Ghost RAT: An outline on the Remote Access Trojan’s high profile targets

• Gh0st RAT primarily targets government agencies, embassies, foreign ministries, and other government and military offices across Southern and Southeastern Asian countries.
• Its capabilities include keystroke logging, disabling the infected machine’s remote pointer and keyboard input, activating a system’s microphone and webcam, shutting down and rebooting the host, taking full control of the remote screen of the infected device, and more.

Gh0st RAT is a Windows-based Remote Access Trojan. The trojan’s capabilities include keystroke logging, disabling the infected machine’s remote pointer and keyboard input, downloading remote binaries on the infected remote host, providing a list of all active processes, activating a system’s microphone and webcam, shutting down and rebooting the host, and taking full control of the remote screen of the infected device.

What are its targets?

Gh0st RAT primarily targets government agencies, embassies, foreign ministries, and other government and military offices across Southern and Southeastern Asian countries, with a particular focus on the exiled Tibetan government and the Dalai Lama.

Gh0st RAT distributed via a spear phishing campaign

In June 2013, Gh0st RAT was distributed via a spear phishing campaign purporting to come from the Taiwan Bureau of National Health Insurance. The phishing emails included a malicious link, which upon clicking redirected users to a phishing page, where an official-looking RAR archive file gets downloaded. This malicious file installed and executed the Gh0st RAT.

EternalBlue exploit distribute Ghost RAT

In June 2017, attackers leveraged the EternalBlue exploit in Microsoft Server Message Block (SMB) protocol to distribute the Gh0st RAT. The Gh0st RAT sample observed in this attack was signed with a common digital certificate purporting to be from the Beijing Institute of Science and Technology Co., Ltd.

Daserf malware linked with Gh0st RAT

Tick threat group’s Daserf malware has been observed sharing its infrastructure with the backdoors Invader and Minzen, the trojans Gh0st RAT and 9002 RAT, and the downloader HomamDownloader. Furthermore, Daserf has also shared cipher code with Gh0st RAT.

Vulnerabilities found in Gh0st RAT

Security researchers detected vulnerabilities in Gh0st RAT that could allow victims to extract files from the attacker’s own server. Gh0st RAT while transferring files from the victim’s server to the attacker's server, does not validate whether the attacker requested the file in the first place. This could allow victims to deliberately upload their own file to the attacker’s infrastructure, and install a backdoor on the attacker’s server.

Operation PZChao

In February 2018, an attack campaign dubbed ‘Operation PZChao’ targeted government agencies, as well as technology, education, and telecommunications sectors in Asia and the United States. The attack campaign dropped a Bitcoin miner, two versions of Mimikatz, and a modified version of Gh0st RAT. The campaign’s final payload was the Gh0st RAT.

Updated Gh0st RAT variant

In 2019, researchers observed an updated variant of the Gh0st RAT, which is capable of downloading additional malware, cleaning event logs, file management, shell command execution, and offline keylogging. This variant has also changed its header from ‘Gh0st’ to ‘nbLGX’.

Contrast to the previous versions, this version uses encryption over the entire TCP segment in order to evade detection.