Introducing Gh0stGambit: A Dropper for Deploying Gh0st RAT

July 31, 2024, 10:59 a.m.

Description

This analysis examines a recent malware campaign involving a dropper dubbed Gh0stGambit, which is employed to retrieve and execute encrypted payloads, specifically a variant of the notorious Gh0st Remote Access Trojan (RAT). The report details the multi-stage infection process, including the use of deceptive Chrome installer lures, the dropper's evasive techniques, and the capabilities of the delivered Gh0st RAT variant. The malware exhibits advanced functionality, such as rootkit components, keylogging, process termination, and data exfiltration. The investigation concludes that the campaign primarily targets Chinese-speaking users, based on the use of Chinese web lures and the malware's ability to gather information from Chinese applications.

Date

Published: July 31, 2024, 10:43 a.m.

Created: July 31, 2024, 10:43 a.m.

Modified: July 31, 2024, 10:59 a.m.

Indicators


Attack Patterns

Moudoor

Mydoor

gh0st RAT - S0032

T1024

T1039

T1137

T1548

T1497

T1113

T1005

T1021

T1598

T1529

T1489

T1547

T1055

T1134

T1036

T1140

T1560

T1112

T1056

T1059

CVE-2024-5806