gh0st RAT
Associated Software Descriptions |
|
| Name | Description |
|---|---|
| Mydoor | (Citation: Novetta-Axiom) |
| Moudoor | (Citation: Novetta-Axiom) |
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
gh0st RAT has added a Registry Run key to establish persistence.(Citation: Nccgroup Gh0st April 2018)(Citation: Gh0stRAT ATT March 2019) |
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
gh0st RAT can create a new service to establish persistence.(Citation: Nccgroup Gh0st April 2018)(Citation: Gh0stRAT ATT March 2019) |
| Enterprise | T1132 | .001 | Data Encoding: Standard Encoding |
gh0st RAT has used Zlib to compress C2 communications data before encrypting it.(Citation: Gh0stRAT ATT March 2019) |
| Enterprise | T1568 | .001 | Dynamic Resolution: Fast Flux DNS |
gh0st RAT operators have used dynamic DNS to mask the true location of their C2 behind rapidly changing IP addresses.(Citation: Gh0stRAT ATT March 2019) |
| Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
gh0st RAT uses RC4 and XOR to encrypt C2 traffic.(Citation: Nccgroup Gh0st April 2018) |
| Enterprise | T1574 | .002 | Hijack Execution Flow: DLL Side-Loading |
A gh0st RAT variant has used DLL side-loading.(Citation: Arbor Musical Chairs Feb 2018) |
| Enterprise | T1070 | .001 | Indicator Removal: Clear Windows Event Logs |
gh0st RAT is able to wipe event logs.(Citation: FireEye Hacking Team)(Citation: Gh0stRAT ATT March 2019) |
| .004 | Indicator Removal: File Deletion |
gh0st RAT has the capability to to delete files.(Citation: FireEye Hacking Team)(Citation: Gh0stRAT ATT March 2019) |
||
| Enterprise | T1056 | .001 | Input Capture: Keylogging |
gh0st RAT has a keylogger.(Citation: Alintanahin 2014)(Citation: Gh0stRAT ATT March 2019) |
| Enterprise | T1218 | .011 | System Binary Proxy Execution: Rundll32 |
A gh0st RAT variant has used rundll32 for execution.(Citation: Arbor Musical Chairs Feb 2018) |
| Enterprise | T1569 | .002 | System Services: Service Execution |
gh0st RAT can execute its service if the Service key exists. If the key does not exist, gh0st RAT will create and run the service.(Citation: Gh0stRAT ATT March 2019) |
Groups That Use This Software |
||
| ID | Name | References |
|---|---|---|
| G0062 | TA459 |
(Citation: Proofpoint TA459 April 2017) |
|
(Citation: Cylance Dust Storm) |
||
| G0096 | APT41 |
(Citation: FireEye APT41 Aug 2019) |
| G0011 | PittyTiger |
(Citation: Bizeul 2014) (Citation: Villeneuve 2014) |
| G0001 | Axiom |
(Citation: Cisco Group 72) (Citation: Novetta-Axiom) |
| G0027 | Threat Group-3390 |
(Citation: Secureworks BRONZEUNION Feb 2019) |
| G0065 | Leviathan |
(Citation: CISA AA21-200A APT40 July 2021) |
| G0026 | APT18 |
(Citation: RSA2017 Detect and Respond Adair) |
| G0126 | Higaisa |
(Citation: Malwarebytes Higaisa 2020) |
| G0138 | Andariel |
(Citation: AhnLab Andariel Subgroup of Lazarus June 2018) |
References
- FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016.
- Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
- Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.
- Sabo, S. (2018, February 15). Musical Chairs Playing Tetris. Retrieved February 19, 2018.
- CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
- Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.
- Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
- AhnLab. (2018, June 23). Targeted attacks by Andariel Threat Group, a subgroup of the Lazarus. Retrieved September 29, 2021.
- Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
- Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.
- Counter Threat Unit Research Team. (2019, February 27). A Peek into BRONZE UNION’s Toolbox. Retrieved September 24, 2019.
- Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
- Adair, S. (2017, February 17). Detecting and Responding to Advanced Threats within Exchange Environments. Retrieved March 20, 2017.
- Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Pernet, C. (2014, July 11). Eye of the Tiger. Retrieved September 29, 2015.
- Villeneuve, N., Homan, J. (2014, July 31). Spy of the Tiger. Retrieved September 29, 2015.
- Alintanahin, K. (2014, March 13). Kunming Attack Leads to Gh0st RAT Variant. Retrieved November 12, 2014.
- Esler, J., Lee, M., and Williams, C. (2014, October 14). Threat Spotlight: Group 72. Retrieved January 14, 2016.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.