A malicious Chrome installer, ChromeSetup.msi, distributed via drive-by download, delivers a novel Gh0st RAT variant, dubbed Gh0stGambit, that evasively retrieves and executes encrypted payloads.
The RAT is a modified open-source version targeting Chinese-speaking users with data theft and evasion capabilities, leveraging the long-standing Gh0st RAT, notorious for its use in cyber espionage operations, demonstrating continued threat actor interest in this versatile malware.
The MSI installer contains a legitimate Chrome installer and a malicious installer that drops a hidden loader and shellcode into the “C:Program FilesWindows Defenderr” directory, which executes the shellcode, which employs a 16-round block cipher with a counter mode to decrypt an encrypted payload.
Join our free webinar to learn about combating slow DDoS attacks, a major threat today.
The payload, identified as Gh0stGambit, is further decompressed using aPLib, and the shellcode’s structure indicates potential generation using the Donut loader, as evidenced by the decryption script.
.webp)
The Gh0stGambit Dropper Employs A Multi-Layered Evasion Technique.
It drops a batch script using a randomly generated GUID to initiate persistence and execute the main payload.
The dropper utilizes a unique registry manipulation to create a logical drive ‘L:’ and places a decoy file within the ‘Startup’ folder for post-reboot execution.
Additionally, it registers a new file extension ‘.VT’ associated with the main payload, obscuring its true nature, which aims to hinder detection and analysis by security solutions while ensuring the dropper’s continued operation.
.webp)
The dropper checks if Windows Defender is running and excludes a fake directory (“C:Program FilesWindows Defenderr”) if so. Otherwise, it creates a script to establish persistence across reboots.
This tool executes a separate script from a hidden location, creating registry entries to automatically run malicious files (“One Drive.lnk” and “Phone.exe”) at startup, and the dropper deletes temporary files used in the process to minimize forensic traces.
Gh0stGambit malware retrieves encrypted files marked by “/code32” (payload) and “/reg32” (registry tool) URLs, which are XOR-decrypted with a hardcoded 20-byte key that resets at byte offset 0x2C.
.webp)
Shellcode utilizes BKDR hashing for API function names, as it demonstrates BKDRHash calculations for the “VirtualAlloc” function, which originates from the DLLToShellCode tool, which converts DLLs to executable shellcode for memory-based execution, bypassing traditional DLL loading.
The Gh0st RAT variant is a C++-based remote access trojan with extensive capabilities, including process termination, file deletion, audio and screenshot capture, command execution, keylogging, data exfiltration, and rootkit functions.
It installs a driver to log keystrokes and executes various malicious commands to compromise systems, steal data, and establish persistent control.
The malware targets browser data, instant messaging accounts, and system settings while also manipulating user accounts and Remote Desktop Services for unauthorized access.
.webp)
Gh0st RAT is a malicious tool employing a rootkit to conceal its presence, steal sensitive data, extract domain information from the registry or use hardcoded fallback domains for command and control.
According to the eSentire Threat Response Unit, it deploys Mimikatz to harvest credentials, targets QQ users by collecting group and friend data, and utilizes a custom DLL to exfiltrate Chrome browsing data, demonstrating a focus on surveillance and credential theft.
Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo