HiddenGh0st Malware Attacking MS-SQL Servers – ASEC BLOG

Gh0st RAT is a remote control malware developed by the C. Rufus Security Team from China. Due to its source code being publicly available, malware developers use it as a reference as they continue developing numerous variants that are still actively used in attacks. Although the source code is public, Gh0st RAT is mainly used by threat actors based in China. Cases of Gh0stCringe RAT, a variant of Gh0st RAT, being distributed targeting database servers (MS-SQL, MySQL servers) were disclosed in a previous blog post. [1]

Numerous variants of Gh0st RAT are often used in attacks targeting MS-SQL servers. AhnLab Security Emergency response Center (ASEC) monitors attacks targeting poorly managed MS-SQL servers and publishes quarterly statistics through the ASEC Reports. The statistics categorize malware according to major categories such as backdoor, Trojan, HackTool, CoinMiner, etc., and they also cover the specific malware that are used in attacks within each category. Based on statistics from the second quarter of 2023, Gh0st RAT variants accounted for 29.0% of attack cases, making them the second most common, just behind Remcos RAT. [2]

Figure 1. Statistics on backdoors used in attacks against MS-SQL servers (Q2 2023)

ASEC has recently confirmed the distribution of a Gh0st RAT variant, which installs the Hidden rootkit, targeting poorly managed MS-SQL servers. Hidden, an open-source rootkit publicly accessible on GitHub, offers features that include hiding files, registry entries, and even itself, as well as providing the ability to protect processes. [3] Threat actors can potentially leverage these features to hide the presence of malware infections from users or hinder the removal of malware.

In this blog, the Gh0st RAT variant that installs the Hidden rootkit will be classified as HiddenGh0st. HiddenGh0st has been identified since at least 2022 and is still being distributed. Given the additional features added by the threat actor, including the ability to steal information from QQ Messenger, a platform predominantly utilized by Chinese users, it is suspected that Chinese users are the main target of these attacks.

Figure 2. HiddenGh0st being created by an MS-SQL server process

1. Analysis of HiddenGh0st

1.1. Initial Configuration

HiddenGh0st is distributed in a packed state to evade file detection. After decrypting the actual PE file encrypted in the DATA section, it is executed in the memory. At the same time, the configuration data is also transmitted in the size of 0x848.

Figure 3. Configuration data that is transmitted when the decrypted shellcode is executed

The transmitted configuration data is as follows. It not only includes the C&C URL, but it also supports a variety of configurations, such as the installation method, the name of the installation path and file, and whether to activate the rootkit.

Offset Data Description
0x0000 “leifenghackyuankong.e3.luyouxia[.]net” C&C server address
0x012C NULL Not used
0x0258 0x3960 (14688) C&C server port number
0x025C 0x0EE0 Not used
0x0260 “6gkIBfkS+qY=” Keylogging file name (“Default” upon being decrypted)
0x0292 “tdC2pg==” Version information (“1.0” upon being decrypted)
0x02b2 “QQ进程保护程序” Service name (Service mode)
0x0316 “TX QQ” Service display name (Service mode)
0x0396 SERVICE_DESCRIPTION Service configuration data (Service mode)
0x0496 “5750b8de793d50a8f9eaa777adbf58d4” BITS registry configuration data
0x0598 0x0000 External IP lookup status
0x059C 0x0001 Installation mode #1: Service
0x05A0 0x0000 Installation mode #2: Startup Folder
0x05A4 0x0000 without Rootkit
0x05A8 “%SystemRoot%System32” Installation path name (Service mode)
0x060C “QQ进程保护程序.exe” Installation file name
0x063E 0x0008 Size of appended dummy data
0x0640 0x0007 Property assigned to malware (Service mode)
0x0648 NULL Download URL
Table 1. Initial configuration data

Many of the configuration data include options that are deactivated, and one notable example is the URL used by the downloader thread. If the threat actor had set a download URL, it is likely that the download of additional malware from an external source would have also occurred upon executing the HiddenGh0st.

Among the deactivated configuration data, there is also an option to activate a feature that retrieves the infected system’s public IP address. If this feature is enabled, the public IP address from http://www.taobao.com/help/getip.php will be obtained and included in the data sent to the C&C server.

1.2. Installation Process

1.2.1. Installation Mode #1 – Service

If the installation mode specified in the configuration data is set to “Service”, the installation time of the current malware is first saved in the MarkTime value of the key in HKLMSYSTEMSelect. Then, HiddenGh0st references the configuration data to copy the malware and register it as a service. By specifying the “-auto” argument during service registration, the malware is subsequently launched with the same “-auto” argument while operating as a service.

Figure 4. MarkTime value where the installation time was saved

Additionally, the configuration data also includes the size of the dummy data that will be appended. When the configuration value is 0x0008, a 0x00800000-sized dummy data is appended to the end of the malware. Once the process reaches this point, the service is executed and the following command is used to delete the original file. If HiddenGh0st operates as a service, it executes itself again with the argument “-acsi” and then the main routine proceeds.

> C:Windowssystem32cmd.exe /c ping -n 2 > nul && del [Malware path] > nul
1.2.2. Installation Mode #2 – Startup Folder

If the installation method is set to “Startup Folder” in the configuration data that is transmitted when the malware is executed, HiddenGh0st maintains persistence by copying itself to the startup folder instead of registering as a service. First, saving the installation time in the MarkTime value of the HKLMSYSTEMSelect key is the same as when the installation mode is service. Afterward, HiddenGh0st copies the currently running malware to the startup folder. A notable characteristic of this process is the use of the DefineDosDeviceA() API to create a symbolic link for the target path of the copy and its use in the copy process. The string “.agmkis2” is used as the name of the symbolic link.

Figure 5. File being copied using the symbolic link

The copied malware is then given the hidden attribute and the dummy data is added as per the configuration. Once this process is complete, the copied malware is executed, and the original malware deletes itself.

1.3. Transmission of Infected System Information

HiddenGh0st, much like the typical Gh0st RAT, collects and transmits basic information about the infected system to the C&C server after communication has been established.

Offset Collected Data
0x0000 0x66
0x0004 Windows version information
0x00A0 CPU speed
0x00A4 Number of CPUs
0x00A8 Public IP address
0x00AC Private IP address
0x00B0 Host name of the infected system
0x01B0 Number of webcams
0x01B4 Internet connection delay time
0x01B8 Network interface speed
0x01BC Memory capacity
0x01C0 Local disk capacity
0x01C4 “Default” string (decrypted from the configuration data) or the “5750b8de793d50a8f9eaa777adbf58d4” value of the BITS registry
0x01F6 System boot time
0x0216 “1.0” (version)
0x0236 List of installed security products
0x0268 Wow64 availability
0x026C Malware installation time (MarkTime)
0x029E Logged in QQ Messenger number
0x03A0 Whether 3 minutes has passed since the last key input
0x03A4 Internet connection status (MODEM, LAN, PROXY)
Table 2. List of information transmitted to the C&C server

The information about installed security products is obtained by checking if the names of currently running processes contain any of the following keywords.

“360tray.exe”, “360sd.exe”, “kxetray.exe”, “KSafeTray.exe”, “QQPCRTP.exe” ,”HipsTray.exe” ,”BaiduSd.exe” ,”baiduSafeTray.exe” ,”KvMonXP.exe” ,”RavMonD.exe” ,”QUHLPSVC.EXE” ,”QuickHeal” ,”mssecess.exe” ,”cfp.exe”, “SPIDer.exe”, “DR.WEB”, “acs.exe”, “Outpost”, “V3Svc.exe” ,”AYAgent.aye” ,”avgwdsvc.exe” ,”AVG” ,”f-secure.exe” ,”F-Secure” ,”avp.exe” ,”Mcshield.exe”, “NOD32”, “knsdtray.exe”, “TMBMSRV.exe”, “avcenter.exe”, “ashDisp.exe” ,”rtvscan.exe” ,”remupd.exe” ,”vsserv.exe”, “BitDefender”, “PSafeSysTray.exe”, “ad-watch.exe”, “K7TSecurity.exe”, “UnThreat.exe”, “UnThreat”

Among the data transmitted to the C&C server by HiddenGh0st, the QQ number of the currently running QQ Messenger is also included. Since QQ Messenger is primarily used by users who can communicate in Chinese, it is speculated that the threat actor’s main targets are Chinese-speaking users.

