The remote access trojan known as Gh0st RAT has been observed being delivered by an “evasive dropper” called Gh0stGambit as part of a drive-by download scheme targeting Chinese-speaking Windows users.
These infections stem from a fake website (“chrome-web[.]com”) serving malicious installer packages masquerading as Google’s Chrome browser, indicating that users searching for the software on the web are being singled out.
Gh0st RAT is a long-standing malware that has been observed in the wild since 2008, manifesting in the form of different variants over the years in campaigns primarily orchestrated by China-nexus cyberespionage groups.
Some iterations of the trojan have also been previously deployed by infiltrating poorly-secured MS SQL server instances, using it as a conduit to install the Hidden open-source rootkit.
According to cybersecurity firm eSentire, which discovered the latest activity, the targeting of Chinese-speaking users is based on “the use of Chinese-language web lures and Chinese applications targeted for data theft and defense evasion by the malware.”
The MSI installer downloaded from the phony website contains two files, a legitimate Chrome setup executable and a malicious installer (“WindowsProgram.msi”), the latter of which is used to launch shellcode that’s responsible for loading Gh0stGambit.
The dropper, in turn, checks for the presence of security software (e.g., 360 Safe Guard and Microsoft Defender Antivirus) before establishing contact with a command-and-control (C2) server in order to retrieve Gh0st RAT.
“Gh0st RAT is written in C++ and has many features, including terminating processes, removing files, capturing audio and screenshots, remote command execution, keylogging, data exfiltration, hiding registry, files, and directories via the rootkit capabilities, and many more,” eSentire said.
It’s also capable of dropping Mimikatz, enabling RDP on the compromised hosts, accessing account identifiers associated with Tencent QQ, clearing Windows event logs, and erasing data from 360 Secure Browser, QQ Browser, and Sogou Explorer.
The Canadian company said the artifact shares overlaps with a Gh0st RAT variant tracked by the AhnLab Security Intelligence Center (ASEC) under the moniker HiddenGh0st.
“Gh0st RAT has seen widespread use and modification by APT and criminal groups over the past several years,” eSentire said. “The recent findings highlight the distribution of this threat via drive-by downloads, deceiving users into downloading a malicious Chrome installer from a deceptive website.”
“The continued success of drive-by downloads reinforces the need for ongoing security training and awareness programs.”
The development comes as Broadcom-owned Symantec said it observed an increase in phishing campaigns likely leveraging Large Language Models (LLMs) to generate malicious PowerShell and HTML code used to download several loaders and stealers.
The emails contained “code used to download various payloads, including Rhadamanthys, NetSupport RAT, CleanUpLoader (Broomstick, Oyster), ModiLoader (DBatLoader), LokiBot, and Dunihi (H-Worm),” security researchers Nguyen Hoang Giang and Yi Helen Zhang said. “Analysis of the scripts used to deliver malware in these attacks suggests they were generated using LLMs.”
