Gh0st RAT variants, including HiddenGh0st, are actively used to attack MS-SQL servers and deploy the open-source Hidden rootkit to conceal the infection and protect its artifacts. The operation collects extensive system data, harvests credentials with Mimikatz, and provides remote-control features such as keylogging, screen capture and remote desktop access; the RAT decrypts and runs its real payload in memory and encrypts its C&C traffic to evade detection.
Keypoints
- Gh0st RAT variants, including HiddenGh0st, are used against MS-SQL and MySQL servers and account for a substantial share of the attacks recorded in ASEC's quarterly statistics.
- HiddenGh0st installs the open-source Hidden rootkit to conceal files, registry entries and processes, giving the implant both stealth and persistence.
- The malware carries a rich configuration (C&C address, installation method, whether to activate the rootkit) and can download additional payloads; the configuration also appears to include an option to look up the host's public IP address.
- Installation is performed either as a Windows service or through the Startup folder; the installer relies on details such as symlink tricks and appended dummy data to persist and to hinder removal.
- Infected hosts routinely transmit a wide set of system information to the C&C server, including QQ Messenger data; the communications are encrypted.
- HiddenGh0st supports an extensive set of remote-control commands (FileManager, ScreenManager, KeyboardManager, ShellManager, etc.), credential harvesting via Mimikatz, and RDP-related commands for interactive remote access.
MITRE Techniques
- [T1027] Obfuscated Files and Information – The malware is distributed packed to evade file-based detection; at run time it decrypts the real PE from its DATA section and executes it in memory. Quote: ‘distributed in a packed state to evade file detection. After decrypting the actual PE file encrypted in the DATA section, it is executed in the memory.’
- [T1056.001] Keylogging – The variant includes a keylogger and uses commands to enable keylogging; keylogging data is written to a file. Quote: ‘[KeyboardManager] Keylogger’
- [T1113] Screen Capture – The malware can capture the screen as part of its commands. Quote: ‘[ScreenManager] Captures screen, exfiltrates and changes clipboard contents’
- [T1003.001] OS Credential Dumping: LSASS Memory – The RAT drops Mimikatz and drives it with privilege::debug followed by sekurlsa::logonpasswords, which reads logon credentials out of LSASS memory. Quote: ‘GetMP privilege::debug sekurlsa::logonpasswords exit\r\n’ (the trailing CRLF was flattened to ‘rn’ in extraction)
- [T1021.001] Remote Services: Remote Desktop Protocol – Remote-control commands enable or disable Remote Desktop, change its listening port, enable the guest account and Internet sharing, and create or delete user accounts. Quote: ‘Remote control-related: Activates/deactivates remote desktop, changes remote desktop port number, activates guest account, activates Internet sharing, configures/deletes user account, etc.’
- [T1543.003] Windows Service – HiddenGh0st registers as a service during Installation Mode #1 and re-launches with -auto. Quote: ‘register as a service… with the “-auto” argument during service registration’
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – In the other installation mode it copies itself to the Startup folder for persistence. Quote: ‘copies itself to the startup folder’
- [T1564.001] Hide Artifacts: Hidden Files and Directories – The Hidden rootkit's file-system mini-filter driver hides the configured files and directories from enumeration. Quote: ‘hiding files’ and ‘Hid_HideFsDirs’
- [T1014] Rootkit – The same driver hides registry keys and values through a registry callback registered with CmRegisterCallbackEx (the page files this under T1564.004, but that sub-technique is NTFS File Attributes; kernel-level hiding of registry and process artifacts is T1014). Quote: ‘HideRegKeys’ and ‘HideRegValues’
- [T1041] Exfiltration Over C2 Channel – Data is encrypted and sent to the C2 server, showing exfiltration over a C2 channel. Quote: ‘The data ultimately goes through an encryption process before being sent to the C&C server.’
- [T1071] Application Layer Protocol (sub-technique not established) – C&C traffic goes to a domain name on port 14688. The page shows only a host and port, not a URL scheme, so the Web Protocols (T1071.001) mapping is not supported by the quoted evidence; Gh0st-lineage RATs typically speak a custom encrypted TCP protocol, for which T1095 Non-Application Layer Protocol is the usual mapping. Quote: ‘C&C URL… leifenghackyuankong.e3.luyouxia[.]net:14688’
Indicators of Compromise
- [Domain] leifenghackyuankong.e3.luyouxia[.]net – C&C server (defanged; the live name replaces ‘[.]’ with ‘.’)
- [Port] 14688 – C&C port on that host; on its own the port is a weak indicator and should be corroborated with the domain
- [MD5] 69cafef1e25734dea3ade462fead3cc9, 0d92b5f7a0f338472d59c5f2208475a3, 4e34c068e764ad0ff0cb58bc4f143197 – hashes associated with HiddenGh0st/related binaries
- [FileName] QAssist.sys – Hidden rootkit driver filename (Rootkit/Sys file)
- [FileName] QQ进程保护程序.exe (“QQ process protection program”) – executable name given in the configuration for the installed copy; the name imitates a Tencent QQ component
- [FileName] 6gkIBfkS+qY=.key – file to which the keylogger writes captured keystrokes (the report lists the name in both encrypted and decrypted form)
- [Registry] 5750b8de793d50a8f9eaa777adbf58d4 – value stored as BITS registry configuration data (a hash-formatted string; the page does not tie it to a specific file)
- [Service] QQ进程保护程序 (“QQ process protection program”) – name of the service registered in the service installation mode
- [Detection] Malware/Win32.RL_Generic.R356012, Trojan/Win.Generic.C4446276, Malware/Gen.Generic.C3228648 – detected malware family names
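The indicators above are published defanged, and the first thing a practitioner does with them is sweep telemetry. The script below is an added example, not code from the ASEC report or from this page: it refangs the domain, classifies log lines, and checks file names and MD5 hashes against the list. The DNS/firewall/flow line formats are assumptions and the sample lines are constructed, not real telemetry; function names such as scan_log_line and triage_file_bytes are this example's own.

```python
"""IoC sweep for the HiddenGh0st indicators listed on this page (added example)."""
import hashlib
import re
from pathlib import Path

# Indicators copied from the page, kept in their defanged form.
C2_DOMAIN_DEFANGED = "leifenghackyuankong.e3.luyouxia[.]net"
C2_PORT = 14688
KNOWN_MD5 = {
    "69cafef1e25734dea3ade462fead3cc9",
    "0d92b5f7a0f338472d59c5f2208475a3",
    "4e34c068e764ad0ff0cb58bc4f143197",
}
SUSPECT_FILENAMES = {"QAssist.sys", "QQ进程保护程序.exe", "6gkIBfkS+qY=.key"}


def refang(indicator: str) -> str:
    """Convert a defanged indicator ('[.]', '[:]', 'hxxp') back to its live form."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


C2_DOMAIN = refang(C2_DOMAIN_DEFANGED).lower()

# Host names: dotted labels ending in an alphabetic TLD, so IPv4 addresses do not match.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
# Destination ports in the common 'host:port', 'dport=' and 'dst_port=' notations (assumed formats).
PORT_RE = re.compile(r"(?:dport=|dst_port=|:)(\d{1,5})\b")


def scan_log_line(line: str) -> dict:
    """Classify one log line. The domain is specific enough to stand alone;
    the bare port is a weak signal and only earns 'low' confidence by itself."""
    hosts = {h.lower() for h in HOST_RE.findall(line)}
    domain_hit = any(h == C2_DOMAIN or h.endswith("." + C2_DOMAIN) for h in hosts)
    port_hit = any(int(p) == C2_PORT for p in PORT_RE.findall(line))
    confidence = "high" if domain_hit else "low" if port_hit else "none"
    return {"domain": domain_hit, "port": port_hit, "confidence": confidence}


def sweep_logs(lines) -> list:
    """Return the 0-based index and classification of every line that matched."""
    hits = []
    for i, line in enumerate(lines):
        result = scan_log_line(line)
        if result["confidence"] != "none":
            hits.append({"line": i, **result})
    return hits


def md5_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def triage_file_bytes(name: str, data: bytes) -> dict:
    """Check a file (name plus content) against the published names and hashes."""
    return {
        "name_match": name in SUSPECT_FILENAMES,
        "hash_match": md5_of_bytes(data) in KNOWN_MD5,
    }


def triage_path(path: Path) -> dict:
    """Same check for a file on disk."""
    return triage_file_bytes(path.name, path.read_bytes())


# Constructed sample lines (not real telemetry) in an illustrative DNS / firewall / flow format.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z dns client=10.0.0.12 query=www.example.com type=A",
    "2024-01-01T10:00:03Z dns client=10.0.0.12 query=leifenghackyuankong.e3.luyouxia.net type=A",
    "2024-01-01T10:00:04Z fw allow src=10.0.0.12 dst=203.0.113.7 dport=14688 proto=tcp",
    "2024-01-01T10:00:05Z flow src=10.0.0.12:52113 dst=leifenghackyuankong.e3.luyouxia.net:14688 proto=tcp",
]

if __name__ == "__main__":
    for hit in sweep_logs(SAMPLE_LOGS):
        print(hit, "<-", SAMPLE_LOGS[hit["line"]])
    print(triage_file_bytes("QAssist.sys", b"MZ"))
```

The port alone is rated low because 14688 is not reserved for anything and will show up in unrelated traffic; the domain, or the domain together with the port, is what justifies an alert. Hosts beneath the listed domain are matched too, so a label prepended by the operator does not evade the check. Note that the file-name match on QAssist.sys is only useful where the rootkit is not yet loaded: once the Hidden driver is active it hides exactly these files from a live file-system walk, so hash and name checks should be run against an offline image or from a clean boot.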
Read more: https://asec.ahnlab.com/en/57185/