The Gh0st malware is a widely used remote administration tool (RAT) that originated in China in the early 2000s. It has been the subject of many analysis reports, including those describing targeted espionage campaigns like Operation Night Dragon and the GhostNet attacks on Tibet. Musical Chairs is a multi-year campaign which recently deployed a new variant Gh0st we’ve named “Piano Gh0st.”
Our evidence suggests the actors behind these attacks have been operating for over five years and have maintained a single command and control server for almost two. They use compromised e-mail accounts to distribute their malware widely and their targeting appears opportunistic rather than specific.
The overall motivation of this campaign is unclear at this time. Gh0st is very versatile as it allows an adversary to take complete control over the infected system including installing additional malware.
Tracking the Gh0st
Using Palo Alto Networks AutoFocus we have identified Gh0st variants associated with Musical Chairs leading back to mid 2013. The source code and building tools for Gh0st are available freely on the web; anyone who is so inclined can build their own version of the malware. The way researchers differentiate between most variants is based on their “magic tag.”
Gh0st uses a custom TCP protocol to connect to a command and control (C2) server and retrieve instructions from the attacker. The malware identifies itself to the server by sending a string of characters (the magic tag), which the server repeats back to confirm the connection (See Figure 1.)
In the original version this string was “Gh0st” but in subsequent versions many different strings are used. These strings, along with the actual location of the command and control server (domain and/or IP address) allow us to associate various Gh0st samples with a single attacker or group. In 2011, Norman released a paper that showed many clusters of Gh0st samples that were connected based on these tags.
Figure 1. Gh0st “magic tag” value sent over custom TCP protocol
Using these tags in the network traffic, the command and control infrastructure and other characteristics of the attacks, we have grouped together a series of attacks into the one campaign, named Musical Chairs.
The functionality of Gh0stRat (3.6) is well documented by multiple sources and is summarized below:
- Remote terminal access
- Remote audio and video access
- File management
- Remote file download and execution
- Process explorer and additional system enumeration capabilities
- GUI interaction (remote control)
- Self Update
- Reset of SSDT to remove existing hooks
Spreading the Gh0st
The Gh0st variants used in the Musical Chairs campaign are distributed using phishing e-mails. The threat actors behind the attacks use a “shotgun” approach, blasting e-mails to as many recipients as possible in hopes of tricking a small percentage of targets into opening the attack. The attackers generally do not rely upon any vulnerability exploitation, and instead rely on the user to open the attached executable to compromise their system. Additionally, the phishing messages are sent from US-based residential ISP e-mail addresses. The accounts themselves appear to be legitimate, and are likely also compromised by this actor. In many cases the phishing e-mails are sent indiscriminately to all e-mail addresses in an infected user’s address book, including “no-reply” addresses a human operator would know to ignore.
While Gh0st itself does not have built in e-mailing components, it is also possible that an additional payload is responsible for the propagation via e-mail.
The following list contains known filenames of attachments used in the delivery stage of the Musical Chairs campaign:
- “Pleasantly Surprised.exe”
- “Beautiful Girls.exe”
- “Sexy Girls.exe”
- “gift card.exe”
- “amazon gift card.pdf.exe”
The subject of the e-mails carrying these files typically matches the filename itself and does not contain any sophisticated attempts at social engineering. The attacks detected thus far by Palo Alto Networks WildFire have been exclusively in the United States and do not appear to target any particular industry.
The infrastructure used in Musical Chairs stands out primarily due to its longevity and use of multiple Gh0st command servers on the same host. At the center of the infrastructure for the last two years is a Windows 2003 server using the IP address 220.127.116.11. The server uses a US-based IP address, but displays a Chinese language interface for Remote Desktop connections.
Figure 2. Chinese language Windows Server 2003 login banner on Gh0st C2
Thus far Unit 42 has identified 32 different Gh0st samples connecting to this server dating back to July of 2013. The Gh0st C2 software operates on Windows and allows the attacker to specify which port it should listen on for connections from infected systems. The attacker may host multiple Gh0st C2s on this server at one time, or may change the hosting TCP port very frequently. The 32 samples we have identified connect to 19 different TCP ports.
|First Seen||Gh0st TCP Port|
While 18.104.22.168 is the longest standing command and control server, it is not the only server used by Musical Chairs. The malware typically finds this server using a domain that is registered by the attacker and the registration information used by these C2 domains has allowed us to identify additional infrastructure used in these attacks.
