
gh0st RAT

gh0st RAT is a remote access tool (RAT). The source code is public and it has been used by multiple groups.(Citation: FireEye Hacking Team)(Citation: Arbor Musical Chairs Feb 2018)(Citation: Nccgroup Gh0st April 2018)
ID: S0032
Associated Software: Mydoor, Moudoor
Type: MALWARE
Platforms: Windows
Version: 3.3
Created: 31 May 2017
Last Modified: 07 May 2024

Associated Software Descriptions

Name Description
Mydoor (Citation: Novetta-Axiom)
Moudoor (Citation: Novetta-Axiom)

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

gh0st RAT has added a Registry Run key to establish persistence.(Citation: Nccgroup Gh0st April 2018)(Citation: Gh0stRAT ATT March 2019)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

gh0st RAT can create a new service to establish persistence.(Citation: Nccgroup Gh0st April 2018)(Citation: Gh0stRAT ATT March 2019)

Enterprise T1132 .001 Data Encoding: Standard Encoding

gh0st RAT has used Zlib to compress C2 communications data before encrypting it.(Citation: Gh0stRAT ATT March 2019)

Enterprise T1568 .001 Dynamic Resolution: Fast Flux DNS

gh0st RAT operators have used dynamic DNS to mask the true location of their C2 behind rapidly changing IP addresses.(Citation: Gh0stRAT ATT March 2019)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

gh0st RAT uses RC4 and XOR to encrypt C2 traffic.(Citation: Nccgroup Gh0st April 2018)
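The two C2 entries above (Zlib compression of the data before encryption, and RC4 plus XOR on the channel) are easier to reason about with a decoder in hand. The Python below is an added example written for this page, not code from gh0st or from any of the cited reports. The 13-byte clear-text header layout (the 5-byte marker `Gh0st`, the total frame length and the uncompressed length as little-endian 32-bit integers) follows the public gh0st source; the RC4 key, the single-byte XOR key and the order in which the two layers are applied are assumptions, and a real sample's values have to be recovered from the binary.

```python
"""Build and decode a gh0st-style C2 frame: zlib -> header -> RC4 -> XOR on the way out,
and the reverse on the way in. Keys and layer order are assumptions for illustration."""
import struct
import zlib

MAGIC = b"Gh0st"      # 5-byte marker from the public gh0st source
HEADER_LEN = 13       # marker (5) + total frame length (4) + uncompressed length (4)

RC4_KEY = b"example-rc4-key"   # assumed; not a key from any real sample
XOR_KEY = 0x5A                 # assumed single-byte XOR key


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so one function both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR over the whole buffer; its own inverse."""
    return bytes(b ^ key for b in data)


def build_frame(payload: bytes) -> bytes:
    """Compress the payload, prepend the header, then RC4 and XOR the whole frame."""
    compressed = zlib.compress(payload)
    header = MAGIC + struct.pack("<II", HEADER_LEN + len(compressed), len(payload))
    return xor_bytes(rc4(RC4_KEY, header + compressed), XOR_KEY)


def parse_frame(frame: bytes) -> bytes:
    """Undo XOR and RC4, validate the header, inflate and cross-check the lengths."""
    plain = rc4(RC4_KEY, xor_bytes(frame, XOR_KEY))
    if len(plain) < HEADER_LEN or plain[:5] != MAGIC:
        raise ValueError("not a gh0st frame (bad marker or truncated header)")
    total_len, orig_len = struct.unpack("<II", plain[5:HEADER_LEN])
    if total_len != len(plain):
        raise ValueError(f"length field {total_len} != frame length {len(plain)}")
    payload = zlib.decompress(plain[HEADER_LEN:])
    if len(payload) != orig_len:
        raise ValueError(f"inflated {len(payload)} bytes, header claims {orig_len}")
    return payload


if __name__ == "__main__":
    # Constructed beacon body: a one-byte command followed by a NUL-terminated path.
    sample = b"\x66" + b"C:\\Users\\victim\\Desktop\\report.docx\x00"
    wire = build_frame(sample)
    print(f"{len(sample)}-byte payload -> {len(wire)}-byte frame; marker on wire: {wire[:5] == MAGIC}")
    print("round trip ok:", parse_frame(wire) == sample)
```

To use this against captured traffic, reassemble the TCP stream, feed each frame to `parse_frame`, and expect the marker check to fail until the sample's actual keys and layer order are plugged in; the length cross-checks are what tell you a guessed key is wrong rather than the stream being truncated.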

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

A gh0st RAT variant has used DLL side-loading.(Citation: Arbor Musical Chairs Feb 2018)

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

gh0st RAT is able to wipe event logs.(Citation: FireEye Hacking Team)(Citation: Gh0stRAT ATT March 2019)

Enterprise T1070 .004 Indicator Removal: File Deletion

gh0st RAT has the capability to delete files.(Citation: FireEye Hacking Team)(Citation: Gh0stRAT ATT March 2019)

Enterprise T1056 .001 Input Capture: Keylogging

gh0st RAT has a keylogger.(Citation: Alintanahin 2014)(Citation: Gh0stRAT ATT March 2019)

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

A gh0st RAT variant has used rundll32 for execution.(Citation: Arbor Musical Chairs Feb 2018)

Enterprise T1569 .002 System Services: Service Execution

gh0st RAT can execute its service if the Service key exists. If the key does not exist, gh0st RAT will create and run the service.(Citation: Gh0stRAT ATT March 2019)
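Several entries in the table above map directly to Windows log sources a SOC already collects: the Run key write (T1547.001), the service install that may invoke rundll32 (T1543.003, T1569.002, T1218.011) and the wiped event logs (T1070.001). The Python below is an added example, not code from the page's sources; it runs simple rules over a constructed list of event records whose field names (`channel`, `event_id`, `target_object`, `details`, `image_path`, `subject_user`) are assumptions standing in for the Sysmon and Windows System/Security fields a SIEM export would carry. The event IDs are real: Sysmon 13 (registry value set), System 7045 (new service installed), Security 1102 and System 104 (event log cleared).

```python
"""Flag gh0st RAT persistence, execution and anti-forensics behaviours in Windows event records.
Field names and the sample events are constructed for this example."""
import re

# Constructed sample events, loosely shaped like Sysmon and System/Security log exports.
SAMPLE_EVENTS = [
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 13,
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost",
     "details": r"C:\ProgramData\svchost.exe"},
    {"channel": "System", "event_id": 7045, "service_name": "NetSvcs Helper",
     "image_path": r"rundll32.exe C:\Windows\Temp\svc.dll,Install"},
    {"channel": "Security", "event_id": 1102, "subject_user": r"victim\jdoe"},
    {"channel": "System", "event_id": 7045, "service_name": "Vendor Updater",
     "image_path": r"C:\Program Files\Vendor\updater.exe"},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 13,
     "target_object": r"HKCU\Software\Classes\Local Settings\MuiCache", "details": "x"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
RUNDLL32 = re.compile(r"(^|[\\\s\"])rundll32(\.exe)?\b", re.IGNORECASE)
# Locations a service binary or Run-key target normally has no business living in.
SUSPECT_PATH = re.compile(r"^[A-Z]:\\(ProgramData|Users|Windows\\Temp)\\", re.IGNORECASE)
LOG_CLEARED = {("Security", 1102), ("System", 104)}


def classify(event):
    """Return a list of findings ({technique, severity, reason}) for one event; [] if benign."""
    findings = []
    chan, eid = event.get("channel", ""), event.get("event_id")

    # T1547.001: a value written under a Run/RunOnce key.
    if chan.endswith("Sysmon/Operational") and eid == 13 and RUN_KEY.search(event.get("target_object", "")):
        value = event.get("details", "")
        sev = "high" if SUSPECT_PATH.match(value) else "medium"
        findings.append({"technique": "T1547.001", "severity": sev,
                         "reason": f"Run key write {event['target_object']} -> {value}"})

    # T1543.003 / T1569.002: a new service; T1218.011 if its ImagePath goes through rundll32.
    if chan == "System" and eid == 7045:
        path = event.get("image_path", "")
        proxied = bool(RUNDLL32.search(path))
        sev = "high" if proxied or SUSPECT_PATH.match(path) else "low"
        findings.append({"technique": "T1543.003", "severity": sev,
                         "reason": f"service '{event.get('service_name')}' installed, ImagePath {path}"})
        if proxied:
            findings.append({"technique": "T1218.011", "severity": "high",
                             "reason": f"service ImagePath loads a DLL via rundll32: {path}"})

    # T1070.001: the log itself reports that it was cleared.
    if (chan, eid) in LOG_CLEARED:
        findings.append({"technique": "T1070.001", "severity": "high",
                         "reason": f"{chan} event log cleared by {event.get('subject_user', 'unknown')}"})
    return findings


def hunt(events):
    """Run classify() over a batch of events and flatten the findings."""
    return [f for ev in events for f in classify(ev)]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']:<6}] {f['technique']}  {f['reason']}")
```

The low-severity service finding is kept deliberately: a 7045 for a binary under Program Files is noise on its own, but a 1102 from the same host minutes later turns the pair into an incident, and that correlation is only possible if the benign-looking install was recorded.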

Groups That Use This Software

ID Name References
G0062 TA459 (Citation: Proofpoint TA459 April 2017) (Citation: Cylance Dust Storm)
G0096 APT41 (Citation: FireEye APT41 Aug 2019)
G0011 PittyTiger (Citation: Bizeul 2014) (Citation: Villeneuve 2014)
G0001 Axiom (Citation: Cisco Group 72) (Citation: Novetta-Axiom)
G0027 Threat Group-3390 (Citation: Secureworks BRONZEUNION Feb 2019)
G0094 Kimsuky (Citation: Mandiant APT43 March 2024)
G0065 Leviathan (Citation: CISA AA21-200A APT40 July 2021)
G0026 APT18 (Citation: RSA2017 Detect and Respond Adair)
G0126 Higaisa (Citation: Malwarebytes Higaisa 2020)
G0138 Andariel (Citation: AhnLab Andariel Subgroup of Lazarus June 2018)
G1023 APT5 (Citation: Secureworks BRONZE FLEETWOOD Profile)

References

  1. FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016.
  2. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  3. Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.
  4. Sabo, S. (2018, February 15). Musical Chairs Playing Tetris. Retrieved February 19, 2018.
  5. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
  6. Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.
  7. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  8. Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
  9. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Pernet, C. (2014, July 11). Eye of the Tiger. Retrieved September 29, 2015.
  10. Villeneuve, N., Homan, J. (2014, July 31). Spy of the Tiger. Retrieved September 29, 2015.
  11. Esler, J., Lee, M., and Williams, C. (2014, October 14). Threat Spotlight: Group 72. Retrieved January 14, 2016.
  12. Counter Threat Unit Research Team. (2019, February 27). A Peek into BRONZE UNION’s Toolbox. Retrieved September 24, 2019.
  13. Mandiant. (2024, March 14). APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations. Retrieved May 3, 2024.
  14. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
  15. Adair, S. (2017, February 17). Detecting and Responding to Advanced Threats within Exchange Environments. Retrieved March 20, 2017.
  16. Alintanahin, K. (2014, March 13). Kunming Attack Leads to Gh0st RAT Variant. Retrieved November 12, 2014.
  17. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.
  18. AhnLab. (2018, June 23). Targeted attacks by Andariel Threat Group, a subgroup of the Lazarus. Retrieved September 29, 2021.
  19. Secureworks CTU. (n.d.). BRONZE FLEETWOOD. Retrieved February 5, 2024.
