Gh0st

Malware updated 6 months ago (2024-05-23T15:17:44.618Z)

Download STIX

Preview STIX

Gh0st is a form of malware, or malicious software, that has been used in a variety of cyber attacks to exploit and damage computer systems. Notably, it was used in Operation Diplomatic Specter, where the Gh0st RAT (Remote Access Trojan) sample and Specter malware family were deployed. The malware contains a modified Gh0st backdoor as a payload, allowing unauthorized access to the infected system. Variants of Gh0st RAT, including Win32/Farfli.BUR and Win32/Farfli.CUO, were found in the second Windows cluster during the operation. These variants, identified by their unique hashes, differed from the standard Gh0st RAT in several ways, including the absence of the "Gh0st" header, which was randomized based on a seed value received from GetTickCount. The Gh0st RAT malware also shares code similarities with other malware strains, such as TunnelSpecter and SugarGh0st RAT. The latter emerged in November 2023 and was observed by Talos researchers targeting governments in Asia. While no clear similarity was found between TunnelSpecter and Gh0st RAT, a shared similarity was identified with another backdoor discovered during the attacks, SweetSpecter. This malware utilizes Gh0st RAT's known TCP communication scheme, sending a zlib compressed TCP packet to the command and control server. Operation Diplomatic Specter highlighted the use of customized Gh0st RAT samples in its attacks. One such example was a large file named Tpwinprn.dll, which was the first Gh0st RAT binary encountered during the attacks. Interestingly, this string was also observed in the Gh0st RAT variant used in an earlier campaign, Operation Iron Tiger, back in 2015. This demonstrates the enduring nature of the Gh0st RAT malware, which continues to be a significant threat due to its adaptability and the ability of its operators to customize it for specific attacks.

Description last updated: 2024-05-23T15:16:48.437Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
gh0st RAT is a possible alias for Gh0st. Gh0st RAT is a malicious software (malware) that has been in use for over 15 years. It is an open-source remote access tool known for exploiting vulnerabilities in systems, most notably the PHP flaw which it targeted within 24 hours of disclosure. This malware was observed as part of Operation Diplo	5
Sugargh0st is a possible alias for Gh0st. SugarGh0st is a malicious software (malware) variant first identified by Cisco Talos in November of the previous year. The malware, believed to be connected to China, has been deployed in cyberespionage campaigns primarily targeting the Ministry of Foreign Affairs in Uzbekistan and users in South Ko	3

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Windows

Rat

Backdoor

Trojan

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The malware win32/farfli.blh Gh0st Rat is associated with Gh0st.	Unspecified	2
The malware Cfd900b77494574a01ea8270194f00e573e80f94 is associated with Gh0st.	Unspecified	2
The malware 5e4021ae96d4b28dd27382e3520e8333288d7095 is associated with Gh0st.	Unspecified	2
The malware A51a0bcce028966c4fcbb1581303980cf10669e0 is associated with Gh0st.	Unspecified	2
The malware win32/farfli.bur Gh0st Rat is associated with Gh0st.	Unspecified	2
The win32/farfli.cuo Gh0st Rat Malware is associated with Gh0st. The Win32/Farfli.CUO Gh0st RAT is a significant vulnerability that poses a threat to the security of Windows systems. It represents a flaw in software, design, or implementation that allows unauthorized access and control over affected systems. This variant of the Gh0st RAT (Remote Access Trojan) ha	Unspecified	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The vulnerability A51a0bcce028966c4fcbb1581303980cf10669e0 templatex.txt win32/farfli.cuo Gh0st Rat is associated with Gh0st.	Unspecified	2

Source Document References

Information about the Gh0st Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Unit42	6 months ago	Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia
Checkpoint	a year ago	4th December – Threat Intelligence Report - Check Point Research
CERT-EU	a year ago	Suspected China-based hackers target Uzbekistan gov’t, South Koreans, Cisco says \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
DARKReading	a year ago	A New, Spookier Gh0st RAT Malware Haunts Global Cyber Targets
CERT-EU	2 years ago	Space Pirates: analyzing the tools and connections of a new hacker group
MITRE	2 years ago	BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat
MITRE	2 years ago	COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group
CERT-EU	2 years ago	Not‑so‑private messaging: Trojanized WhatsApp and Telegram apps go after cryptocurrency wallets \| WeLiveSecurity
MITRE	2 years ago	New LNK attack tied to Higaisa APT discovered \| Malwarebytes Labs
ESET	2 years ago	Not‑so‑private messaging: Trojanized WhatsApp and Telegram apps go after cryptocurrency wallets \| WeLiveSecurity
MITRE	2 years ago	Decoding network data from a Gh0st RAT variant
MITRE	2 years ago	Musical Chairs Playing Tetris \| NETSCOUT