Rewterz Threat Alert – A New Gh0st RAT Malware Variant Targets South Korea and Uzbekistan – Active IOCs

Severity

High

Analysis Summary

The notorious Gh0st RAT malware has been identified with a new variant dubbed “SugarGh0st RAT” used in recent cyber campaigns targeting the Ministry of Foreign Affairs in Uzbekistan and South Korean individuals.

Gh0st RAT was first released on the public web by a Chinese group called “C.Rufus Security Team” in March 2008 and is still active to this day in the form of modified versions. A group linked to China started distributing a modified variant of Gh0st RAT called “SugarGh0st RAT”.

“There are several variants of Gh0st RAT in the threat landscape, and it remains a preferred tool for many Chinese-speaking actors, allowing them to conduct surveillance and espionage attacks,” the cybersecurity researchers stated.

According to the researchers, the threat actors use Windows shortcuts laced with JavaScript to drop the malware while distracting their victims using decoy documents. The malware itself is still mostly the same in its code, but it now has new features to evade detection from antivirus software.

Four samples of SugarGh0st were most likely delivered through phishing. They were injected into the targeted systems as archive files embedded with Windows LNK shortcut files. The LNK files have hidden malicious JavaScript which drops a decoy document containing content that is especially targeted for Korean or Uzbek government individuals and the payload upon opening them.

SugarGh0st is an espionage malware featuring multiple tools and a 32-bit dynamic link library (DLL) written in C++. It starts the attack by harvesting system data and then makes a backdoor for full remote access capabilities. Threat actors use SugarGh0st to get information on the compromised system and start, delete, and terminate any running processes. The backdoor also comes with a keylogger, the ability to access the device’s camera, a screenshotter, and many other useful functions.

The most concerning thing in this development is that the newest variant is designed especially to evade previous detection methods, meaning that the threat group made the effort to change the way the core detection would work. SugarGh0st has a different command-and-control (C2) communication protocol so that the network packet headers reserve the first 8 bytes instead of 5 bytes.

Gh0st RAT has targeted many high-profile victims in the past. In September 2008, the employees in the office of the Dalai Lama received many phishing emails and their Microsoft applications crashed without any explanation. Another instance was Microsoft Outlook being opened on its own, having documents attached to an email, and then being sent to various email addresses without any human input.

Impact

• Unauthorized Access
• Sensitive Information Thef

Indicators of Compromise

MD5

• 27ce72f35709ec9898c57f1c4ea7324e
• e0cd08754753bd540bcdf62fa1733bff
• 782b8a96d3f80dd562b538af12233cc3
• e11f6b3f3298ebbb86885559266feb7b
• 996580c90c5efe2a727d22a77b7e69eb
• 8dea867b72374fad43cc301d9af5a24b
• cfe4a2fc19b77dea154c106918dcc1a3
• ecf6bffdc0358525bc2ab7dd7eed6b9e
• 77afbb6a6b85eecaad65d15e066476ec
• 4dac23960a5dc7377d684773a82c26ba

SHA-256

• 8584094f79fce97321ee82ca5da41b6830ecc6a0921bcaddb8dd337827cd7d1a
• 3436135bb3839521e7712882f0f6548aff78db66a1064408c49f820a0b85d980
• c758eed6660786097b63ac6748236b5b6084783703ea7ee2111e8f0bcaa3652e
• 6dff111b6adc9e33bed20eae99bec779f1c29dd55895a71125cfbe3c90950eb2
• 7c87451261dfce64fda987eb395694b5330fd958466c46c931440cd9dc227505
• ddac61f918ed87b49ef15d05873e7f52b919758aef713145f6a7d538c714fa2e
• f3ea4611c72d57eabf381d5639c3c8d1840cb005ed811f3038410fb2e04978c1
• 9d9a0af09fc9065bacabf1a193cad4386b5e8e5101639e07efa82992b723f3b0
• 38c815729f34aef6af531edf3f0c3f09635686dbe7e5db5cb97eca5b2b5b7712
• 2e543adb701afd40affcb4c51bd8246398b0210bee641ca9aeffcca893c9e4a5

SHA-1

• 2757b9108308be6ce8ea00fbf629224cbafb2a5c
• 27c089afffd705a6aa2c405c253273f6fa64e8b5
• 55078ff881ca0e3e1e07a271671fb8f8f8d71f87
• 4f622f871ad7d0d3b359d2554b4a9bb853459f16
• c6c65bf93081e4af6dcf24cb6be6cbd533eaa415
• 15f433e7c5618551b3488bdd347042277ca22f44
• 3a4eb198f5a671ef38a646485f7390e1d5c3edaa
• 4fb249a7fbffeb32a730e2b491b1c5c42a131d73
• d087874940617cab3254f09389806d03a1336e31
• 5f883ab9efbee14a8c7645e32137c81689957067

Domain Name

• account.drive-google-com.tk
• login.drive-google-com.tk

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets
• Patch and upgrade any platforms and software timely and make it into a standard security policy.
• Employ network intrusion detection and prevention systems to monitor and block malicious network activities.
• Implement network segmentation to limit lateral movement for attackers within the network. 
• Implement advanced email filtering to detect and block phishing emails.
• Employ updated and robust endpoint protection solutions to detect and block malware.
• Develop and test an incident response plan to ensure a swift and effective response to security incidents.
• Enhance logging and monitoring capabilities to detect anomalous activities and unauthorized access.
• Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
• Regularly back up critical data and ensure that backup and recovery procedures are in place.