| Field | Value |
| --- | --- |
| Name | Gh0st |
| Additional Names | 7hero, Adobe, B1X6Z, BEiLa, BeiJi, ByShe, FKJP3, FLYNN |
| Type of Malware | RAT |
| Location – Country of Origin | China: the Gh0st Remote Administration Tool was created by a Chinese hacking group named C. Rufus Security Team |
| Date of Initial Activity | 2011 |
| Associated Groups | Axiom, Threat Group-3390, APT41, Leviathan, Higaisa, TA459, PittyTiger, Andariel, APT18 |
| Motivation | Surveillance and espionage, as well as intellectual property theft against healthcare and technology companies. However, since Gh0st RAT's source code is publicly available, it remains plausible that any threat actor could download and modify the code for their own needs. |
| Attack Vectors | Phishing campaigns |
| Targeted Systems | Windows, macOS |
Overview
Gh0st is a RAT used to control infected endpoints. It is dropped by other malware to create a backdoor that gives an attacker full control of the infected device.
Targets
Governments, embassies, economic targets, and media.
Tools / Techniques Used
Gh0st RAT can:
- Take full control of the remote screen of the infected bot.
- Provide real-time as well as offline keystroke logging.
- Provide a live feed from the infected host's webcam and microphone.
- Download remote binaries onto the infected host.
- Remotely shut down and reboot the host.
- Disable the infected computer's mouse pointer and keyboard input.
- Open a shell on the infected host with full control.
- Provide a list of all active processes.
- Clear all existing hooks from the SSDT (System Service Descriptor Table).
Impact / Significant Attacks
Operation Dust Storm. Another notable breach was the operation known as "GhostNet" in 2009, a large-scale cyber-attack that used Gh0st RAT to conduct surveillance and espionage. The breach impacted the Dalai Lama's Tibetan exile centers in multiple countries.
Indicators of Compromise (IoCs)
MD5 Hashes
77bd9926a4b41c14259e20c1f90e22aa