July 29, 2024 at 02:18AM
The Gh0st RAT is being delivered to Chinese-speaking Windows users by the Gh0stGambit evasive dropper through a drive-by download scheme. The infection originates from a fake website masquerading as Google’s Chrome browser. The malware is capable of various malicious activities, and the distribution via drive-by downloads highlights the need for ongoing security training and awareness programs.
From the meeting notes, the key takeaways are:
– The remote access trojan Gh0st RAT is being delivered by an evasive dropper called Gh0stGambit as part of a drive-by download scheme targeting Chinese-speaking Windows users.
– The infections stem from a fake website (“chrome-web[.]com”) serving malicious installer packages masquerading as Google’s Chrome browser, indicating that users searching for the software on the web are being targeted.
– Gh0st RAT has been observed in the wild since 2008 and is primarily orchestrated by China-nexus cyberespionage groups.
– The trojan has been deployed by infiltrating poorly-secured MS SQL server instances, using it as a conduit to install the Hidden open-source rootkit.
– The targeting of Chinese-speaking users is based on the use of Chinese-language web lures and applications targeted for data theft and defense evasion by the malware.
– The Gh0st RAT is capable of various malicious activities including terminating processes, removing files, capturing audio and screenshots, keylogging, data exfiltration, and more.
– Symantec observed an increase in phishing campaigns likely leveraging Large Language Models (LLMs) to generate malicious PowerShell and HTML code used to download various payloads.
This information highlights the evolving tactics used by cyber threat actors and emphasizes the importance of ongoing security training and awareness programs to combat such threats.