Figure 6. Routine to obtain the QQ number from QQ messenger

HiddenGh0st compresses the 0x3BC size data obtained in this way and then prepends 0x0F size data to it. The prepended data includes information such as the signature string “hx”, the size of the data to be sent, and the original data’s size. The original Gh0st RAT used a signature string called “Gh0st” just like its name to communicate with the C&C server. Nonetheless, due to the public availability of its source code, Gh0st RAT has spawned numerous variants, and it is worth noting that in the past, Gh0stCringe RAT also employed “xy” as its signature string.

Offset Size Data Description
0x00 0x03 “hx “ Signature string
0x03 0x04 0x000000AB Size of the data to be sent (0x9C + 0x0F that is the size of the compressed file)
0x07 0x04 0x000003BC Size of the original data
0x0B 0x04 0x00000002 Hard-coded
Table 3. Data that is transmitted before encryption

The data ultimately goes through an encryption process before being sent to the C&C server.

Figure 7. Packet encryption routine
Figure 8. Communication packet with the C&C server

1.4. Performing Commands

The threat actor based HiddenGh0st on the original Gh0st RAT when developing it, so it supports basic commands similar to those in the original Gh0st RAT, such as FileManager, ScreenManager, KeyboardManager, SystemManager, ShellManager, etc. Of course, HiddenGh0st supports many more commands. Below is a list of commands that can be received from the C&C server for execution. Only the main categories have been categorized here, so it should be known that each command is actually responsible for many more features. Commands that operate as threads and continuously send data to the C&C server use port 80 of the C&C server.

Command Feature
0x00 Standby
0x01 [FileManager] File management: Looks up file, uploads, downloads, deletes, renames, executes, decompresses via WinRAR, etc.
0x08 Chat
0x0A Service management: Looks up service, starts, deletes, changes settings, etc.
0x0B Process check: Checks whether it is currently running
0x0C Windows check: Checks whether it is currently running
0x10 [ScreenManager] Captures screen, exfiltrates and changes clipboard contents
0x1C Executes file
0x1D Terminates explorer (explorer.exe)
0x1E Deletes Internet Explorer cache
0x1F Port forwards
0x2D [KeyboardManager] Keylogger
0x33 Outputs audio
0x34 Exfiltrates QQ Messenger information
0x36 [SystemManager] System management: Collects the list of processes/Windows supported by Gh0st RAT, steals Dialup account information, and has features to terminate processes. Furthermore, executes commands, controls threads, collects/modifies host files, etc.
0x48 Message popup
0x49 Sets the HKLMSYSTEMCurrentControlSetServicesBITS / 5750b8de793d50a8f9eaa777adbf58d4 value
0x4A [ShellManager] Remote shell: Remote shell feature supported by Gh0st RAT. Furthermore, steals account credentials via Mimikatz
0x4B Shuts down computer
0x4C Restarts
0x4D Uninstalls
0x4E Event cleanup
0x52 Etc: Opens/Closes CD-ROM, hides/reveals taskbar, switches left and right mouse buttons, etc.
0x60 Download and execute files from an external source
0x62 Copies malware to the startup folder
0x63 Sets resolution
0x64 Creates and executes file (HIDE)
0x65 Creates and executes file (SHOW)
0x66 Plugin installation: Downloads and executes the plugin.dll file
0x67 URL connection: Connects to a specific website via Internet Explorer (HIDE)
0x68 URL connection: Connects to a specific website via Internet Explorer (SHOW)
0x69 Sets the HKLMSYSTEMSetup/Host value
0x6A Standby
0x6D Remote control-related: Activates/deactivates remote desktop, changes remote desktop port number, activates guest account, activates Internet sharing, configures/deletes user account, etc.
0x82 Registry management
0x8A Speculated as plugin-related: Looks up file, downloads/uploads, loads in the memory and executes
Table 4. List of commands supported by HiddenGh0st

Due to the wide range of features provided by HiddenGh0st, it offers even more features on top of the features supported by the original Gh0st RAT and the typical RAT malware.

