Gh0st

Malware Profile, updated 7 days ago
Gh0st is a malware family, best known through the Gh0st RAT (Remote Access Trojan), that has been used in a variety of cyber attacks to gain unauthorized access to and damage computer systems. Notably, it was used in Operation Diplomatic Specter, where a Gh0st RAT sample and the Specter malware family were deployed; the malware carries a modified Gh0st backdoor as its payload, giving the operator unauthorized access to the infected system.

Two Gh0st RAT variants, Win32/Farfli.BUR and Win32/Farfli.CUO, were found in the second Windows cluster during the operation. These variants, identified by their unique hashes, differ from the standard Gh0st RAT in several ways, including the absence of the fixed "Gh0st" packet header, which is instead randomized from a seed value obtained via GetTickCount.

Gh0st RAT also shares code with other malware strains, such as TunnelSpecter and SugarGh0st RAT. The latter emerged in November 2023 and was observed by Talos researchers targeting governments in Asia. While no clear similarity was found between TunnelSpecter and Gh0st RAT, a similarity was identified with another backdoor discovered during the attacks, SweetSpecter, which uses Gh0st RAT's known TCP communication scheme: it sends a zlib-compressed TCP packet to the command and control server.

Operation Diplomatic Specter highlighted the use of customized Gh0st RAT samples. One example was a large file named Tpwinprn.dll, the first Gh0st RAT binary encountered during the attacks; the same string was also observed in the Gh0st RAT variant used in an earlier campaign, Operation Iron Tiger, in 2015. This demonstrates the longevity of Gh0st RAT, which remains a significant threat because of its adaptability and its operators' ability to customize it for specific attacks.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID (votes): profile description

gh0st RAT (5 votes): Gh0st RAT is a malicious software (malware) designed to exploit and damage computer systems. It is capable of infiltrating systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or hold data for ra

Sugargh0st (3 votes): SugarGh0st is a potent malware strain that was first detected by Cisco Talos in November of the previous year. This malicious software, believed to be linked to Chinese hackers, has been used for cyberespionage campaigns against various entities worldwide. The malware has been particularly active si
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Windows
Rat
Backdoor
Trojan
Associated Malware
ID (type, votes): profile description

win32/farfli.blh Gh0st Rat (Unspecified, 2 votes): none
Cfd900b77494574a01ea8270194f00e573e80f94 (Unspecified, 2 votes): none
5e4021ae96d4b28dd27382e3520e8333288d7095 (Unspecified, 2 votes): none
A51a0bcce028966c4fcbb1581303980cf10669e0 (Unspecified, 2 votes): none
win32/farfli.bur Gh0st Rat (Unspecified, 2 votes): none
win32/farfli.cuo Gh0st Rat (Unspecified, 2 votes): The Win32/Farfli.CUO Gh0st RAT is a significant vulnerability that poses a threat to the security of Windows systems. It represents a flaw in software, design, or implementation that allows unauthorized access and control over affected systems. This variant of the Gh0st RAT (Remote Access Trojan) ha
Associated Threat Actors
ID (type, votes): profile description

No associations to display
Associated Vulnerabilities
Source Document References
Information about the Gh0st malware was read from the document corpus below. This display is limited to 20 results.

Source, created at: title

MITRE, a year ago: Musical Chairs Playing Tetris | NETSCOUT
Unit42, 7 days ago: Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia
MITRE, a year ago: Decoding network data from a Gh0st RAT variant
CERT-EU, a year ago: Not-so-private messaging: Trojanized WhatsApp and Telegram apps go after cryptocurrency wallets | WeLiveSecurity
ESET, a year ago: Not-so-private messaging: Trojanized WhatsApp and Telegram apps go after cryptocurrency wallets | WeLiveSecurity
DARKReading, 6 months ago: A New, Spookier Gh0st RAT Malware Haunts Global Cyber Targets
CERT-EU, 6 months ago: Suspected China-based hackers target Uzbekistan gov't, South Koreans, Cisco says | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU, a year ago: Space Pirates: analyzing the tools and connections of a new hacker group
MITRE, a year ago: COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group
MITRE, a year ago: BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat
MITRE, a year ago: New LNK attack tied to Higaisa APT discovered | Malwarebytes Labs
Checkpoint, 6 months ago: 4th December – Threat Intelligence Report - Check Point Research