Gh0stGambit: New Dropper Delivers Gh0st RAT to Chinese Users via Drive-by Downloads

A remote access trojan called Gh0st RAT has been discovered being distributed through a "dropper" named Gh0stGambit as part of a drive-by download scheme targeting Chinese Windows users. The dropper disguises itself as a Chrome browser installer hosted on a fake website ("chrome-web[.]com"), which indicates that people searching for the browser online are being specifically targeted.

Gh0st RAT, which has been around since 2008, is known for its many variants and is primarily used by Chinese cyberespionage groups in their campaigns. Some variants have also been used to install the Hidden rootkit after exploiting weakly secured MS SQL servers.

The dropper, Gh0stGambit, checks for security software before contacting a command-and-control server to download Gh0st RAT. The trojan supports terminating processes, deleting files, taking screenshots, capturing audio, executing commands remotely, keylogging, exfiltrating data, hiding files and directories, and more. It can also drop Mimikatz, enable RDP on compromised hosts, access Tencent QQ account identifiers, clear event logs, and erase data from certain browsers.

eSentire, a cybersecurity firm, has identified similarities between this variant and one tracked as HiddenGh0st by the AhnLab Security Intelligence Center (ASEC). Gh0st RAT has been used extensively by both APT and criminal groups over the years. The latest finding highlights its distribution through drive-by downloads, which trick users into fetching a malicious Chrome installer from a fraudulent website.

Symantec, now owned by Broadcom, reported an increase in phishing campaigns using Large Language Models (LLMs) to generate malicious PowerShell and HTML code used to download various loaders and stealers like Rhadamanthys, NetSupport RAT, CleanUpLoader (Broomstick, Oyster), ModiLoader (DBatLoader), LokiBot, and Dunihi (H-Worm).
Source: https://thehackernews.com/2024/07/gh0st-rat-trojan-targets-chinese.html?m=1