gh0st RAT

gh0st RAT is a remote access tool (RAT). The source code is public and it has been used by multiple groups.[1][2][3]

ID: S0032
Associated Software: Mydoor, Moudoor
Type: MALWARE
Platforms: Windows, macOS
Version: 3.3
Created: 31 May 2017
Last Modified: 07 May 2024

Associated Software Descriptions

Name      Description
Mydoor    [4]
Moudoor   [4]

Techniques Used

Domain   ID         Name                                                            Use

Enterprise T1112 Modify Registry

gh0st RAT has altered the InstallTime subkey.[5]

Enterprise T1129 Shared Modules

gh0st RAT can load DLLs into memory.[5]

Enterprise T1543.003 Create or Modify System Process: Windows Service

gh0st RAT can create a new service to establish persistence.[3][5]

Enterprise T1573 Encrypted Channel

gh0st RAT has encrypted TCP communications to evade detection.[5]

Enterprise T1573.001 Encrypted Channel: Symmetric Cryptography

gh0st RAT uses RC4 and XOR to encrypt C2 traffic.[3]

Enterprise T1568.001 Dynamic Resolution: Fast Flux DNS

gh0st RAT operators have used dynamic DNS to mask the true location of their C2 behind rapidly changing IP addresses.[5]

Enterprise T1574.002 Hijack Execution Flow: DLL Side-Loading

A gh0st RAT variant has used DLL side-loading.[2]

Enterprise T1140 Deobfuscate/Decode Files or Information

gh0st RAT has decrypted and loaded the gh0st RAT DLL into memory once the initial dropper executable is launched.[5]

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

gh0st RAT has added a Registry Run key to establish persistence.[3][5]

Enterprise T1059 Command and Scripting Interpreter

gh0st RAT is able to open a remote shell to execute commands.[1][3]

Enterprise T1113 Screen Capture

gh0st RAT can capture the victim's screen remotely.[3]

Enterprise T1132.001 Data Encoding: Standard Encoding

gh0st RAT has used Zlib to compress C2 communications data before encrypting it.[5]

Enterprise T1106 Native API

gh0st RAT has used the InterlockedExchange, SeShutdownPrivilege, and ExitWindowsEx Windows API functions.[5]

Enterprise T1012 Query Registry

gh0st RAT has checked for the existence of a Service key to determine if it has already been installed on the system.[5]

Enterprise T1070.001 Indicator Removal: Clear Windows Event Logs

gh0st RAT is able to wipe event logs.[1][5]

Enterprise T1070.004 Indicator Removal: File Deletion

gh0st RAT has the capability to delete files.[1][5]

Enterprise T1218.011 System Binary Proxy Execution: Rundll32

A gh0st RAT variant has used rundll32 for execution.[2]

Enterprise T1082 System Information Discovery

gh0st RAT has gathered system architecture, processor, OS configuration, and installed hardware information.[5]

Enterprise T1569.002 System Services: Service Execution

gh0st RAT can execute its service if the Service key exists. If the key does not exist, gh0st RAT will create and run the service.[5]

Enterprise T1105 Ingress Tool Transfer

gh0st RAT can download files to the victim's machine.[3][5]

Enterprise T1056.001 Input Capture: Keylogging

gh0st RAT has a keylogger.[6][5]

Enterprise T1057 Process Discovery

gh0st RAT has the capability to list processes.[1]

Enterprise T1055 Process Injection

gh0st RAT can inject malicious code into a process created by the "Command_Create&Inject" function.[5]

Enterprise T1095 Non-Application Layer Protocol

gh0st RAT has used an encrypted protocol within TCP segments to communicate with the C2.[5]

Groups That Use This Software

Campaigns

ID      Name                   Description
C0016   Operation Dust Storm   [19]

References