Gh0stCringe RAT Being Distributed to Vulnerable Database Servers – ASEC BLOG

MITRE Techniques

• [T1105] Ingress Tool Transfer – Downloader: Downloads additional payload from the C&C server and executes it. Quote: “Downloads additional payload from the C&C server and executes it. Can send specific arguments.”
• [T1218.011] Signed Binary Proxy Execution: Rundll32 – Rundll32 process termination: If turned on, executes ‘taskkill /f /im rundll32.exe’ command to terminate the rundll32 process that is running. Quote: “Rundll32 process termination [On/Off] If turned on, executes ‘taskkill /f /im rundll32.exe’ command to terminate the rundll32 process that is running.”
• [T1056.001] Keylogging – Keylogging: If turned on, keylogging thread operates. Quote: “Keylogger [On/Off]: If turned on, keylogging thread operates.” and “The keylogging feature can operate by receiving a command from the C&C server, and it can also be activated depending on the settings data. (GetAsyncKeyState())”
• [T1027] Obfuscated/Encrypted Data – The data that has been created goes through a self-encoding method and is ultimately encrypted. Quote: “The data that has been created goes through a self-encoding method and is ultimately encrypted.”
• [T1543.003] Create/Modify Windows Service – Mode #2 registers to a service; persistence is maintained. Quote: “Mode #2: The malware copies itself to the path %ProgramFiles%Cccogae.exe’ and registers to ‘Rsuyke mkgcgkuc’ service. When it executes the service, it gives ‘Win7’ as the argument and executes Gh0stCringe. As the service is registered in a proper way, persistence is maintained.”
• [T1547.001] Run Keys/Startup Folder – Mode Windows 10: It registers to HKCU Run Key, enabling it to maintain persistence. Quote: “Mode Windows 10: It registers to HKCU Run Key, enabling it to maintain persistence.”
• [T1082] System Information Discovery – Structure of data collected from the infected system: IP address of the infected system, host name, Windows version, CPU info, memory, etc. Quote: “Table 1. Structure of data collected from the infected system” and “IP address of the infected system.”
• [T1041] Exfiltration Over C2 Channel – The infected data is sent to the C&C server after collection. Quote: “sends it to the C&C server” and “communicates periodically, waiting for the attacker’s command.”
• [T1561.002] Disk Wipe – Destroying MBR: Command to destroy the MBR is available. Quote: “Destroying MBR.”
• [T1012] Query Registry – Installed security products: The malware notes the list of installed security products. Quote: “The most noticeable collected data is the list of installed security products.”
• [T1100] Brute Force/Dictionary Attacks – Credential attacks against poorly managed accounts: Quote: “Typical attacks that target database servers (MS-SQL, MySQL) include brute force attacks and dictionary attacks to systems where account credentials are poorly being managed.”