A recent cyber security report has uncovered a cyber-espionage campaign targeting Chinese Windows users, in which the Gh0stGambit dropper and the Gh0st RAT trojan are combined in a sophisticated drive-by download scheme.

Description

The attack starts with a deceptive installer package posing as legitimate software on a fake website (“chrome-web[.]com”) [1] [2] [4], tricking users into downloading malware disguised as Google Chrome [4]. The installer bundles a legitimate Chrome setup executable with a malicious installer (“WindowsProgram.msi”) that launches shellcode to load Gh0stGambit [2] [9]. Once executed, Gh0stGambit deploys Gh0st RAT [4] [9], giving the threat actors remote access to the victim machine.

The attack proceeds in multiple stages [8]. The Gh0stGambit dropper first checks for anti-malware and other security software [2] [8], then connects to a command-and-control (C2) server to retrieve Gh0st RAT in encrypted form [2] [8], disguised as the Registry Workshop application [8].

Gh0st RAT has capabilities such as process killing [9], file wiping [9], audio and screenshot capture [9], remote command execution [3] [6] [7] [9], keylogging [1] [6] [7] [9], and data theft [3] [6] [9], making it a versatile tool for cyber espionage [9]. The observed variant can also drop Mimikatz [2], enable RDP [1] [2] [8], access Tencent QQ account identifiers [1] [2] [8], and erase data from various browsers [1] [2] [8]. This silent threat requires no user interaction beyond visiting the compromised site [4], which makes it difficult to detect.

Separately, Symantec has observed an increase in phishing campaigns that use large language models to deliver multiple payloads [3], including RATs such as NetSupport and LokiBot [3].

To mitigate the risk [4] [6], users should avoid suspicious websites [4], keep software updated [4], implement multi-layered security defenses [4], and be educated about current cyber threats [4]. Preventative measures also include continuous security training and awareness programs that teach users to recognize such schemes [9].

Conclusion

The new cyber threat targeting Chinese Windows users [4] [5], in which Gh0st RAT is distributed through a deceptive dropper called Gh0stGambit hosted on the fake website “chrome-web[.]com” [5], highlights the importance of ongoing cybersecurity training and vigilance against threats like Gh0st RAT [5]. Stay informed and practice caution online to protect against evolving cyber threats [4].

References

[1] https://thehackernews.com/2024/07/gh0st-rat-trojan-targets-chinese.html
[2] https://www.redpacketsecurity.com/gh0st-rat-trojan-targets-chinese-windows-users-via-fake-chrome-site/
[3] https://indoguardonline.com/2024/07/29/the-gh0st-rat-trojan-targets-chinese-windows-users-via-a-spoofed-chrome-site/
[4] https://www.krofeksecurity.com/how-to-protect-against-gh0st-rat-trojan-targeting-chinese-windows-users/
[5] https://blog.tecnetone.com/sitio-falso-de-chrome-distribuye-gh0st-rat-a-usuarios-de-windows
[6] https://www.portalcascais.pt/o-malware-gh0st-rat-ataca-os-usuarios-disfarcando-se-de-um-falso-instalador-do-chrome/
[7] https://www.dailysecu.com/news/articleView.html?idxno=158123
[8] https://gridinsoft.com/blogs/ghost-rat-attacks-chinese-users/
[9] https://www.timesofai.com/news/gh0st-rat-trojan-strikes-again-fake-chrome-site-targets-chinese-users/