1. Home
  2. Software
  3. gh0st RAT

gh0st RAT

gh0st RAT is a remote access tool (RAT). The source code is public and it has been used by multiple groups.[1][2][3]

ID: S0032
Associated Software: Mydoor, Moudoor
Type: MALWARE
Platforms: Windows, macOS
Version: 3.2
Created: 31 May 2017
Last Modified: 06 February 2024

Associated Software Descriptions

Name Description
Mydoor

[4]
Moudoor

[4]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

gh0st RAT has added a Registry Run key to establish persistence.[3][5]
Enterprise T1059 Command and Scripting Interpreter

gh0st RAT is able to open a remote shell to execute commands.[1][3]
Enterprise T1543 .003 Create or Modify System Process: Windows Service

gh0st RAT can create a new service to establish persistence.[3][5]
Enterprise T1132 .001 Data Encoding: Standard Encoding

gh0st RAT has used Zlib to compress C2 communications data before encrypting it.[5]
Enterprise T1140 Deobfuscate/Decode Files or Information

gh0st RAT has decrypted and loaded the gh0st RAT DLL into memory, once the initial dropper executable is launched.[5]
Enterprise T1568 .001 Dynamic Resolution: Fast Flux DNS

gh0st RAT operators have used dynamic DNS to mask the true location of their C2 behind rapidly changing IP addresses.[5]
Enterprise T1573 Encrypted Channel

gh0st RAT has encrypted TCP communications to evade detection.[5]
.001 Symmetric Cryptography

gh0st RAT uses RC4 and XOR to encrypt C2 traffic.[3]
Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

A gh0st RAT variant has used DLL side-loading.[2]
Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

gh0st RAT is able to wipe event logs.[1][5]
.004 Indicator Removal: File Deletion

gh0st RAT has the capability to to delete files.[1][5]
Enterprise T1105 Ingress Tool Transfer

gh0st RAT can download files to the victim’s machine.[3][5]
Enterprise T1056 .001 Input Capture: Keylogging

gh0st RAT has a keylogger.[6][5]
Enterprise T1112 Modify Registry

gh0st RAT has altered the InstallTime subkey.[5]
Enterprise T1106 Native API

gh0st RAT has used the InterlockedExchange, SeShutdownPrivilege, and ExitWindowsEx Windows API functions.[5]
Enterprise T1095 Non-Application Layer Protocol

gh0st RAT has used an encrypted protocol within TCP segments to communicate with the C2.[5]
Enterprise T1057 Process Discovery

gh0st RAT has the capability to list processes.[1]
Enterprise T1055 Process Injection

gh0st RAT can inject malicious code into process created by the "Command_Create&Inject" function.[5]
Enterprise T1012 Query Registry

gh0st RAT has checked for the existence of a Service key to determine if it has already been installed on the system.[5]
Enterprise T1113 Screen Capture

gh0st RAT can capture the victim’s screen remotely.[3]
Enterprise T1129 Shared Modules

gh0st RAT can load DLLs into memory.[5]
Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

A gh0st RAT variant has used rundll32 for execution.[2]
Enterprise T1082 System Information Discovery

gh0st RAT has gathered system architecture, processor, OS configuration, and installed hardware information.[5]
Enterprise T1569 .002 System Services: Service Execution

gh0st RAT can execute its service if the Service key exists. If the key does not exist, gh0st RAT will create and run the service.[5]

Groups That Use This Software

ID Name References
G0062 TA459

TA459 has used a Gh0st variant known as PCrat/Gh0st.[7]
G0096 APT41

[8]
G0011 PittyTiger

[9][10]
G0001 Axiom

[11][4]
G0027 Threat Group-3390

[12]
G0065 Leviathan

[13]
G0026 APT18

[14]
G0126 Higaisa

[15]
G0138 Andariel

[16]
G1023 APT5

[17]

Campaigns

ID Name Description
C0016 Operation Dust Storm

[18]

References

  1. FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016.
  2. Sabo, S. (2018, February 15). Musical Chairs Playing Tetris. Retrieved February 19, 2018.
  3. Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.
  4. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  5. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
  6. Alintanahin, K. (2014, March 13). Kunming Attack Leads to Gh0st RAT Variant. Retrieved November 12, 2014.
  7. Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.
  8. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  9. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Pernet, C. (2014, July 11). Eye of the Tiger. Retrieved September 29, 2015.
  1. Villeneuve, N., Homan, J. (2014, July 31). Spy of the Tiger. Retrieved September 29, 2015.
  2. Esler, J., Lee, M., and Williams, C. (2014, October 14). Threat Spotlight: Group 72. Retrieved January 14, 2016.
  3. Counter Threat Unit Research Team. (2019, February 27). A Peek into BRONZE UNION’s Toolbox. Retrieved September 24, 2019.
  4. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
  5. Adair, S. (2017, February 17). Detecting and Responding to Advanced Threats within Exchange Environments. Retrieved March 20, 2017.
  6. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.
  7. AhnLab. (2018, June 23). Targeted attacks by Andariel Threat Group, a subgroup of the Lazarus. Retrieved September 29, 2021.
  8. Secureworks CTU. (n.d.). BRONZE FLEETWOOD. Retrieved February 5, 2024.
  9. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.