gh0st

What is gh0st?

"GH0ST RAT is a backdoor derived from public source code. It may also be detected as Backdoor.APT.Gh0stRat. The compiled source code provides attackers with many ways to control a victim’s system, including the ability to create, manipulate, delete, launch, or transfer files; perform screen or audio capture; enable a webcam; list or kill processes; open a command shell; and wipe event logs. However, since the source code is public, threat groups may tailor the code by removing or adding functionality." [1]

Aliases

Associated Individuals

  • APT3
  • APT18
  • PittyTiger
  • TA459

Notable Attacks

Gh0st malware was used in recent EternalBlue attacks, as documented by FireEye in June of 2017. [2]

Tactics

Observed calling out to the command-and-control address 223.25.233.248.

Targets

References

[1] - https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html

[2] - https://www.fireeye.com/blog/threat-research/2017/05/threat-actors-leverage-eternalblue-exploit-to-deliver-non-wannacry-payloads.html

[3] - https://www.fireeye.com/blog/threat-research/2012/11/backdoor-addnew-darkddoser-and-gh0st-a-match-made-in-heaven.html

[4] - https://www.scmagazine.com/home/security-news/researchers-demo-how-machine-learning-can-be-used-to-track-gh0st-rat-variants/

[5] - https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/april/decoding-network-data-from-a-gh0st-rat-variant/

[6] - https://www.sans.org/reading-room/whitepapers/detection/paper/37032

[7] - https://attack.mitre.org/software/S0032/
