Gh0st

Malware Profile Updated 2 months ago
Gh0st is a form of malware, or malicious software, that has been used in a variety of cyber attacks to exploit and damage computer systems. Notably, it was used in Operation Diplomatic Specter, in which both a Gh0st RAT (Remote Access Trojan) sample and the Specter malware family were deployed. The malware deployed in that campaign carries a modified Gh0st backdoor as its payload, giving the operators unauthorized access to the infected system.

Variants of Gh0st RAT, including Win32/Farfli.BUR and Win32/Farfli.CUO, were found in the second Windows cluster during the operation. These variants, identified by their unique hashes, differ from the standard Gh0st RAT in several ways, including the absence of the "Gh0st" header, which is instead randomized from a seed value obtained from GetTickCount.

Gh0st RAT also shares code similarities with other malware strains, such as TunnelSpecter and SugarGh0st RAT. The latter emerged in November 2023 and was observed by Talos researchers targeting governments in Asia. While no clear similarity was found between TunnelSpecter and Gh0st RAT, one was identified with another backdoor discovered during the attacks, SweetSpecter. SweetSpecter uses Gh0st RAT's known TCP communication scheme, sending a zlib-compressed TCP packet to the command and control server.

Operation Diplomatic Specter highlighted the use of customized Gh0st RAT samples. One example was a large file named Tpwinprn.dll, the first Gh0st RAT binary encountered during the attacks. Interestingly, the same file name was also observed in the Gh0st RAT variant used in an earlier campaign, Operation Iron Tiger, in 2015. This demonstrates the enduring nature of Gh0st RAT, which remains a significant threat because of its adaptability and its operators' ability to customize it for specific attacks.
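As an added illustration (not from this profile or from any of the cited reports), the Python below carves frames out of a captured Gh0st RAT TCP stream. It assumes the commonly documented frame layout of a 5-byte magic, two little-endian uint32 lengths and a zlib body, and goes slightly beyond the text by also recovering frames whose magic has been replaced, which is how the Farfli variants above differ from standard Gh0st; the opcode bytes in the sample stream are constructed, not real Gh0st command ids.

```python
import struct
import zlib

# Assumed (commonly documented) Gh0st RAT frame layout: 5-byte magic,
# uint32 LE total frame length, uint32 LE decompressed length, zlib body.
HEADER_LEN = 13
STANDARD_MAGIC = b"Gh0st"


def build_frame(payload: bytes, magic: bytes = STANDARD_MAGIC) -> bytes:
    """Construct a frame; used here only to make sample traffic."""
    body = zlib.compress(payload)
    return magic + struct.pack("<II", HEADER_LEN + len(body), len(payload)) + body


def parse_frame(buf: bytes):
    """Parse one frame at the start of buf; returns (record, bytes consumed).

    The magic is reported but not required, so a frame whose "Gh0st" header
    was randomized is still recovered as long as the zlib body decompresses
    to the advertised length. Returns (None, 0) when no valid frame is found.
    """
    if len(buf) < HEADER_LEN:
        return None, 0
    magic = bytes(buf[:5])
    total_len, plain_len = struct.unpack_from("<II", buf, 5)
    if total_len < HEADER_LEN or total_len > len(buf):
        return None, 0
    try:
        plain = zlib.decompress(buf[HEADER_LEN:total_len])
    except zlib.error:
        return None, 0
    if len(plain) != plain_len:
        return None, 0
    return {"magic": magic, "standard_header": magic == STANDARD_MAGIC,
            "payload": plain}, total_len


def carve_stream(stream: bytes) -> list:
    """Walk a captured TCP stream and carve every consecutive frame."""
    frames, pos = [], 0
    while pos < len(stream):
        rec, used = parse_frame(stream[pos:])
        if rec is None:
            break
        frames.append(rec)
        pos += used
    return frames


# Constructed sample: a standard frame followed by one with a replaced magic.
SAMPLE_STREAM = build_frame(b"\x65" + b"VICTIM-PC\x00") + \
    build_frame(b"\x01" + b"C:\\Windows\\system32\x00", magic=b"\x11\x22\x33\x44\x55")
```

Frames flagged with `standard_header` false are the ones a signature keyed on the literal "Gh0st" magic would miss.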
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
gh0st RAT | 5 | Gh0st RAT is a notorious malware that was originally developed by the C. Rufus Security Team in China and has been widely used for cyber espionage since its code leaked in 2008. This malicious software can infiltrate systems through suspicious downloads, emails, or websites, often without the user's
Sugargh0st | 3 | SugarGh0st is a malicious software (malware) variant first identified by Cisco Talos in November of the previous year. The malware, believed to be connected to China, has been deployed in cyberespionage campaigns primarily targeting the Ministry of Foreign Affairs in Uzbekistan and users in South Ko
Sugargh0st Rat | 1 | SugarGh0st RAT is a relatively new variant of the Gh0st RAT malware, first identified by researchers at Cisco Talos in November 2023. This Remote Access Trojan (RAT) has been used to carry out cyberespionage and surveillance campaigns against various targets, including government officials in Uzbeki
Bh_a006 | 1 | BH_A006 is a sophisticated malware, named after the string constantly found in PDB paths and internal names of DLL libraries associated with the backdoor. This malware is part of the BH_A006 family of backdoor samples, which has been found to use an obfuscated unknown protector at one of its stages.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Windows
RAT
Backdoor
Trojan
APT
Encryption
Beacon
Decoy
Sandbox
Payload
Associated Malware
ID | Type | Votes | Profile Description
win32/farfli.bur Gh0st Rat | Unspecified | 2 | None
win32/farfli.cuo Gh0st Rat | Unspecified | 2 | The Win32/Farfli.CUO Gh0st RAT is a significant vulnerability that poses a threat to the security of Windows systems. It represents a flaw in software, design, or implementation that allows unauthorized access and control over affected systems. This variant of the Gh0st RAT (Remote Access Trojan) ha
win32/farfli.blh Gh0st Rat | Unspecified | 2 | None
Cfd900b77494574a01ea8270194f00e573e80f94 | Unspecified | 2 | None
5e4021ae96d4b28dd27382e3520e8333288d7095 | Unspecified | 2 | None
A51a0bcce028966c4fcbb1581303980cf10669e0 | Unspecified | 2 | None
PlugX | Unspecified | 1 | PlugX is a notorious malware, typically associated with Chinese threat actors, that has been used in various cyberattacks. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. It
ZLib | Unspecified | 1 | Zlib is a known malware, a harmful program designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can cause significant damage, including stealing personal information, disrupting opera
Associated Threat Actors
ID | Type | Votes | Profile Description
Iron Tiger | Unspecified | 1 | Iron Tiger, also known as Iron Taurus or APT27, is a threat actor group known for executing malicious actions with the intent of espionage. The group became prominent after its involvement in Operation Iron Tiger, which was reported in 2015. This operation was a series of Chinese cyber-espionage att
Associated Vulnerabilities
Source Document References
Information about the Gh0st Malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
Unit42 | 2 months ago | Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia
Checkpoint | 8 months ago | 4th December – Threat Intelligence Report - Check Point Research
CERT-EU | 8 months ago | Suspected China-based hackers target Uzbekistan gov’t, South Koreans, Cisco says | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
DARKReading | 8 months ago | A New, Spookier Gh0st RAT Malware Haunts Global Cyber Targets
CERT-EU | a year ago | Space Pirates: analyzing the tools and connections of a new hacker group
MITRE | a year ago | BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat
MITRE | a year ago | COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group
CERT-EU | a year ago | Not‑so‑private messaging: Trojanized WhatsApp and Telegram apps go after cryptocurrency wallets | WeLiveSecurity
MITRE | a year ago | New LNK attack tied to Higaisa APT discovered | Malwarebytes Labs
ESET | a year ago | Not‑so‑private messaging: Trojanized WhatsApp and Telegram apps go after cryptocurrency wallets | WeLiveSecurity
MITRE | a year ago | Decoding network data from a Gh0st RAT variant
MITRE | a year ago | Musical Chairs Playing Tetris | NETSCOUT