Open-Source Gh0st RAT Still Haunting Inboxes 15 Years After Release

Gh0st RAT is a 15-year-old open-source remote administration tool that still shows up in phishing campaigns, including a recent Cofense-reported campaign against a European-owned medical technology organization in China, highlighting its enduring availability and adaptability. Although once tied to nation-state activity such as GhostNet, the tool's public source code means any actor can tailor its capabilities (keystroke logging, webcam and microphone access, remote file download, and full remote control), so it continues to put high-value targets at risk. #Gh0stRAT #GhostNet #APT27 #DalaiLama

Keypoints

  • Gh0st RAT is a long-standing open-source RAT first released in 2008 by C. Rufus Security Team.
  • Its feature set includes full machine control, real-time keystroke logging, live webcam and microphone access, and remote file operations.
  • Historically used by Chinese nation-state actors and linked to GhostNet (2009), which targeted high-value victims such as the Dalai Lama's exile centers.
  • Recent Cofense Intelligence findings show a modern phishing campaign delivering Gh0st RAT to a European-owned medical technology organization in China, with a C2 server on CHINANET in Nanjing.
  • Because the source code is public, any actor can download and customize Gh0st RAT for their needs, blurring attribution to specific groups.
  • The campaign leverages themes such as unpaid invoices to lure victims, illustrating social engineering alongside malware delivery.

MITRE Techniques

  • [T1056.001] Input Capture: Keylogging – Recording keystrokes in real time, with offline logging available.
  • [T1125] Video Capture – Accessing live webcam feeds, including microphone recording.
  • [T1105] Ingress Tool Transfer – Downloading files remotely onto the victim machine.
  • [T1529] System Shutdown/Reboot – Remote shutdown and reboot. (The original write-up lists this as T1489, which is Service Stop; the shutdown/reboot technique is T1529.)
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Disabling user input (keyboard and mouse).
  • [T1071.001] Application Layer Protocol: Web Protocols – HTTP-based download and C2 activity; the sample's command and control (C2) server is located on the CHINANET Jiangsu province network in the city of Nanjing.

Indicators of Compromise

  • [Files] – 1680478346389.zip (MD5: 9e6c45b6b8b20bf3c5959dbba8f27117), LiveUpdate360.dat (MD5: f149d3f3ef0361ebe4d346811f29b527), LiveUpdate.exe (MD5: 96e4b47a136910d6f588b40d872e7f9d), setting.ini (MD5: 91aab4bbe634be62d11d132738c23a82), SqlVersion9.dll (MD5: 317f9ff06c076e87e5b1d11242396d5f), and 2 more hashes
  • [URLs] – hxxps://api[.]youkesdt[.]asia/admin/down/hash/79b7c6ed-c4d8-4b36-b1cd-f968e6570010, hxxp://datacache[.]cloudservicesdevc[.]tk/picturess/2023/SqlVersion9[.]dll, hxxp://datacache[.]cloudservicesdevc[.]tk/picturess/2023/Media[.]xml, hxxp://datacache[.]cloudservicesdevc[.]tk/picturess/2023/LiveUpdate360[.]dat, hxxp://datacache[.]cloudservicesdevc[.]tk/picturess/2023/LiveUpdate[.]exe, hxxp://datacache[.]cloudservicesdevc[.]tk/picturess/2023/223[.]114[.]txt, and 4 more URLs
  • [IP] – 61.160.223.114:18076 (C2 server)
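One way to turn the indicator list above into a hunt, as an added example (not code from the Cofense write-up): the script refangs the published URLs, extracts their hosts, and checks proxy, EDR and flow log lines for the listed MD5s, the staging hosts, and the C2 IP and port. Only the indicator values come from the page; the log lines and their field layout are constructed for the example, and the "2 more hashes" and "4 more URLs" the page elides are not filled in.

```python
"""Hunt for the published Gh0st RAT indicators in local telemetry.

Added example: not code from the Cofense write-up. Indicator values are the
ones listed on the page; every log line below is constructed for illustration.
"""
import re
from dataclasses import dataclass

# Indicators from the page, kept defanged exactly as published.
DEFANGED_URLS = [
    "hxxps://api[.]youkesdt[.]asia/admin/down/hash/79b7c6ed-c4d8-4b36-b1cd-f968e6570010",
    "hxxp://datacache[.]cloudservicesdevc[.]tk/picturess/2023/SqlVersion9[.]dll",
    "hxxp://datacache[.]cloudservicesdevc[.]tk/picturess/2023/Media[.]xml",
    "hxxp://datacache[.]cloudservicesdevc[.]tk/picturess/2023/LiveUpdate360[.]dat",
    "hxxp://datacache[.]cloudservicesdevc[.]tk/picturess/2023/LiveUpdate[.]exe",
    "hxxp://datacache[.]cloudservicesdevc[.]tk/picturess/2023/223[.]114[.]txt",
]
FILE_HASHES = {  # MD5 -> file name, as published
    "9e6c45b6b8b20bf3c5959dbba8f27117": "1680478346389.zip",
    "f149d3f3ef0361ebe4d346811f29b527": "LiveUpdate360.dat",
    "96e4b47a136910d6f588b40d872e7f9d": "LiveUpdate.exe",
    "91aab4bbe634be62d11d132738c23a82": "setting.ini",
    "317f9ff06c076e87e5b1d11242396d5f": "SqlVersion9.dll",
}
C2_IP, C2_PORT = "61.160.223.114", 18076


def refang(ioc):
    """Turn a defanged indicator back into the form that appears in real logs."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", ".")
               .replace("[:]", ":"))


def hostnames(urls):
    """Host part of each URL: paths change between waves, hosts less often."""
    return {re.match(r"https?://([^/]+)", refang(u)).group(1).lower() for u in urls}


@dataclass(frozen=True)
class Hit:
    kind: str       # "hash", "host", "c2" (IP and port) or "c2-ip" (IP only)
    indicator: str
    line: str


# Boundaries stop a published host matching inside a longer look-alike label.
HOST_RE = re.compile(
    r"(?<![\w.-])(" + "|".join(sorted(map(re.escape, hostnames(DEFANGED_URLS)))) + r")(?![\w-])",
    re.IGNORECASE,
)
MD5_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32}(?![0-9a-fA-F])")
# Optional port group: a hit on the bare IP is still worth triage, at lower confidence.
IP_RE = re.compile(r"(?<![\d.])" + re.escape(C2_IP) + r"(?::(\d+))?(?![\d.])")


def hunt(lines):
    """Return every indicator match found in the given log lines, in order."""
    hits = []
    for line in lines:
        for m in MD5_RE.finditer(line):
            digest = m.group(0).lower()
            if digest in FILE_HASHES:
                hits.append(Hit("hash", f"{digest} ({FILE_HASHES[digest]})", line))
        for m in HOST_RE.finditer(line):
            hits.append(Hit("host", m.group(1).lower(), line))
        for m in IP_RE.finditer(line):
            if m.group(1) is not None and int(m.group(1)) == C2_PORT:
                hits.append(Hit("c2", f"{C2_IP}:{C2_PORT}", line))
            else:
                hits.append(Hit("c2-ip", C2_IP, line))
    return hits


SAMPLE_LOGS = [  # constructed for this example, not real telemetry
    # proxy: the staging download of the LiveUpdate.exe component
    "2023-04-03T10:12:44Z proxy src=10.20.30.40 method=GET "
    "url=http://datacache.cloudservicesdevc.tk/picturess/2023/LiveUpdate.exe status=200",
    # EDR file inventory: the same component written to disk, hash in upper case
    "2023-04-03T10:12:46Z edr host=WS-0413 path=C:\\Users\\Public\\LiveUpdate.exe "
    "md5=96E4B47A136910D6F588B40D872E7F9D",
    # flow: connection to the published C2 IP and port
    "2023-04-03T10:13:01Z flow proto=tcp src=10.20.30.40:51022 dst=61.160.223.114:18076 bytes=4812",
    # flow: same IP on another port, reported separately at lower confidence
    "2023-04-03T11:02:09Z flow proto=tcp src=10.20.30.41:51880 dst=61.160.223.114:443 bytes=1201",
    # benign: same file name from an unrelated host, must not match
    "2023-04-03T11:05:00Z proxy src=10.20.30.42 method=GET url=https://updates.example.com/LiveUpdate.exe status=200",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(f"[{hit.kind}] {hit.indicator}\n    {hit.line}")
```

Because the source is public and rebuilt per campaign, the file hashes will not survive the next build; the staging hosts and the C2 address are the more durable pivots, and a bare-IP hit on a different port is reported as its own kind so it can be triaged without being mistaken for a confirmed beacon.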

Read more: https://cofense.com/blog/open-source-gh0st-rat-still-haunting-inboxes-15-years-after-release/