Gh0strat – A New Trojan Campaign by Higaisa


Friday, June 12th, 2020

Prevailion’s Tailored Intelligence Team has detected a new campaign they named “The Gh0st Remains the Same.” They believe this campaign began between May 11th and 12th of this year. The core of the campaign is a compressed RAR archive that contains trojanized files for the victim to open.

When opened, the files display decoy web pages associated with the software company “Zeplin,” which has developed a platform to create a “connected space for product teams” and claims over three million customers, including Starbucks, Airbnb, Slack, Dropbox, Pinterest, Shopify, Feedly, and MailChimp.

Prevailion believes that the attackers chose to imitate collaboration software with a sizable user base in order to more easily phish potential victims who may be working from home during the COVID-19 pandemic.


This campaign is considered ‘user-initiated’, with the main lure being an archive called “Project link and New copyright policy.rar.” Once decompressed, it contains two Microsoft shortcut (.lnk) files and a PDF, all three referencing the Zeplin platform. If the victim clicks on a shortcut file, it begins a multistep infection chain that ultimately deploys a Gh0st RAT agent. For a more detailed analysis of the infection vector, as well as details regarding the malicious PDF and the two Microsoft shortcut files, please reference the file at the end of this article, “Gh0strat Analysis.”

The RAT persists on an infected machine by means of a scheduled task, while hiding itself as a seemingly legitimate binary in the Windows Startup folder. During the initial infection process, the target machine communicates with three different remote command and control nodes. There is also some evidence that the agent can communicate over DNS as well as HTTP.
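The persistence and command-and-control behaviour described above maps onto a few endpoint telemetry checks. The following is an added illustration written for this page, not Prevailion’s tooling and not an analysis of the actual samples: it correlates, per host, a scheduled task whose action runs from the Startup folder (noting when the binary name impersonates a system executable), with a process that fans out to several distinct remote addresses over the DNS and HTTP ports. The event layout is an assumed, simplified EDR-style record, and every sample value is constructed.

```python
"""Endpoint-telemetry correlation for Startup-folder persistence and C2 fan-out.

Added example for this page; not Prevailion's code. The record layout is an
assumed, simplified EDR-style event and all sample values are constructed.
"""
import re
from collections import defaultdict

# Path component of the per-user (and all-users) Windows Startup folder.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

# Names that legitimately live under %SystemRoot%\System32. A copy anywhere else,
# let alone in the Startup folder, is a masquerade signal. Short assumed list;
# in practice build it from a software inventory.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe"}

# Channels the article associates with the agent: DNS and HTTP.
C2_PORTS = {("udp", 53), ("tcp", 53), ("tcp", 80)}

# Constructed sample telemetry (hosts, pids and addresses are made up;
# the IPs are RFC 5737 documentation ranges).
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "scheduled_task_created", "task": r"\UpdateCheck",
     "action": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"},
    {"host": "WS01", "type": "net_conn", "pid": 4412, "proto": "tcp", "dport": 80, "dst": "198.51.100.7"},
    {"host": "WS01", "type": "net_conn", "pid": 4412, "proto": "udp", "dport": 53, "dst": "198.51.100.8"},
    {"host": "WS01", "type": "net_conn", "pid": 4412, "proto": "tcp", "dport": 80, "dst": "203.0.113.9"},
    {"host": "WS02", "type": "scheduled_task_created", "task": r"\Adobe Updater",
     "action": r"C:\Program Files\Adobe\updater.exe"},
    {"host": "WS02", "type": "net_conn", "pid": 900, "proto": "tcp", "dport": 443, "dst": "192.0.2.20"},
]


def persistence_findings(event):
    """Flag a scheduled task whose action runs from the Startup folder, and note
    whether the executable's file name impersonates a system binary."""
    if event.get("type") != "scheduled_task_created":
        return []
    action = event["action"]
    if not STARTUP_RE.search(action):
        return []
    findings = ["scheduled_task_runs_from_startup_folder"]
    name = action.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_BINARY_NAMES:
        findings.append(f"system_binary_name_outside_system32:{name}")
    return findings


def c2_fanout(events, min_distinct=3):
    """Return {(host, pid): sorted destinations} for processes that contacted at
    least `min_distinct` distinct remote addresses over the DNS/HTTP ports."""
    seen = defaultdict(set)
    for e in events:
        if e.get("type") == "net_conn" and (e["proto"], e["dport"]) in C2_PORTS:
            seen[(e["host"], e["pid"])].add(e["dst"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_distinct}


def triage(events):
    """Per-host summary of persistence findings and C2 fan-out for analyst review."""
    report = defaultdict(lambda: {"persistence": [], "c2_fanout": {}})
    for e in events:
        for f in persistence_findings(e):
            report[e["host"]]["persistence"].append(f)
    for (host, pid), dsts in c2_fanout(events).items():
        report[host]["c2_fanout"][pid] = dsts
    return {h: r for h, r in report.items() if r["persistence"] or r["c2_fanout"]}


if __name__ == "__main__":
    for host, result in triage(SAMPLE_EVENTS).items():
        print(host, result)
```

Only WS01 surfaces: its task runs an `svchost.exe` from the user’s Startup folder, and the same process reaches three distinct addresses over ports 53 and 80. The fan-out threshold of three is chosen to match the three C2 nodes the article describes; tune it to the environment, and treat the combination of the two signals, not either one alone, as the reason to escalate.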

Gh0st RAT is a Windows Trojan horse used for cyber espionage. On systems infected with Gh0st RAT, the threat actor gains complete, real-time control: the machine can be remotely operated and inspected, and the software can turn on the camera and audio-recording functions of the infected computer.


The initial sample analyzed by Prevailion was previously uploaded to VirusTotal on May 12th, likely indicating the initial launch of the campaign. Prevailion also observed a subsequent campaign utilizing the same infection process that began on May 30th.

The main difference between this campaign and the first was in its use of a trojanized CV impersonating a college student named “Wang Lei” from Hong Kong, and the use of a hard-coded IP address instead of a threat actor domain.

By analyzing the timestamps, Prevailion determined that they align with the GMT+8 time zone. They also noticed several correlations between this campaign and a “Coronavirus (COVID-19) Situational Report” campaign that occurred earlier this year and was associated with the group Higaisa. Prevailion is moderately confident that Higaisa is also behind this current campaign; it is also important to note that Higaisa is likely sponsored by the North Korean government.


Because this new Gh0st RAT campaign is user-initiated, all users should exercise great caution when receiving emails from an unknown source. It is also advisable that users not execute any Microsoft shortcut links, especially from untrusted sources. All antivirus services should be enabled and kept updated, as this threat actor relies on commercially available toolkits. Where viable, administrators should increase monitoring of network logs for remote connections to VPS providers.
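Two of the recommendations above translate directly into network-log triage: flagging outbound connections into VPS-provider address space, and flagging HTTP sessions to an address that the client never obtained from a DNS answer, which is what the second campaign’s hard-coded IP address would look like on the wire. The following is an added example written for this page, not Prevailion’s code. The log formats are an assumed simplified form, the “VPS” ranges are RFC 5737 documentation networks standing in for a real, curated provider list, and every log line is constructed.

```python
"""Network-log triage: connections into VPS ranges and HTTP to unresolved IPs.

Added example for this page; not Prevailion's code. Log formats are assumed,
the VPS ranges are documentation networks used as placeholders for a real
provider list, and all log lines are constructed.
"""
import ipaddress

# Placeholder for a curated list of hosting/VPS provider netblocks.
VPS_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Internal address space to ignore (RFC 1918 plus loopback). Listed explicitly
# rather than via ip_address().is_global, because Python treats the RFC 5737
# documentation ranges used in this example as non-global.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed DNS log, one answer per line: "ts client qname answer"
DNS_LOG = """\
1590800000 10.0.0.5 cdn.example.net 192.0.2.10
1590800005 10.0.0.5 mail.example.org 192.0.2.11
"""

# Constructed connection log: "ts client dst dport proto"
CONN_LOG = """\
1590800010 10.0.0.5 192.0.2.10 443 tcp
1590800011 10.0.0.5 198.51.100.7 80 tcp
1590800012 10.0.0.5 203.0.113.9 80 tcp
1590800013 10.0.0.5 192.0.2.11 25 tcp
1590800014 10.0.0.6 192.0.2.10 443 tcp
"""


def parse_dns(text):
    """Map each client to the set of IP answers it has received."""
    resolved = {}
    for line in text.splitlines():
        _ts, client, _qname, answer = line.split()
        resolved.setdefault(client, set()).add(answer)
    return resolved


def parse_conn(text):
    """Parse connection records into dicts."""
    rows = []
    for line in text.splitlines():
        ts, client, dst, dport, proto = line.split()
        rows.append({"ts": int(ts), "client": client, "dst": dst,
                     "dport": int(dport), "proto": proto})
    return rows


def in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def triage(conn_text, dns_text, http_ports=(80,)):
    """Return (client, dst, dport, reasons) for each outbound connection that
    lands in a VPS range and/or is HTTP to an IP the client never resolved."""
    resolved = parse_dns(dns_text)
    findings = []
    for row in parse_conn(conn_text):
        if in_any(row["dst"], INTERNAL_RANGES):
            continue  # internal traffic is out of scope here
        reasons = []
        if in_any(row["dst"], VPS_RANGES):
            reasons.append("vps_range")
        if row["dport"] in http_ports and row["dst"] not in resolved.get(row["client"], set()):
            reasons.append("http_to_unresolved_ip")
        if reasons:
            findings.append((row["client"], row["dst"], row["dport"], reasons))
    return findings


if __name__ == "__main__":
    for finding in triage(CONN_LOG, DNS_LOG):
        print(finding)
```

Both flagged rows come from the same client hitting port 80 on addresses that never appeared in its DNS answers and that sit inside the placeholder VPS ranges; the legitimate HTTPS and SMTP sessions, which were preceded by a resolution, are left alone. Correlating by client matters: a resolver cache or a different host’s lookup should not vouch for a connection the client itself never resolved.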

