on SEO poisoning, on the other hand, aim to trick unsuspecting users into downloading a malicious LetsVPN installer which, when run, drops an interim payload responsible for retrieving the backdoor components.
The infection chain is characterized by the use of DLL search order hijacking and sideloading to launch a malicious DLL, which is then used to decrypt and load PLAYFULGHOST into memory.
Mandiant said it has also observed a “more sophisticated execution scenario” in which a Windows shortcut file (“QQLaunch.lnk”) combines the contents of two other files named “h” and “t” to construct a rogue DLL and then loads it using a renamed version of “curl.exe.”
PLAYFULGHOST is able to establish persistence on the host using four different methods: a Run registry key, a scheduled task, the Windows Startup folder, and a Windows service. It boasts an extensive set of features that allow it to collect a wide range of data, including keystrokes, screenshots, audio, QQ account information, installed security products, clipboard contents, and system metadata.
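As an added triage example (not code from the Mandiant report and not part of the malware), the following Python applies three detection rules drawn from the behaviours described above to constructed Sysmon-style events: a process whose PE metadata says it is curl.exe but whose file name does not, an unsigned DLL loaded from a user-writable directory beside its host process (the shape of a search-order hijack or sideload), and a Run-key persistence entry pointing at a user-writable path. All paths, file names, SIDs and event field values in the sample telemetry are hypothetical, and only one of the four persistence routes is covered.

```python
"""Triage rules for the PLAYFULGHOST tradecraft described in the article,
run over constructed Sysmon-style events. Added example, not Mandiant's code."""
import ntpath
import re

# Directories a standard user can write to; DLLs and payloads staged here are
# suspicious when loaded by a signed binary or referenced from a Run key.
USER_WRITABLE = re.compile(
    r"^(?:c:\\users\\[^\\]+\\(?:appdata|downloads)\\|c:\\programdata\\|c:\\windows\\temp\\)",
    re.IGNORECASE,
)
RUN_KEY = re.compile(r"\\currentversion\\run(?:once)?\\", re.IGNORECASE)


def renamed_curl(ev):
    """Process create (EventID 1): OriginalFileName is curl.exe, image name is not."""
    if ev.get("EventID") != 1:
        return False
    return (ev.get("OriginalFileName", "").lower() == "curl.exe"
            and ntpath.basename(ev.get("Image", "")).lower() != "curl.exe")


def sideloaded_dll(ev):
    """Image load (EventID 7): unsigned DLL in a user-writable directory that is
    also the host process directory, i.e. a search-order hijack / sideload."""
    if ev.get("EventID") != 7:
        return False
    dll, host = ev.get("ImageLoaded", ""), ev.get("Image", "")
    same_dir = ntpath.dirname(dll).lower() == ntpath.dirname(host).lower()
    return (bool(USER_WRITABLE.match(dll)) and same_dir
            and ev.get("Signed", "").lower() == "false")


def run_key_to_user_path(ev):
    """Registry value set (EventID 13): Run/RunOnce entry whose data points at a
    user-writable location. Covers the Run-key persistence route only."""
    if ev.get("EventID") != 13:
        return False
    target = ev.get("TargetObject", "")
    data = ev.get("Details", "").strip('"')
    return bool(RUN_KEY.search(target)) and bool(USER_WRITABLE.match(data))


RULES = {
    "renamed_curl": renamed_curl,
    "dll_sideload": sideloaded_dll,
    "run_key_persistence": run_key_to_user_path,
}


def triage(events):
    """Return {rule_name: [indices of matching events]} for a list of events."""
    hits = {name: [] for name in RULES}
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits[name].append(i)
    return hits


# Constructed sample telemetry; every path, name and SID here is hypothetical.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\QQLaunch\u.exe",
     "OriginalFileName": "curl.exe"},                                   # renamed curl
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe",
     "OriginalFileName": "curl.exe"},                                   # benign curl
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\LetsVPN\LetsVPN.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\LetsVPN\version.dll",
     "Signed": "false"},                                                # sideload
    {"EventID": 7, "Image": r"C:\Program Files\Foo\foo.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},  # benign load
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\QQLaunch",
     "Details": r"C:\ProgramData\QQLaunch\QQLaunch.exe"},               # Run-key persistence
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\OneDrive\OneDrive.exe"'},           # benign Run entry
]

if __name__ == "__main__":
    for rule, idx in triage(SAMPLE_EVENTS).items():
        print(f"{rule}: events {idx}")
```

The rules deliberately key on PE metadata (OriginalFileName) rather than the on-disk name, and on the DLL's location relative to its host process rather than the DLL name, since the attackers control both the file name and the directory; the remaining three persistence routes (scheduled task, Startup folder, service) would need rules over their own event types.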
It also comes with options to drop additional payloads, block mouse and keyboard input, clear Windows event logs, wipe clipboard data, perform file operations, delete caches and profiles associated with web browsers such as Sogou, QQ, 360 Safety, Firefox and Google Chrome, and erase profiles and local storage for messaging apps like Skype, Telegram and QQ.
Some of the other tools deployed through PLAYFULGHOST are Mimikatz and a rootkit capable of hiding registry keys, files and processes specified by the threat actors. Also bundled with the PLAYFULGHOST component download is an open-source utility called Terminator, which can kill security processes by means of a Bring Your Own Vulnerable Driver (BYOVD) attack.
“In one instance, Mandiant observed that the PLAYFULGHOST payload was embedded within BOOSTWAVE,” the tech giant said. “BOOSTWAVE is a shellcode that acts as an in-memory dropper for an appended Portable Executable (PE) payload.”
The targeting of apps like Sogou, QQ and 360 Safety, together with the use of LetsVPN lures, makes it likely that these infections are aimed at Chinese-speaking Windows users. In July 2024, Canadian cybersecurity vendor eSentire disclosed a similar campaign that used fake installers for Google Chrome to distribute Gh0st RAT by means of a dropper called Gh0stGambit.