Introducing Gh0stGambit: A Dropper for Deploying Gh0st RAT
July 31, 2024, 10:59 a.m.
Description
This analysis examines a recent malware campaign involving a dropper dubbed Gh0stGambit, which is employed to retrieve and execute encrypted payloads, specifically a variant of the notorious Gh0st Remote Access Trojan (RAT). The report details the multi-stage infection process, including the use of deceptive Chrome installer lures, the dropper's evasive techniques, and the capabilities of the delivered Gh0st RAT variant. The malware exhibits advanced functionality, such as rootkit components, keylogging, process termination, and data exfiltration. The investigation concludes that the campaign primarily targets Chinese-speaking users, based on the use of Chinese web lures and the malware's ability to gather information from Chinese applications.
Date
Published: July 31, 2024, 10:43 a.m.
Created: July 31, 2024, 10:43 a.m.
Modified: July 31, 2024, 10:59 a.m.
Indicators
107.148.73.225
http://pplilv.bond/d4/107.148.73.225/code32
http://pplilv.bond/d4/107.148.73.225/reg32
hacker.heikeniubi.buzz
pplilv.bond
chrome-web.com
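The indicators above are most useful when run against proxy and DNS telemetry for the lure domain, the two staging URLs and the C2 address. The following is an added example, not code from the report or its authors: it loads the page's indicators, normalizes each logged destination (URL, bare host or IP, with port and query stripped), and returns the hits. The log line format ("timestamp client_ip action destination") and the sample lines are constructed for this example and are not from the campaign.

```python
"""Match the Gh0stGambit indicators listed above against proxy/DNS log lines.

Indicators are those published on the page; the log format and the sample
lines are constructed for this example.
"""
from ipaddress import ip_address
from urllib.parse import urlsplit

# Indicators from the page's Indicators section.
IOC_IPS = {"107.148.73.225"}
IOC_DOMAINS = ("hacker.heikeniubi.buzz", "pplilv.bond", "chrome-web.com")
IOC_URLS = {
    "http://pplilv.bond/d4/107.148.73.225/code32",
    "http://pplilv.bond/d4/107.148.73.225/reg32",
}


def split_destination(dest):
    """Return (host, url) for a full URL or a bare host[:port] / ip[:port].

    url is the scheme://host/path form with the query removed, or None for a
    bare destination, so a staging URL still matches when a query is appended.
    """
    if "://" in dest:
        parts = urlsplit(dest)
        host = parts.hostname or ""
        url = f"{parts.scheme}://{parts.netloc.lower()}{parts.path}"
    else:
        # Strip a single trailing :port; bracketed IPv6 is left untouched.
        host = dest.rsplit(":", 1)[0] if dest.count(":") == 1 else dest
        url = None
    return host.lower().rstrip("."), url


def match_destination(dest):
    """Return a list of (indicator_type, indicator) hits for one destination."""
    host, url = split_destination(dest)
    hits = []
    if url in IOC_URLS:
        hits.append(("url", url))
    try:
        ip = ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if str(ip) in IOC_IPS:
            hits.append(("ip", str(ip)))
    else:
        # Match the domain itself and any subdomain of it (first match wins).
        for d in IOC_DOMAINS:
            if host == d or host.endswith("." + d):
                hits.append(("domain", d))
                break
    return hits


def scan_log(lines):
    """Scan 'timestamp client_ip action destination' lines (constructed format).

    Returns a list of (line_number, client_ip, indicator_type, indicator).
    """
    findings = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash the scan
        _ts, client, _action, dest = fields[:4]
        for kind, ioc in match_destination(dest):
            findings.append((n, client, kind, ioc))
    return findings


def affected_clients(findings):
    """Set of client IPs that contacted at least one indicator."""
    return {client for _n, client, _kind, _ioc in findings}


# Constructed sample log: one host walks the lure -> stager -> C2 chain,
# a second host only contacts legitimate Google infrastructure.
SAMPLE_LOG = [
    "2024-07-30T09:12:01Z 10.1.4.22 GET http://chrome-web.com/",
    "2024-07-30T09:12:05Z 10.1.4.22 GET http://pplilv.bond/d4/107.148.73.225/code32",
    "2024-07-30T09:12:06Z 10.1.4.22 GET http://pplilv.bond/d4/107.148.73.225/reg32?x=1",
    "2024-07-30T09:13:40Z 10.1.4.22 DNS hacker.heikeniubi.buzz",
    "2024-07-30T09:13:41Z 10.1.4.22 CONNECT 107.148.73.225:443",
    "2024-07-30T09:14:00Z 10.1.4.23 GET https://www.google.com/chrome/",
    "2024-07-30T09:14:02Z 10.1.4.23 DNS update.googleapis.com",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print("affected clients:", sorted(affected_clients(scan_log(SAMPLE_LOG))))
```

A staging URL produces both a "url" and a "domain" hit on the same line, which is intentional: the domain match survives if the operator rotates paths, while the URL match pins the specific payload stages named on the page. Subdomain matching is suffix-based on the listed domains, so a bare host like "cdn.chrome-web.com" is caught without listing every subdomain.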
Attack Patterns
Moudoor
Mydoor
gh0st RAT - S0032
T1024
T1039
T1137
T1548
T1497
T1113
T1005
T1021
T1598
T1529
T1489
T1547
T1055
T1134
T1036
T1140
T1560
T1112
T1056
T1059
CVE-2024-5806