
The odd case of a Gh0stRAT variant (Malware and Vulnerabilities)

Additionally, this seems to be a lightweight version of Gh0stRAT: it has only 12 commands, compared to 73 for a full Gh0stRAT sample, and 3 of those 12 commands are undocumented. A second version of the script allows commands to be sent back to the malware, after I enumerated the exact command format for the sample. When sending commands, the sample must first log in with opcode 0x65; only then can you send commands to it. However, you have to move fast, as the sample sends an Implant_Heartbeat followed by an Implant_Login roughly every 10 seconds, and if you try to send a command while the sample is responding with either opcode, it will ignore the command. During my analysis of the sample, I was able to enumerate not only the opcode commands but also the format of the proprietary protocol, allowing me to send my own commands to the sample.

Command_Update_Server: This command passes the string "Gh0st Update" to the malware sample before running the sample again.
