Attackers are using Gh0stGambit to spread Gh0st RAT malware to Chinese users via a fake Google Chrome download page that mimics the legitimate site.
GH0ST RAT Trojan Targets Chinese Windows Users
In early June, researchers found a malicious campaign targeting Chinese users. Gh0st RAT is spread via Gh0stGambit through a phishing site, chrome-web[.]com. The fake Chrome installer site uses a drive-by download method, delivering both a legitimate Chrome executable and a malicious installer, WindowsProgram.msi, which installs Gh0stGambit.
Gh0st RAT, a long-standing malware from APT27, has been publicly available since 2008, and its command infrastructure was based in China. Written in C++, it has evolved over the years and has been used by China-linked cyber espionage groups; a modified variant appeared in 2018 campaigns.
Gh0stGambit launches a multi-stage attack. It first checks for anti-malware software like Microsoft Defender or 360 SafeGuard and adds its folder to their exclusions. It then connects to a command and control server at hxxp://pplilv.bond/d4/107.148.73[.]225/reg32 to download Gh0st RAT.
The RAT, delivered in encrypted form as Registry Workshop, provides remote access, collects information, and includes a rootkit to hide system elements. It can also drop Mimikatz, enable RDP, access Tencent QQ account details, clear Windows logs, and erase data from various browsers.
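Two of the behaviours described above leave traces in Windows event logs that a defender can look for: an exclusion being added to Microsoft Defender (recorded as a configuration-change event, ID 5007, in the Defender operational log) and the Security or System log being cleared (Security event 1102 and System event 104). The script below, an added example that is not part of the original article, triages exported event records for both. The records are constructed to resemble those events; the excluded folder path and timestamps are invented, and the message wording is an approximation of the real event text.

```python
"""Triage Windows event records for Defender exclusion additions and log clearing.

Added example: the events below are constructed, not captured from a real host.
"""
import re
from dataclasses import dataclass

# Defender operational log, event 5007: antimalware platform configuration changed.
# The message names the registry value that changed, so a new path exclusion shows
# up under ...\Windows Defender\Exclusions\Paths\<folder>.
DEFENDER_CONFIG_CHANGED = 5007
DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"

# Security 1102 ("The audit log was cleared") and System 104 ("The System log
# file was cleared") record a log being wiped.
LOG_CLEARED = {("Security", 1102), ("System", 104)}

# Captures the folder that follows Exclusions\Paths\ up to the " = <value>" suffix.
EXCLUSION_RE = re.compile(r"Exclusions\\Paths\\(?P<path>[^=]+?)\s*=", re.IGNORECASE)


@dataclass
class Event:
    channel: str
    event_id: int
    message: str


# Constructed sample export; the excluded folder is a placeholder, not an IoC.
SAMPLE_EVENTS = [
    Event(DEFENDER_CHANNEL, DEFENDER_CONFIG_CHANGED,
          r"Windows Defender Antivirus Configuration has changed. New value: "
          r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\example-dropper = 0x0"),
    Event(DEFENDER_CHANNEL, DEFENDER_CONFIG_CHANGED,
          r"Windows Defender Antivirus Configuration has changed. New value: "
          r"HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\DisableArchiveScanning = 0x0"),
    Event("Security", 4624, "An account was successfully logged on."),
    Event("Security", 1102, "The audit log was cleared."),
    Event("System", 104, "The System log file was cleared."),
]


def find_exclusion_additions(events):
    """Return folder paths that 5007 events show being added to Defender path exclusions."""
    found = []
    for ev in events:
        if ev.channel != DEFENDER_CHANNEL or ev.event_id != DEFENDER_CONFIG_CHANGED:
            continue
        m = EXCLUSION_RE.search(ev.message)
        if m:
            found.append(m.group("path").strip())
    return found


def find_log_clearing(events):
    """Return (channel, event_id) pairs for events that record a log being cleared."""
    return [(ev.channel, ev.event_id) for ev in events
            if (ev.channel, ev.event_id) in LOG_CLEARED]


def triage(events):
    """Produce one human-readable finding per suspicious event."""
    findings = [f"Defender path exclusion added: {p}" for p in find_exclusion_additions(events)]
    findings += [f"{channel} log cleared (event {eid})" for channel, eid in find_log_clearing(events)]
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

On a live host the same logic applies to records pulled with `Get-WinEvent` and exported to a file; an exclusion added outside a change window, followed shortly by log clearing, is the combination worth alerting on rather than either event alone.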
It’s unusual for malware of this kind to target users in mainland China, as attackers typically avoid domestic targets due to legal risks. However, APT27 has a history of spying on Chinese citizens, both on the mainland and in Taiwan.
Multi-stage, component-based attacks require capable security software: robust real-time and signature-database protection, together with network defenses that can filter out phishing sites like the one used in this campaign.
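The phishing site in this campaign, chrome-web[.]com, is a brand lookalike rather than a typo of a real Google host, so a network-side filter can catch it by comparing the registered domain of each DNS query against an allowlist of the brand's legitimate domains. The script below is an added example, not part of the original article: the DNS log lines are constructed in a dnsmasq-like format, and the allowlist of Google domains is an assumption for illustration, not an authoritative list of Chrome download hosts. Only the defanged domain from the article is taken from the page.

```python
"""Flag DNS queries for brand-lookalike domains such as the fake Chrome site.

Added example: log lines are constructed and the allowlist is assumed.
"""
import re


def refang(ioc):
    """Turn the article's defanged notation (chrome-web[.]com, hxxp) back into a matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


BRAND_KEYWORDS = ("chrome", "google")
# Assumed allowlist of registered domains that legitimately serve Chrome.
LEGIT_REGISTERED_DOMAINS = {"google.com", "gstatic.com", "googleapis.com"}
# Defanged IoC from the article, refanged for matching.
KNOWN_PHISHING = {refang("chrome-web[.]com")}


def registered_domain(host):
    """Simplified eTLD+1: last two labels (no public-suffix list, so co.uk-style TLDs are not handled)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(host):
    """Known phishing beats allowlist; allowlist beats keyword heuristics."""
    rd = registered_domain(host)
    if rd in KNOWN_PHISHING:
        return "known-phishing"
    if rd in LEGIT_REGISTERED_DOMAINS:
        return "allowlisted"
    if any(k in host.lower() for k in BRAND_KEYWORDS):
        return "lookalike"
    return "other"


# Constructed log lines: "<time> dnsmasq[pid]: query[A] <name> from <client>"
SAMPLE_LOG = """\
Jun 05 10:01:02 dnsmasq[123]: query[A] dl.google.com from 10.0.0.15
Jun 05 10:01:09 dnsmasq[123]: query[A] chrome-web.com from 10.0.0.15
Jun 05 10:01:10 dnsmasq[123]: query[A] www.chrome-web.com from 10.0.0.15
Jun 05 10:02:11 dnsmasq[123]: query[A] update.googleapis.com from 10.0.0.22
Jun 05 10:03:30 dnsmasq[123]: query[A] google-chrome-download.example from 10.0.0.31
Jun 05 10:04:00 dnsmasq[123]: query[A] news.example.org from 10.0.0.31
"""

QUERY_RE = re.compile(r"query\[\w+\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")


def scan_dns_log(text):
    """Return (client, queried name, verdict) for every query worth blocking or reviewing."""
    findings = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        verdict = classify(m["name"])
        if verdict in ("known-phishing", "lookalike"):
            findings.append((m["client"], m["name"], verdict))
    return findings


if __name__ == "__main__":
    for client, name, verdict in scan_dns_log(SAMPLE_LOG):
        print(f"{client} -> {name}: {verdict}")
```

The "lookalike" verdict is a review queue rather than an automatic block: a brand keyword inside an unfamiliar domain is a strong signal for a download site, but the allowlist has to be maintained from the vendor's published hosts, and a real deployment should use a public-suffix list instead of the two-label shortcut above.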