| Ghostr | |
| --- | --- |
| Location | China |
| Date of initial activity | 2017 |
| Suspected attribution | Cybercriminal |
| Government affiliation | No |
| Associated groups | APT10 (MenuPass, POTASSIUM, Stone Panda, Red Apollo, and CVNX) |
| Motivation | Financial gain |
| Associated tools | Poison Ivy, PlugX |
Overview
GHOSTR is a sophisticated and financially motivated cyber threat actor believed to have strong ties with China. The group’s activities have garnered significant attention due to their advanced tactics and high-profile targets. GHOSTR’s operations are marked by a combination of stealth, precision, and persistence, reflecting their expertise in executing large-scale cyberattacks. Their focus on extracting sensitive and valuable information underscores their primary objective: financial gain and strategic advantage.
Active on various underground platforms, including Breachforums.is, GHOSTR has made headlines by leaking substantial amounts of stolen data. One of their most notable breaches involved a confidential database from World-Check, which contained 5.3 million records. In another significant incident, GHOSTR leaked approximately 186GB of data from a stock trading platform. These breaches highlight the group’s capability to compromise and exfiltrate large volumes of sensitive information, making them a formidable player in the cybercriminal landscape.
GHOSTR’s activities have extended to targeting individuals and organizations across multiple sectors. Their operations are characterized by a detailed and methodical approach to data theft, often relying on advanced techniques and tools. By focusing on sectors that handle substantial amounts of sensitive data, such as financial services and trading platforms, GHOSTR positions itself as a major threat to data security and privacy on a global scale.
Common targets
Government, military and economic sectors
Attack Vectors
Social Engineering, Phishing, Malicious Downloads
How they operate
The operation begins with initial access, where GHOSTR uses spear-phishing campaigns and exploits zero-day vulnerabilities to gain entry into targeted networks. These spear-phishing emails are meticulously crafted to appear legitimate, often mimicking trusted entities to increase the likelihood of success. Once inside, GHOSTR deploys custom malware, including remote access Trojans (RATs) like PlugX and Poison Ivy, to establish a persistent foothold within the compromised environment. This malware enables the group to maintain control over the system, execute commands, and facilitate further malicious activities.
Privilege escalation is a critical phase in GHOSTR’s operations. After gaining initial access, the group employs various techniques to elevate their privileges within the network. This may involve exploiting software vulnerabilities or using stolen credentials to access higher-level accounts. With elevated privileges, GHOSTR can move laterally across the network, accessing additional systems and data repositories. This lateral movement is often achieved through methods such as credential theft and exploitation of network shares, allowing the group to expand their control and gather more sensitive information.
Data collection and exfiltration are central to GHOSTR’s operations. The group focuses on extracting valuable data, including personal, financial, and confidential business information. They employ encrypted channels and stealthy methods to exfiltrate this data from the compromised network, minimizing the risk of detection. The stolen data is often sold or leaked on underground forums, providing GHOSTR with financial gains or strategic advantages.
To maintain their operational security, GHOSTR employs various evasion techniques. They use encryption to protect their communications and data, and regularly update their tactics and tools to stay ahead of security defenses. The group also practices meticulous cleanup, removing traces of their activities to avoid detection and prolong their access to compromised systems.
MITRE Tactics and Techniques
Initial Access
T1071: Application Layer Protocol
T1193: Spear Phishing Link
T1192: Spear Phishing Attachment
Execution
T1059: Command and Scripting Interpreter
T1106: Native API
Persistence
T1547: Boot or Logon Autostart Execution
T1060: Registry Run Keys / Start Folder
Privilege Escalation
T1068: Exploitation for Privilege Escalation
T1078: Valid Accounts
Defense Evasion
T1027: Obfuscated Files or Information
T1070: Indicator Removal on Host
Credential Access
T1003: Credential Dumping
T1555: Credentials from Password Stores
Lateral Movement
T1021: Remote Services
T1075: Pass the Ticket
Collection
T1005: Data from Local System
T1025: Data from Information Repositories
Exfiltration
T1041: Exfiltration Over Command and Control Channel
T1048: Exfiltration Over Alternative Protocol
Impact
T1499: Endpoint Denial of Service
T1203: Exploitation for Client Execution