Figure 3. Diagram of relationships between Musical Chairs C2 domains and related infrastructure
These many related domains put the approximate start date of this campaign in 2010. The earliest versions of the attacks we’ve found are still visible in e-mail groups and public Facebook postings. Figure 4 shows an e-mail with the subject “my girlfriend’s self-view video” that contains a link to an executable hosted on nvzm.info, one of the domains associated with the Musical Chairs infrastructure.
Figure 4. Screenshot of e-mail linking to nvzm[.]info using a “self-view video” theme.
The image below shows a Facebook post from 2012 with a similar theme and a different link to a URL that is also part of the same infrastructure map.
Figure 5. Screenshot of Facebook posting including a different “video” theme.
Finally, we located a user who posted to the Gmail Help forum in 2010 requesting assistance with ridding their system of malware. He states that all of his contacts received one of the “self-view” phishing e-mails after his system was compromised.
Figure 6. Screenshot of request on Gmail help forums related to “self-view” video e-mails.
While we have not been able to identify the specific malware used to distribute these spam messages, the infrastructure and the themes used in the e-mails connect them directly back to Musical Chairs happening this year.
In July, Musical Chairs began deploying a new variant of Gh0st, which we’ve named “Piano Gh0st.” This variant uses a new wrapper file to hide the Gh0st payload. The files are delivered as a self-extracting executable (SFW) that acts as the dropper. It is responsible for extracting its payload to “c:\microsoft\lib\ke\Piano.dll” and executes the “mystart” function within the DLL’s export address table (EAT) using rundll32.exe.
Figure 7. Screenshot of calls observed by Palo Alto Wildfire from within the AutoFocus interface.
The “Piano.dll” file itself has very little functionality other than decrypting, loading and running an embedded DLL. It decrypts the embedded DLL using the Blowfish symmetric cipher with a simple key consisting of the character "y". “Piano.dll” proceeds to load the newly decrypted DLL manually and calls the exported function "my start". The decrypted DLL has the following attributes:
Type: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Size: 148008 bytes
Compiled: 2015-07-14 02:11:32
This embedded DLL is the actor Gh0stRat Trojan, specifically version 3.6. The following debugging path is found within the DLL, which suggests the individual who compiled this DLL has a Chinese language pack (GB2312 specifically) installed:
C:\Documents and Settings\Administrator\桌面\GetRawInputData_dlll键盘记录版_win7bug改_网络验证_Mutext_LSPlayer_20150708\gh0st3.6\Server\svchost\Release\
The Trojan maintaings persistence on the infected system by creating an entry in the registry at “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” with the key “nvidiake” and value “c:\microsoft\lib\ke\vv.js”, as seen in Figure 8.
Figure 8. AutoFocus view of registry key modifications made by Piano Gh0st to maintain persistence through system reboots
new ActiveXObject('Wscript.Shell').Run('cmd /c c:\\microsoft\\lib\\ke\\vvv.bat',0);
The ‘vvv.bat’ file is a batch file that executes the Piano.dll payload in the same way as the initial dropper, using “rundll32.exe” to call the “mystart” exported function, as seen in the following:
rundll32.exe c:\microsoft\lib\ke\Piano.dll mystart
After setting up the registry keys for persistence, the Gh0stRat sample begins communicating with its command and control server using a custom network protocol. The magic tag used by this version of Gh0st is “clarkclar1” as seen in Figure 9. This variant also communicated with a command and control server using the domain www.meitanjiaoyiwang[.]com, which is hosted by 22.214.171.124 on tcp port 200.
Figure 9. Screenshot of Piano Gh0st variant using the “clarkclar1” magic tag.
Detection and Prevention
Palo Alto Networks WildFire detected the Gh0st malware, including the Piano Gh0st variant, as malicious based on the behavior the attack files exhibit on an infected system.
Additionally, we have deployed threat prevention signatures to detect Piano Gh0st alongside our previously deployed signatures for earlier Gh0st variants. AutoFocus users can find more information about this threat using the MusicalChairs tag.
The following indicators identify attacks using Piano Gh0st and the Musical Chairs campaign.
|filename||amazon gift card.pdf.exe|