Gh0st RAT Trojan Targets Chinese Windows Users via Fake Chrome Site
-
“The remote access trojan known as Gh0st RAT has been observed being delivered by an "evasive dropper" called Gh0stGambit as part of a drive-by download scheme targeting Chinese-speaking Windows users. These infections stem from a fake website ("chrome-web[.]com") serving malicious installer packages masquerading as Google's Chrome browser, indicating that users searching for the software on the web are being singled out. Gh0st RAT is a long-standing malware that has been observed in the wild since 2008, manifesting in the form of different variants over the years in campaigns primarily orchestrated by China-nexus cyberespionage groups. Some iterations of the trojan have also been previously deployed by infiltrating poorly-secured MS SQL server instances, using it as a conduit to install the Hidden open-source rootkit. According to cybersecurity firm eSentire, which discovered the latest activity, the targeting of Chinese-speaking users is based on "the use of Chinese-language web lures and Chinese applications targeted for data theft and defense evasion by the malware." The MSI installer downloaded from the phony website contains two files, a legitimate Chrome setup executable and a malicious installer ("WindowsProgram.msi"), the latter of which is used to launch shellcode that's responsible for loading Gh0stGambit. The dropper, in turn, checks for the presence of security software (e.g., 360 Safe Guard and Microsoft Defender Antivirus) before establishing contact with a command-and-control (C2) server in order to retrieve Gh0st RAT. "Gh0st RAT is written in C++ and has many features, including terminating processes, removing files, capturing audio and screenshots, remote command execution, keylogging, data exfiltration, hiding registry, files, and directories via the rootkit capabilities, and many more," eSentire said.”
อ้างอิง
https://thehackernews.com/2024/07/gh0st-rat-trojan-targets-chinese.html