At the initial execution stage, there were two encoded strings received as arguments from the configuration data. One is the string “1.0”, which is presumed to be the version information of the malware, and the other is the string “Default”. The latter is presumed to be used as an identifier for the malware since it is sent to the C&C server along with information about the infected system. If the threat actor activates the keylogger command, the collected keylogging data is saved in the %SystemDirectory% path, and the file name used is the string “6gkIBfkS+qY=.key”, which is the “Default” string before being decrypted.

Figure 9. Location where the keylogging data is saved

HiddenGh0st has a feature that installs Mimikatz, allowing it to steal account credentials from infected systems. In addition to the remote shell, the ShellManager class, responsible for the remote shell feature in the original Gh0st RAT, includes a command that installs Mimikatz under the name “GetMP.exe” and executes the following command. The malware transmits the account credentials collected from infected systems through processes like these to the C&C server.

> GetMP privilege::debug sekurlsa::logonpasswords exitrn
Figure 10. Execution routine of Mimikatz

Among the newly added commands, there are many features related to remote control using RDP. These features can activate remote desktop or Internet sharing, change the port number for the remote desktop, and even use a command like the one below to enable guest accounts and register them in the administrator group.

> net user guest /active:yes && net user guest 123456 && net localgroup administrators guest /add
Figure 11. Routine to activate remote desktop and change the port number

In addition, it also includes features that were supported by past RAT malware, such as commands to delete the cache of Internet Explorer, open or close the CD-ROM, hide the taskbar, and swap the left and right buttons of the mouse.

> cmd.exe /c RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255

Although the specific purpose has not been confirmed, a feature exists among the commands that sets the registry key value like the following. If the value “5750b8de793d50a8f9eaa777adbf58d4” is set through the threat actor’s command, it will be included with the basic information that HiddenGh0st transmits to the C&C server.

  • HKLMSYSTEMCurrentControlSetServicesBITS / 5750b8de793d50a8f9eaa777adbf58d4
  • HKLMSYSTEMSetup / Host
Figure 12. Registry key where the data received from the threat actor is written

2. Analysis of HiddenGh0st’s Rootkit

Hidden is an open-source rootkit driver publicly available on GitHub. It utilizes mini-filter drivers and kernel callback functions provided by the latest operating systems to hide files and registries, as well as protect processes. Due to these features, if used for malicious purposes, it can be employed to hide malware and prevent the termination of malicious processes. The CoinMiner known as PurpleFox also customized Hidden and utilized it in its attacks to hide the malware and obstruct removal efforts. [4]

HiddenGh0st installs the internally embedded Hidden rootkit during the execution process and uses it for the purpose of hiding and protecting the malware that acts as a backdoor. In this section, we will first analyze the basic features of the Hidden rootkit before outlining the process through which HiddenGh0st utilizes Hidden.

2.1. Analysis of Hidden Rootkit

2.1.1. Basic Operation

Hidden first reads the Config registered in the installation registry. These registry values are the configuration data automatically loaded and applied when the rootkit driver is loaded. For example, the following registry values were generated to transmit 4 commands.

Figure 13. Configuration data containing commands

After reading the initial configuration data, the initialization process of the process monitor, mini-filter, registry filter, and so on begins. Once each initialization process is completed, its protection and hiding features are performed based on the read configuration data. Finally, Stealth Mode, which is responsible for hiding the driver itself, can be initiated by referencing the hide settings, specifically the “Hid_StealthMode” value that can be set in the above registry. Stealth Mode hides the files and registry keys of Hidden, making it impossible to stop the corresponding services. Instead, a tool called HiddenCLI.exe can be used to deliver commands to deactivate and restore the driver.

Registry Feature
Hid_State Activates driver
Hid_StealthMode Self-stealth mode
Hid_HideFsDirs Hides directory
Hid_HideFsFiles Hides file
Hid_HideRegKeys Hides registry key
Hid_HideRegValues Hides registry value
Hid_IgnoredImages Specifies exception process
Hid_ProtectedImages Specifies protection process
Hid_HideImages Hides process
Table 5. Registry commands referenced by Hidden

Additionally, HiddenCLI.exe uses the following IOCTL when transmitting commands to the Hidden driver.

