U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Musical Chairs: Multi-Year Campaign relying on the Gh0st RAT

Security experts at Paloalto Networks have uncovered a multiyear espionage campaign dubbed Musical Chairs Involving New Variant of Gh0st RAT Malware. The Gh0st RAT malware is a popular remote administration tool (RAT) created in China in the early 2000s that was used in a number of cyber espionage operations. Targeted espionage operations on Tibetan activists, including the Operation Night Dragon and the GhostNet attacks, […]

Musical Chairs: Multi-Year Campaign relying on the Gh0st RAT

Security experts at Paloalto Networks have uncovered a multiyear espionage campaign dubbed Musical Chairs Involving New Variant of Gh0st RAT Malware.

The Gh0st RAT malware is a popular remote administration tool (RAT) created in China in the early 2000s that was used in a number of cyber espionage operations. Targeted espionage operations on Tibetan activists, including the Operation Night Dragon and the GhostNet attacks, relied on the Ghost RAT to compromise the victims’ machines.

The source code of the Gh0st RAT malware is available on the Internet for free, this means that bad actors can customize and use it.

The threat actor behind the Musical Chairs recently deployed a new variant Gh0st RAT malware dubbed by the expert the “Piano Gh0st.” The researchers at Paloalto speculate that the actors behind these campaigns have been operating for over five years and used a single command and control server for almost two.

“Our evidence suggests the actors behind these attacks have been operating for over five years and have maintained a single command and control server for almost two. They use compromised e-mail accounts to distribute their malware widely and their targeting appears opportunistic rather than specific.” states a report published by Paloalto.

The infrastructure used in Musical Chairs stands out due to its longevity, attackers used the same machine to host multiple Gh0st RAT C&C servers.

“At the center of the infrastructure for the last two years is a Windows 2003 server using the IP address 98.126.67.114.  The server uses a US-based IP address, but displays a Chinese language interface for Remote Desktop connections.”

The researchers differentiate the different variants of the Gh0st RAT malware by analyzing their “magic tag”, which is a code sent by the malware to the C&C server to identify itself. The original version of Gh0st RAT was using “Gh0st” as magic tag.

musical chairs Gh0st RAT magic tag

The bad actors behind the Musical Chairs campaign spread the Gh0st RAT malware using phishing e-mails as the attack vector. The messages are sent from US-based residential ISP e-mail addresses, the threat actors compromised legitimate accounts and the malicious emails are sent indiscriminately to all addresses in the victims’ address book.

“The threat actors behind the attacks use a “shotgun” approach, blasting e-mails to as many recipients as possible in hopes of tricking a small percentage of targets into opening the attack. The attackers generally do not rely upon any vulnerability exploitation, and instead rely on the user to open the attached executable to compromise their system.” continues the report.

The attackers used the following filenames of attachments in the Musical Chairs campaign:

  • “Pleasantly Surprised.exe”
  • “Beautiful Girls.exe”
  • “Sexy Girls.exe”
  • “gift card.exe”
  • “amazon gift card.pdf.exe”

In July, Musical Chairs began deploying a the Piano Gh0st variant which used a new wrapper file to hide the Gh0st RAT malware.

The malicious components are served as a self-extracting executable (SFW) that operates as the dropper and extracts its payload to “c:\microsoft\lib\ke\Piano.dll” and executes the “mystart” function within the DLL’s export address table (EAT) using rundll32.exe.

The experts still have no information on the motivation of this campaign.

Enjoy the report!

Pierluigi Paganini

(Security Affairs – Musical Chairs campaign, encryption)