Key Points
- Gh0stGambit is an evasive dropper used to retrieve and execute an encrypted Gh0st RAT payload.
- Infection occurs via drive-by download, with a Chrome installer named ChromeSetup.msi masquerading as legitimate software.
- The ChromeSetup.msi contains a legitimate Chrome installer and a malicious loader (WindowsProgram.msi) and drops files under a hidden "Windows Defenderr" directory.
- The dropper decrypts and decompresses the next-stage payload (Gh0stGambit Dropper) and proceeds to establish persistence and defense evasion.
- Gh0stGambit uses registry entries, drive mappings, and L drive associations to conceal activity and achieve startup persistence.
- Gh0st RAT capabilities include credential access (Chrome passwords), keylogging, screen capture, remote command execution, rootkit-based concealment, and data exfiltration.
MITRE Techniques
- [T1189] Drive-by Compromise – Drive-by download of malicious installer masquerading as a legitimate application. “The initial payload arrived via drive-by download when the user searched for Chrome on the internet and attempted to download a Chrome installer named ChromeSetup.msi (MD5: af2debe45edd4a10a07b2afeec81bf87) from chrome-web[.]com (Figure 1).”
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – Gh0stGambit creates registry entries to ensure Gh0st RAT runs at startup. “Gh0stGambit sets up a new registry entry under “HKEY_CLASSES_ROOT\.VT” that defines .VT as a recognized file type. The default value is set to “NNLPS”, which serves as an identifier linking the extension. Another key under “HKEY_CLASSES_ROOT\NNLPS\shell\open\command” is then configured to specify what action should be taken when a .VT file is opened.”
- [T1068] Exploitation for Privilege Escalation – Running processes with elevated privileges. “Run the process with elevated privileges.”
- [T1562.001] Defense Evasion: Hide Artifacts – Rootkit to conceal artifacts. “Gh0st RAT includes an embedded rootkit (MD5: 1e7dccdacced54c5d3515c2d6f5b9f00) that conceals registry keys, processes, files, and directories.”
- [T1003] Credential Access – Chrome passwords extraction. “Display: Extract Chrome passwords” and “fnGetChromeUserInfo” accesses Chrome data.
- [T1071.001] Web Protocols – C2 communications over web protocols to retrieve payloads. “Next, it connects to the C2, in our example, at hxxp://pplilv.bond/d4/107.148.73[.]225/reg32 and retrieves an encrypted file…”
- [T1041] Exfiltration – Data exfiltration and remote command execution. “Data exfiltration through various means, including remote command execution and data collection.”
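As an added defender-side example (not code from the eSentire report), the following Python parses a registry export and flags file-extension associations like the .VT → NNLPS → shell\open\command chain quoted above whose handler executable lives outside trusted system directories. The sample .reg text and the handler path under the hidden directory are constructed for illustration.

```python
import re

# Constructed sample .reg export: one benign association (.txt) and one
# modelled on the Gh0stGambit technique (.VT -> NNLPS -> shell\open\command).
# The handler path is an assumption for illustration, not a value from the report.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\.VT]
@="NNLPS"

[HKEY_CLASSES_ROOT\NNLPS\shell\open\command]
@="\"C:\\Windows Defenderr\\Phone.exe\" \"%1\""
'''

# Directories from which an extension handler is normally launched (lowercase).
TRUSTED_DIRS = ("c:\\windows\\", "%systemroot%\\",
                "c:\\program files\\", "c:\\program files (x86)\\")

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, _, raw = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if raw.startswith('"') and raw.endswith('"'):
                # .reg string data escapes backslashes and double quotes
                keys[current][name] = re.sub(r'\\(["\\])', r'\1', raw[1:-1])
    return keys

def suspicious_associations(keys):
    """Return (extension, progid, exe) for open handlers outside TRUSTED_DIRS."""
    findings = []
    for key, values in keys.items():
        if not key.startswith("HKEY_CLASSES_ROOT\\."):
            continue  # only extension keys such as HKEY_CLASSES_ROOT\.VT
        ext, progid = key.split("\\", 1)[1], values.get("(Default)", "")
        cmd = keys.get(f"HKEY_CLASSES_ROOT\\{progid}\\shell\\open\\command", {}).get("(Default)", "")
        exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]
        if exe and not exe.lower().startswith(TRUSTED_DIRS):
            findings.append((ext, progid, exe))
    return findings

def scan(text=SAMPLE_REG):
    return suspicious_associations(parse_reg(text))

if __name__ == "__main__":
    for ext, progid, exe in scan():
        print(f"[!] {ext} -> {progid} -> {exe}")
```

Run against a live export (`reg export HKCR hkcr.reg`) to hunt for similar custom-extension handlers pointing at user-writable or hidden paths.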
Indicators of Compromise
- [File hash] ChromeSetup.msi – af2debe45edd4a10a07b2afeec81bf87, WindowsProgram.msi – 4bf494f15fcc172b98abeb5a02ecffed
- [Domain] hacker.heikeniubi.buzz, 87df223265.cyou
- [URL] chrome-web[.]com (malicious Chrome installer page), http://pplilv.bond/d4/107.148.73[.]225/reg32, http://pplilv.bond/d4/107.148.73[.]225/code32
- [IP] 107.148.73.225
- [File Name] Phone.exe, One Drive.vt
- [File Hash] fc6993a5498a7af0eab9899d86e393e5 (shellcode), 778d517a9de9b93f02e92602f1cfcd6c (malicious loader)
- [DLL] CHROMEUSERINFO.dll – 82408e48f97f6c41b825b97a2e026831
Read more: https://www.esentire.com/blog/a-dropper-for-deploying-gh0st-rat