IOCTL Number Feature
HID_IOCTL_SET_DRIVER_STATE 0x800 Sets driver status (Activate/Deactivate)
HID_IOCTL_GET_DRIVER_STATE 0x801 Returns current driver status
HID_IOCTL_SET_STEALTH_MODE 0x802 Sets stealth mode
HID_IOCTL_ADD_HIDDEN_OBJECT 0x83C Adds stealth target
HID_IOCTL_REMOVE_HIDDEN_OBJECT 0x83D Removes stealth target
HID_IOCTL_REMOVE_ALL_HIDDEN_OBJECT 0x83E Removes all stealth targets
HID_IOCTL_ADD_OBJECT 0x846 Adds exception/protection process
HID_IOCTL_GET_OBJECT_STATE 0x847 Returns exception/protection process status
HID_IOCTL_SET_OBJECT_STATE 0x848 Sets exception/protection process status
HID_IOCTL_REMOVE_OBJECT 0x849 Removes exception/protection process
HID_IOCTL_REMOVE_ALL_OBJECT 0x84A Removes all exception/protection processes
Table 6. List of IOCTL numbers used by Hidden to transmit commands
2.1.2. Hiding Files

Hidden utilizes a file system mini-filter driver to hide files. File system filter drivers are kernel-mode components provided by Windows that allow monitoring and modification of file system requests such as opening, reading, and modifying files and directories. Mini-filter drivers are models that can control file systems using the Windows filter manager. As mentioned above, this allows file-related activities to be monitored and controlled without using kernel mode hooking techniques.

In Hidden, the monitored I/O operations include IRP_MJ_CREATE and IRP_MJ_DIRECTORY_CONTROL. IRP_MJ_CREATE is triggered when a handle is opened for a file or device object, and Hidden registers a pre-operation callback for this request. IRP_MJ_DIRECTORY_CONTROL is triggered when a directory is looked up, and Hidden registers both the pre-operation and post-operation callbacks for this request.

When monitoring IRP_MJ_CREATE, if the name of the file or directory targeted for handle opening matches an entry in the stealth target list, Hidden blocks access to them by returning STATUS_NO_SUCH_FILE. In the case of directory lookups, when monitoring IRP_MJ_DIRECTORY_CONTROL, Hidden removes the stealth target files and directories from the information obtained as a result of the request if the request matches an entry in the stealth list, effectively rendering them imperceptible to the user.

Figure 14. STATUS_NO_SUCH_FILE being returned for a stealth target

The filter manager loads each mini-filter driver at a unique altitude when registering them. Mini-filter drivers cannot be loaded with duplicate values, and Microsoft manages these altitudes for driver files. Additionally, Hidden is not an officially signed and registered driver, but in open-source, it uses 370030 as its altitude. (This is the same value as the altitude of Microsoft’s example mini-filter driver called passThrough.sys)

Figure 15. Altitude that can be seen in the Hidden.inf file
2.1.3. Protecting and Hiding Processes

Hidden provides a process protection feature and utilizes the ObRegisterCallbacks() function for these operations. This function registers callback routines that receive notifications about specific pre- and post-operations related to process and thread objects. Therefore, callback routines for actions such as the creation and duplication of handles for each object are registered, providing control by calling the registered callback routine first whenever a relevant operation occurs. The ObRegisterCallbacks() function, like mini-filter drivers, also requires an altitude value and designating it as 1000 is a characteristic of this function.

When looking at the OB_OPERATION_REGISTRATION structure specified during the ObRegisterCallbacks() function call, the registration of callback functions (ProcessPreCallback, ThreadPreCallback) for pre-operations related to handle creation and duplication for processes and threads (OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE) can be observed. As shown below, this callback function modifies the access permissions that were set when obtaining the handle for the protection target process to the minimum permission level. This modification makes it so that actions such as memory reading/writing and process termination cannot be performed.

Figure 16. Routine to change the permission

Additionally, commands supported by Hidden include a feature to exclude specific designated processes from being hidden, and it maintains a separate process table to manage these exception processes. This table uses the PsSetCreateProcessNotifyRoutineEx() function to monitor the creation and termination of processes.

