November 30, 2023 at 04:08PM
A modified variant of the “Gh0st RAT” malware, dubbed “SugarGh0st,” has been observed targeting users in South Korea and Uzbekistan’s Ministry of Foreign Affairs. Delivered through phishing emails that carry decoy documents, the updated malware is built to evade detection and gives its operators remote access, data theft and system manipulation capabilities. First seen in March 2008, Gh0st RAT remains effective because its source code is public and easily adapted.
Key Takeaways:
1. A new variant of the “Gh0st RAT” malware, named “SugarGh0st RAT,” has been identified targeting users in South Korea and Uzbekistan’s Ministry of Foreign Affairs.
2. The “C.Rufus Security Team,” a Chinese group, is credited as the original author of Gh0st RAT, which first appeared in March 2008 and continues to be used, in various modified forms, particularly by actors in and around China.
3. SugarGh0st RAT has been active since at least late August 2023 and is distributed through crafted Windows shortcut (LNK) files that carry embedded malicious JavaScript. A decoy document is shown to the victim while the infection proceeds in the background.
4. The malware has been updated with features designed to evade antivirus detection.
5. Four SugarGh0st RAT samples have been observed, all delivered by phishing as archives containing Windows LNK shortcut files. The infection chain installs a 32-bit DLL payload while the decoy document is displayed.
6. Once installed, SugarGh0st RAT collects system information and gives the attackers full remote access, including data exfiltration, process management and deletion of Windows event logs, among other functions.
7. Its capabilities include keylogging, screenshot capture, webcam access, mouse control, native Windows operations and execution of arbitrary commands.
8. The new variant differs from its predecessors only in minor customizations, most notably changes to its command-and-control (C2) communication protocol intended to evade network-based detection.
9. Gh0st RAT’s enduring popularity is attributed to its public source code, its functionality and its ease of modification by a wide range of actors, as well as its quality as a remote access Trojan (RAT).
10. The threat persists: Gh0st RAT has been in continuous use and modification for more than a decade.
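As an added illustration of the delivery mechanism in items 3 and 5 (Windows shortcut files carrying embedded JavaScript), the following Python script was written for this page; it is not code from the original report, from Cisco Talos, or from SugarGh0st itself. It builds two constructed .lnk files, parses the Shell Link structure defined in MS-SHLLINK (header, optional LinkTargetIDList and LinkInfo, StringData, ExtraData), and flags shortcuts whose target or arguments invoke a Windows script host, or that carry a JavaScript-like blob appended after the ExtraData terminal block. The file names, command lines, script-host list and marker strings are assumptions chosen for the example, not indicators from the campaign.

```python
import struct
import sys

# Shell Link (MS-SHLLINK) constants
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
FLAG_HAS_IDLIST, FLAG_HAS_LINKINFO, FLAG_IS_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                (0x20, "arguments"), (0x40, "icon_location"))

# Triage heuristics: assumptions for this example, not campaign indicators.
SCRIPT_HOSTS = ("cscript", "wscript", "mshta", "powershell")
JS_MARKERS = (b"ActiveXObject", b"WScript.Shell", b"eval(", b"function(")


def build_lnk(relative_path, arguments, trailing=b""):
    """Construct a minimal .lnk: 76-byte header, RELATIVE_PATH and
    COMMAND_LINE_ARGUMENTS string data (UTF-16LE), an ExtraData terminal
    block, then arbitrary trailing bytes (where a dropper could be hidden)."""
    flags = 0x08 | 0x20 | FLAG_IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIH", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0)           # times, size, icon, SW_SHOWNORMAL, hotkey
    header += struct.pack("<HII", 0, 0, 0)              # Reserved1..3

    def sd(text):  # StringData: CountCharacters (u16) followed by the characters
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + sd(relative_path) + sd(arguments) + struct.pack("<I", 0) + trailing


def parse_lnk(data):
    """Walk the Shell Link structure; return (string_data dict, trailing bytes)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & FLAG_HAS_IDLIST:                         # IDListSize (u16) + item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & FLAG_HAS_LINKINFO:                       # LinkInfoSize (u32) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    for bit, name in STRING_FLAGS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & FLAG_IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            pos += count * width
            strings[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    # ExtraData: blocks prefixed by u32 BlockSize; a size < 4 is the terminal block.
    while pos + 4 <= len(data):
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 4:
            pos += 4
            break
        if pos + size > len(data):                      # malformed block: treat rest as trailing
            break
        pos += size
    return strings, data[pos:]


def triage_lnk(data):
    """Return a list of human-readable findings; empty list means nothing suspicious."""
    strings, trailing = parse_lnk(data)
    findings = []
    cmd = (strings.get("relative_path", "") + " " + strings.get("arguments", "")).lower()
    hosts = [h for h in SCRIPT_HOSTS if h in cmd]
    if hosts:
        findings.append("shortcut launches script host: " + ", ".join(hosts))
    if trailing:
        markers = [m.decode() for m in JS_MARKERS if m in trailing]
        if markers:
            findings.append(f"JavaScript markers in {len(trailing)} trailing bytes: " + ", ".join(markers))
        elif len(trailing) > 1024:
            findings.append(f"{len(trailing)} bytes of unexplained data after ExtraData")
    return findings


# Constructed samples. The "dropper" text is an inert string, never executed.
SAMPLE_BENIGN = build_lnk("..\\Documents\\report.docx", "")
SAMPLE_SUSPICIOUS = build_lnk(
    "..\\..\\Windows\\System32\\cscript.exe", "//E:jscript //B decoy_loader.js",
    b"// constructed inert marker\nvar sh = new ActiveXObject('WScript.Shell');\n")


def demo():
    return {"benign": triage_lnk(SAMPLE_BENIGN), "suspicious": triage_lnk(SAMPLE_SUSPICIOUS)}


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        print(demo())
    for p in paths:
        with open(p, "rb") as fh:
            print(p, triage_lnk(fh.read()) or ["clean"])
```

Run without arguments to see both constructed samples triaged, or pass real .lnk files extracted from a suspect archive. The script-host and marker lists are deliberately short; in practice they belong in a tunable allow/deny configuration, and a shortcut pointing at a script host with a document icon is worth escalating even when no trailing blob is found.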