Hackers Use Gh0st RAT to Hijack Internet Café Systems for Crypto Mining

Hackers have been targeting Internet cafés in South Korea since the second half of 2024, exploiting specialized management software to install malicious tools for cryptocurrency mining.

According to a detailed report from AhnLab SEcurity intelligence Center (ASEC), the attackers, active since 2022, are using the notorious Gh0st RAT (Remote Access Trojan) to seize control of systems, ultimately deploying the T-Rex CoinMiner to mine cryptocurrencies like Ethereum and RavenCoin.

This campaign specifically focuses on systems running Korean Internet café management programs, which are integral for tracking customer usage and calculating fees.

[Figure: Gh0st RAT attack flowchart]

Target South Korean Internet Cafés

Although the exact method of initial access remains under investigation, the scale and precision of these attacks suggest that the threat actors understand the targeted software in depth. The actors are believed to be linked to Chinese-speaking groups because of Gh0st RAT’s origins with the C. Rufus Security Team.

The attackers deploy a multi-layered arsenal of malware, starting with Gh0st RAT and its droppers, often packed with tools like Themida or MPRESS for obfuscation.

Once installed, typically in paths such as “C:map1800000.dll,” Gh0st RAT registers as a system service, enabling remote control features including file and process manipulation, keylogging, and screen capturing.

Communication with command-and-control (C&C) servers uses the signature string “Level” in place of the usual “Gh0st,” which marks this as a customized variant.
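The “Level” signature is something a network defender can look for directly. The scanner below is an added example, not code from ASEC or the article: it assumes the variant keeps the classic Gh0st framing (5-byte magic, little-endian total size, little-endian decompressed size, zlib body) and only swaps the magic, and it uses a constructed byte stream rather than real captured traffic.

```python
import struct
import zlib

# Classic Gh0st framing: 5-byte magic, uint32 LE total frame size (header
# included), uint32 LE decompressed size, zlib body. "Level" is the magic ASEC
# reports for this variant; keeping the rest of the framing is an assumption.
HEADER_LEN = 13
MAGICS = {b"Gh0st": "gh0st-classic", b"Level": "gh0st-variant-level"}

def inspect_gh0st_frame(data: bytes):
    """Describe one Gh0st-style frame; None if the magic does not match."""
    if len(data) < HEADER_LEN:
        return None
    family = MAGICS.get(data[:5])
    if family is None:
        return None
    total, orig = struct.unpack_from("<II", data, 5)
    if total != len(data):
        return {"family": family, "valid": False, "reason": "length mismatch"}
    try:
        body = zlib.decompress(data[HEADER_LEN:])
    except zlib.error:
        return {"family": family, "valid": False, "reason": "body not zlib"}
    if len(body) != orig:
        return {"family": family, "valid": False, "reason": "size mismatch"}
    # First body byte carries the command/token id in Gh0st's protocol.
    return {"family": family, "valid": True, "command": body[0] if body else None, "body_len": len(body)}

def build_frame(magic: bytes, body: bytes) -> bytes:
    """Constructed helper: wrap a body in Gh0st framing to make sample traffic."""
    comp = zlib.compress(body)
    return magic + struct.pack("<II", HEADER_LEN + len(comp), len(body)) + comp

def scan_stream(stream: bytes):
    """Walk a captured byte stream; return (offset, info) for each valid frame."""
    hits, i = [], 0
    while i + HEADER_LEN <= len(stream):
        if stream[i:i + 5] in MAGICS:
            total = struct.unpack_from("<I", stream, i + 5)[0]
            if HEADER_LEN <= total <= len(stream) - i:
                info = inspect_gh0st_frame(stream[i:i + total])
                if info and info["valid"]:
                    hits.append((i, info))
                    i += total
                    continue
        i += 1
    return hits

# Constructed sample: HTTP filler followed by one "Level" frame (fake command 0x66).
SAMPLE = b"HTTP/1.1 200 OK\r\n\r\n" + build_frame(b"Level", b"\x66" + b"A" * 32)
```

Running `scan_stream(SAMPLE)` reports the single frame at offset 19 with family `gh0st-variant-level`; a stream with a matching magic but inconsistent lengths or a non-zlib body is reported as invalid rather than as a hit.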

[Figure: Gh0st RAT embedded in the resource section]

Beyond remote access, the hackers use additional payloads like Patcher malware to manipulate the memory of management software processes, ensuring persistence through strategic file placements disguised as legitimate system files like “cmd.exe.”

Technical Breakdown of the Malware Arsenal

Downloaders facilitate the delivery of further malicious components, including the GPU-focused T-Rex CoinMiner, chosen for its efficiency on high-performance gaming PCs common in Internet cafés.

Paths such as “%ProgramFiles% (x86)Windows NTmmc.exe” are used for installation, and file names are frequently altered to evade updates from software providers.

Notably, some malware strains like KillProc are designed to terminate competing miners or security processes, further securing the attackers’ foothold.

This sophisticated orchestration highlights a primary motive of cryptocurrency mining, augmented by occasional use of tools like PhoenixMiner.

The implications of these attacks are severe for Internet café operators, who must now prioritize system security.

ASEC recommends keeping operating systems and management software updated to patch vulnerabilities, alongside ensuring security products are current to detect and block malware.

Administrators are urged to monitor for specific Indicators of Compromise (IoCs) provided by AhnLab, including file hashes, URLs, and IP addresses associated with these attacks, to swiftly identify and mitigate infections.