While not included in the rootkit used by HiddenGh0st, the source code does support process hiding functionality using Direct Kernel Object Manipulation (DKOM). The Windows kernel uses a structure called ‘EPROCESS’ to manage processes. EPROCESS is a doubly linked list structure where different processes are connected to each other. The rootkit receives the PID of the target process that will be hidden as an argument and accesses the EPROCESS of that process. It then checks the processes linked to Flink and Blink. Next, it links the processes that are connected before and after itself. Afterward, it ensures that its own Flink and Blink are pointing to itself, effectively excluding it from the doubly linked list of EPROCESS.

Figure 17. Process hiding feature supported by the Hidden source code
2.1.4. Hiding Registries

Hidden provides a registry key and value hiding feature and utilizes the CmRegisterCallbackEx() function for these operations. This function registers registry callback routines, and when registry-related operations occur, the registered callback routines are called first, providing control in this manner. The CmRegisterCallbackEx() function, like mini-filter drivers, also requires an altitude value. In Hidden, an arbitrary value of 320000 is used.

Hidden monitors the following 10 registry operations within its callback functions. In each of these functions, it checks whether the registry keys and values targeted by each operation are protected by the stealth command and whether the caller is an exempt process. Depending on these conditions, it may return values such as STATUS_ACCESS_DENIED or STATUS_NOT_FOUND, causing errors to occur upon performing lookups or making modifications impossible.

Figure 18. List of registry operations targeted for monitoring

2.2. Hidden Rootkit of HiddenGh0st

HiddenGh0st creates the rootkit file contained in the DATA section under the path “%SystemDirectory%driversQAssist.sys”. Depending on whether it’s an x86 or x64 architecture, it installs the respective rootkit. Afterward, it registers the created rootkit as the QAssist service, and the driver is loaded using the NtLoadDriver() function.

Figure 19. Routine to set the altitude to 370030

The Hidden rootkit created by HiddenGh0st differs from the original source code in two key ways. The first difference is that the routine responsible for reading and configuring “Hid_StealthMode” is modified, so even if this value is not set, the rootkit activates the hiding feature by default when the driver is loaded. The second difference is that the “Hid_HideImages” setting, which is responsible for hiding processes, is deactivated. Additionally, this matches the Hidden binary uploaded to GitHub, but this is because the process hiding feature was added after the binary compiled by the developer was uploaded.

The data set by HiddenGh0st is IgnoredImages, and since it operates as a service, it designates the service process as an exempt process.

Figure 20. Registered QAssist rootkit service

The initial configuration includes only Hid_IgnoredImages, but the IOCTL command is later used to designate the stealth and exception target. First, the HiddenGh0st malware file and the HiddenGh0st service registered in the registry are added as targets to hide. Then, the HiddenGh0st process is added to the list of exception processes along with the “lsass.exe”, “lsm.exe”, and “audiodg.exe” system processes.

Figure 21. Command to add the LSASS process to the list of exception processes.

3. Conclusion

Typical attacks that target MS-SQL servers include brute force attacks and dictionary attacks to systems where account credentials are poorly being managed. Admins must also use passwords that cannot be easily guessed and change them periodically to protect the database servers from brute force and dictionary attacks.

V3 should be updated to the latest version so that malware infection can be prevented. Administrators should also use security programs such as firewalls for database servers accessible from outside to restrict access by external threat actors. If the above measures are not taken in advance, continuous infections by threat actors and malware can occur.

File Detection
– Malware/Win32.RL_Generic.R356012 (2020.11.22.01)
– Trojan/Win.Generic.C4446276 (2021.04.30.03)
– Malware/Gen.Generic.C3228648 (2019.05.09.04)

Behavior Detection
– Malware/MDP.Behavior.M29
– DefenseEvasion/MDP.Event.M1423


– 69cafef1e25734dea3ade462fead3cc9: HiddenGh0st
– 0d92b5f7a0f338472d59c5f2208475a3: Hidden x86 Rootkit (QAssist.sys)
– 4e34c068e764ad0ff0cb58bc4f143197: Hidden x64 Rootkit (QAssist.sys)

– leifenghackyuankong.e3.luyouxia[.]net:14688

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Source: https://asec.ahnlab.com/en/57185/