The remote access trojan known as Gh0st RAT has been observed being delivered by an “evasive dropper” known as Gh0stGambit as part of a drive-by download scheme targeting Chinese-speaking Windows users.
These infections are coming from a fake website (“chrome-web(.)com”) offering a malicious installer package disguised as Google’s Chrome browser, indicating that users searching for software on the web are being targeted.
Gh0st RAT is a long-standing piece of malware that has been observed in the wild since 2008 and has appeared in various variants over the years, primarily in campaigns orchestrated by China-linked cyberespionage groups.
Some versions of this Trojan have previously been deployed by compromising poorly secured MS SQL Server instances and using them as a conduit to install the open-source Hidden rootkit.
Cybersecurity firm eSentire, which discovered the latest activity, said the attacks targeting Chinese-speaking users are based on “the use of Chinese-language web lures and Chinese-language applications to allow malware to steal data and evade defenses.”
The MSI installer downloaded from the fake website contains two files: a legitimate Chrome setup executable and a malicious installer (“WindowsProgram.msi”), the latter of which is used to launch shellcode that loads Gh0stGambit.
The dropper checks for the presence of security software (such as 360 Safe Guard or Microsoft Defender Antivirus) before establishing a connection with a command-and-control (C2) server to retrieve the Gh0st RAT.
“Gh0st RAT is written in C++ and has many features, including terminating processes, deleting files, capturing audio and screenshots, executing remote commands, keylogging, exfiltrating data, and hiding the registry, files, and directories with rootkit capabilities,” eSentire said.
It also has the ability to drop Mimikatz, enable RDP on compromised hosts, access account identifiers associated with Tencent QQ, clear Windows event logs, and wipe data from 360 Secure Browser, QQ Browser, and Sogou Explorer.
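As an added illustration from the defender's side (this is not code from eSentire's report or from the article), the snippet below correlates constructed Windows event records for three of the post-infection behaviours listed above: the WindowsProgram.msi install from a user-writable directory, RDP being enabled through the fDenyTSConnections registry value, and event-log clearing. The record field names, the event-ID mappings and the sample records are assumptions and constructed data, not captured telemetry.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs); field names loosely follow
# Windows event log / Sysmon conventions, which is an assumption of this example.
SAMPLE_EVENTS = [
    {"host": "ws01", "channel": "Application", "provider": "MsiInstaller", "id": 1033,
     "msg": r"Installed product WindowsProgram from C:\Users\li\Downloads\WindowsProgram.msi"},
    {"host": "ws01", "channel": "Sysmon", "provider": "Microsoft-Windows-Sysmon", "id": 13,
     "msg": r"TargetObject: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections Details: DWORD (0x00000000)"},
    {"host": "ws01", "channel": "Security", "provider": "Microsoft-Windows-Eventlog", "id": 1102,
     "msg": "The audit log was cleared."},
    # ws02 shows only one behaviour, so it should stay below the alert threshold.
    {"host": "ws02", "channel": "Sysmon", "provider": "Microsoft-Windows-Sysmon", "id": 13,
     "msg": r"TargetObject: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections Details: DWORD (0x00000000)"},
]

# Paths under a user profile where a downloaded installer would typically land.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop)\\", re.I)


def indicator(ev):
    """Map one event to a named behaviour from the article, or None if it matches nothing."""
    msg = ev["msg"]
    # MSI named as in the campaign, installed from a user-writable location.
    if ev["provider"] == "MsiInstaller" and "WindowsProgram.msi" in msg and USER_WRITABLE.search(msg):
        return "msi_installer_from_user_dir"
    # Sysmon registry value set: fDenyTSConnections = 0 turns Remote Desktop on.
    if ev["id"] == 13 and "fDenyTSConnections" in msg and "0x00000000" in msg:
        return "rdp_enabled_via_registry"
    # Security log cleared (1102) or System log cleared (104).
    if (ev["channel"], ev["id"]) in {("Security", 1102), ("System", 104)}:
        return "event_log_cleared"
    return None


def correlate(events, min_indicators=2):
    """Return {host: sorted indicator names} for hosts showing at least min_indicators distinct behaviours."""
    seen = defaultdict(set)
    for ev in events:
        name = indicator(ev)
        if name:
            seen[ev["host"]].add(name)
    return {host: sorted(names) for host, names in seen.items() if len(names) >= min_indicators}


if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

Requiring two or more distinct behaviours per host keeps a lone RDP policy change from alerting on its own; a real deployment would also bound the correlation to a time window.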
The Canadian company said the artifact overlaps with a variant of the Gh0st RAT that the AhnLab Security Intelligence Center (ASEC) is tracking under the name HiddenGh0st.
“Gh0st RAT has been widely used and modified by APTs and criminal groups over the past few years,” eSentire said. “Recent findings have revealed that the threat is being spread via drive-by downloads, tricking users into downloading a malicious Chrome installer from a fraudulent website.”
“The continued success of drive-by downloads reinforces the need for ongoing security training and awareness programs.”
The disclosure comes after Broadcom-owned Symantec said it has seen an increase in phishing attacks that use large language models (LLMs) to create malicious PowerShell and HTML code that downloads multiple loaders and stealers.
Security researchers Nguyen Hoang Giang and Yi Helen Chan said the emails contained “code used to download a variety of payloads, including Rhadamanthys, NetSupport RAT, CleanUpLoader (Broomstick, Oyster), ModiLoader (DBatLoader), LokiBot and Dunihi (H-Worm).” They added: “Analysis of the scripts used to deliver the malware in these attacks suggests they were generated using LLM.”