Gh0st RAT Trojan Targets Chinese Windows Users via Fake Chrome Site

Jul 29, 2024 | Newsroom | Cybersecurity / Cyber Espionage

The Gh0st RAT remote access trojan is being delivered by an evasive dropper dubbed Gh0stGambit as part of a drive-by download campaign aimed at Chinese-speaking Windows users.

The infections trace back to a fake website (“chrome-web[.]com”) that serves malicious installer files disguised as Google’s Chrome browser, indicating that the campaign deliberately targets users who search for the browser online.

Gh0st RAT is a well-known malware family that has been active in the wild since 2008, appearing in various forms over the years in operations predominantly run by China-linked cyber espionage groups.

Previous versions of the trojan have also been observed targeting vulnerable MS SQL servers to deploy the open-source Hidden rootkit, as highlighted in a prior report.


According to researchers at cybersecurity company eSentire, who discovered the campaign, the focus on Chinese-speaking users is explained by “the employment of Chinese-themed web enticements and Chinese applications chosen for data theft and evading defense by the malware.”

The malicious MSI installer downloaded from the fake website bundles two components: a legitimate Chrome setup program and a malicious installer (“WindowsProgram.msi”). The latter triggers shellcode execution that deploys Gh0stGambit.

The dropper also checks for the presence of security software such as 360 Safe Guard and Microsoft Defender Antivirus before connecting to a command-and-control (C2) server to retrieve Gh0st RAT.
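The two concrete indicators the article gives, the fake download site and the name of the malicious MSI, can be turned into a simple hunt over proxy and process-creation logs. The following is an added example, not code from the article or from eSentire; the log formats and all sample log lines are constructed for the demonstration, and the MSI file name is deliberately treated as a weak, triage-only indicator.

```python
import re

# Indicators quoted in the article; the domain is kept defanged as published.
FAKE_SITE = "chrome-web[.]com"
DROPPER_MSI = "WindowsProgram.msi"

# Constructed sample logs (not from the article): a space-separated proxy log
# and a process-creation log with a quoted command line per record.
PROXY_LOG = """\
2024-07-29T10:02:11Z 10.0.0.5 GET http://www.google.com/chrome/ 200
2024-07-29T10:05:40Z 10.0.0.7 GET http://chrome-web.com/ChromeSetup.msi 200
2024-07-29T10:05:41Z 10.0.0.7 GET http://cdn.chrome-web.com/x.js 200
2024-07-29T10:07:02Z 10.0.0.9 GET http://example.org/index.html 200
"""
PROCESS_LOG = """\
2024-07-29T10:06:10Z host=WS07 cmdline="msiexec.exe /i C:\\Users\\a\\Downloads\\ChromeSetup.msi"
2024-07-29T10:06:14Z host=WS07 cmdline="msiexec.exe /i C:\\Users\\a\\AppData\\Local\\Temp\\WindowsProgram.msi /qn"
2024-07-29T10:08:00Z host=WS09 cmdline="notepad.exe notes.txt"
"""

def refang(indicator: str) -> str:
    """Turn a defanged indicator ("chrome-web[.]com") back into a matchable form."""
    return indicator.replace("[.]", ".")

def hunt_proxy(log: str, fake_site: str = FAKE_SITE) -> list[tuple[str, str]]:
    """(timestamp, client) for requests to the fake site or any of its subdomains."""
    domain = refang(fake_site).lower()
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        m = re.match(r"https?://([^/:]+)", parts[3])
        host = m.group(1).lower() if m else ""
        if host == domain or host.endswith("." + domain):
            hits.append((parts[0], parts[1]))
    return hits

def hunt_msi(log: str, msi_name: str = DROPPER_MSI) -> list[tuple[str, str]]:
    """(timestamp, host) for msiexec runs of the dropper's MSI. A file name alone
    is a weak indicator, so treat hits as leads to triage, not as verdicts."""
    hits = []
    for line in log.splitlines():
        m = re.search(r'host=(\S+) .*cmdline="([^"]*)"', line)
        if not m:
            continue
        cmd = m.group(2).lower()
        if "msiexec" in cmd and msi_name.lower() in cmd:
            hits.append((line.split()[0], m.group(1)))
    return hits
```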

“Gh0st RAT, developed using C++, comes loaded with an array of capabilities including process termination, file deletion, audio and screen capture, remote command execution, keylogging, data theft, concealing registry entries, files, and directories by leveraging rootkit features, among others,” eSentire said.

It is also capable of dropping Mimikatz, enabling Remote Desktop Protocol (RDP) on compromised hosts, extracting account identifiers associated with Tencent QQ, clearing Windows event logs, and erasing data from browsers such as 360 Secure Browser, QQ Browser, and Sogou Explorer.

The Canadian firm also noted that the detected artifact overlaps with a Gh0st RAT variant tracked by the AhnLab Security Intelligence Center (ASEC) under the name HiddenGh0st.

“Gh0st RAT has been extensively employed and tweaked by APT and criminal factions in the past few years,” eSentire said. “The latest discoveries emphasize the spread of this threat through drive-by installations, tricking users into downloading a deceitful Chrome installer from a fraudulent website.”

“The continuous success of drive-by installations underscores the necessity for ongoing security education and awareness initiatives.”

Separately, Broadcom-owned Symantec reported an uptick in phishing campaigns that potentially use Large Language Models (LLMs) to generate malicious PowerShell and HTML scripts that download a variety of loaders and stealers.

The emails contain “scripts used to download different payloads, such as Rhadamanthys, NetSupport RAT, CleanUpLoader (Broomstick, Oyster), ModiLoader (DBatLoader), LokiBot, and Dunihi (H-Worm),” security researchers Nguyen Hoang Giang and Yi Helen Zhang said. “Examination of the scripts utilized to distribute malware in these incursions proposes that they were crafted with the help of LLMs.”
