Ghost419

Malware updated 4 months ago (2024-05-05T03:17:55.622Z)
Ghost419 is malware that first emerged in the wild on December 18, 2017. It is one of several implants, along with Gold Dragon, Brave Prince, and Running Rat, that were named after phrases found within their code. These implants appeared in December 2017 and demonstrate a much broader campaign than previously known. Ghost419 is particularly noteworthy as a Korean-language implant and for its traceability to an earlier version, created on July 29, 2017, that lacks the hardcoded identifier.

Ghost419 shares significant similarities with the Gold Dragon and Brave Prince implants, indicating that it was based on these predecessors. Shared elements and code, especially for system reconnaissance functions, are evident across these malware variants. The string "WebKitFormBoundarywhpFxMBe19cSjFnG", part of the upload mechanism, also appears in the Gold Dragon variants from late December 2017, further highlighting the interconnected nature of these malicious programs. The string "Ghost419" has been found hardcoded in the malware binary, suggesting that it is deeply embedded within the system it infects. Its user agent string, another unique identifier, has also been noted. The most recent sample of Ghost419 was discovered just two days before the spear phishing email incident related to the Olympics, implying that this malware may be used in conjunction with other cyber threats to exploit and damage computer systems.
Description last updated: 2024-05-05T02:22:05.484Z
Aliases
We are not currently tracking any aliases.
Source Document References
Information about the Ghost419 Malware was read from the documents corpus below.
Source: MITRE
Created: 2 years ago
Title: Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims' Systems