GhostRAT (also written Gh0st RAT) is a family of Windows backdoors, or more accurately remote administration tools (RATs), used to gain control of the computer it infects. It is the Trojan horse that the operators of GhostNet used to break into many sensitive computer networks, and it remains a popular example of a Remote Access Trojan used by attackers to control infected endpoints. Microsoft Defender Antivirus detects it as Trojan:Win32/GhostRAT.
👻 RAT (Remote Access Trojan) – Silent Botnet – Full Remote Command-Line Access – Download & Execute Programs – Spread Viruses & Malware

ghost is a lightweight RAT that gives the server (the attacker) full remote access to the user's command-line interpreter (cmd.exe). The attacker can execute commands silently, without the client (the "zombie") noticing, and can download and execute files on the zombie's computer, again as a silent, hidden process. As with most remote access trojans, this download-and-execute ability is what makes it usable for distributing viruses and other malware.

Features:
- Remote command execution
- Silent background process
- Download and run file (hidden)
- Safe Mode startup
- Automatically connects to the server
- Data sent and received is encoded with a substitution cipher
- Files are hidden
- Installed antivirus is reported to the server
- Easily spread malware through the download feature
- Startup entry does not show in msconfig or other startup-checking programs such as CCleaner
- Disables Task Manager

A substitution cipher is obfuscation rather than encryption: every plaintext byte always maps to the same ciphertext byte, so anyone holding a packet capture and a small amount of guessable traffic can recover the table and read the session.

When successfully started, the zombie adds itself to the start-up pool and runs silently in the background, repeatedly trying to connect to the server. This process does not hog memory or CPU: the zombie simply idles in the background and, whenever the server is up, connects automatically.

Zombie: the malware is distributed simply by running zombie.exe. The file name can be changed to anything; there is no restriction. When run, it reads its first two command-line arguments (IP and port). If either is missing, the program does not run, so make sure you pass the server's IP and port as command-line arguments. Example:

Server: when starting the server, it prompts you for a listening port. This is the port you pass on the command line to zombie.exe. Once you provide the port, your server information is displayed and the menu appears. The IP address shown is your external IP, so a client/zombie that is actively looking at and tracking open connections can see it; if you want to stay anonymous, run the server from a remote location. If that does not interest you, simply renaming zombie.exe and/or changing its assembly information with a tool will likely fool the client/zombie.

Note: This project was only made for education purposes and to test out my recently published repositories (ahxrlogger & ahxrsocket). If you choose to use this for malicious reasons, you are completely responsible for the outcome.
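The feature list above describes the traffic as "encrypted" with a substitution cipher. The following added example is not code from the ghost project or its author; the 256-byte permutation is a constructed stand-in for whatever table the project actually uses, since the page does not give it, and the captured commands are constructed too. It shows the two properties a defender cares about: the same plaintext byte always produces the same ciphertext byte, and one captured command whose plaintext can be guessed (here a `whoami /all` line) recovers enough of the table to read other traffic.

```python
import random
from typing import Dict, Iterable, Tuple

# Constructed stand-in for the project's substitution cipher (the page gives no table):
# a fixed permutation of all 256 byte values, applied byte by byte in both directions.
def make_table(seed: int) -> bytes:
    perm = list(range(256))
    random.Random(seed).shuffle(perm)
    return bytes(perm)


def invert_table(table: bytes) -> bytes:
    inv = [0] * 256
    for plain, cipher in enumerate(table):
        inv[cipher] = plain
    return bytes(inv)


def substitute(data: bytes, table: bytes) -> bytes:
    """Apply the table; with the inverse table this is also the decrypt routine."""
    return data.translate(table)


def distinct_ciphertext_bytes(data: bytes, table: bytes) -> int:
    """Number of distinct byte values in the ciphertext. It equals the plaintext's count,
    so repeated characters, CRLF line endings and shell keywords stay visible in a capture."""
    return len(set(substitute(data, table)))


def recover_mapping(pairs: Iterable[Tuple[bytes, bytes]]) -> Dict[int, int]:
    """Known-plaintext attack: each (plaintext, ciphertext) pair seen on the wire fixes the
    table entry for every byte it contains. Raises if the pairs contradict a simple
    substitution, which would tell the analyst a different cipher is in use."""
    mapping: Dict[int, int] = {}
    for plain, cipher in pairs:
        if len(plain) != len(cipher):
            raise ValueError("substitution keeps length; pair lengths differ")
        for p, c in zip(plain, cipher):
            if mapping.setdefault(c, p) != p:
                raise ValueError("ciphertext byte maps to two plaintexts: not a substitution")
    return mapping


def decrypt_partial(cipher: bytes, mapping: Dict[int, int]) -> str:
    """Decode with whatever entries are known so far; unknown bytes are shown as '?'."""
    return "".join(chr(mapping[c]) if c in mapping else "?" for c in cipher)


if __name__ == "__main__":
    table = make_table(7)  # the "key"; seed chosen arbitrarily for the demo
    # Constructed traffic: one command whose plaintext the analyst can guess, then a second one.
    known_plain = b"whoami /all\r\n"
    captured = [substitute(known_plain, table), substitute(b"hostname\r\n", table)]
    mapping = recover_mapping([(known_plain, captured[0])])
    print("recovered table entries:", len(mapping))
    print("second command, partial :", decrypt_partial(captured[1], mapping))
    print("second command, full    :", substitute(captured[1], invert_table(table)))
```

Every additional command the analyst can guess (dir, ipconfig, the CRLF that ends each line) fills in more of the table; because the mapping never changes, one session's recovered entries decrypt every later session that uses the same build.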
Gh0st RAT is a Windows-based Remote Access Trojan. Its capabilities include keystroke logging, disabling the infected machine's mouse pointer and keyboard input, downloading binaries to the infected host, listing all active processes, activating the system's microphone and webcam, shutting down and rebooting the host, and taking full control of the infected device's screen.
What are its targets?
Gh0st RAT primarily targets government agencies, embassies, foreign ministries, and other government and military offices across Southern and Southeastern Asian countries, with a particular focus on the exiled Tibetan government and the Dalai Lama.
Gh0st RAT distributed via a spear phishing campaign
In June 2013, Gh0st RAT was distributed via a spear phishing campaign purporting to come from the Taiwan Bureau of National Health Insurance. The phishing emails contained a malicious link that redirected users to a phishing page, from which an official-looking RAR archive was downloaded. Opening that archive installed and executed Gh0st RAT.
EternalBlue exploit used to distribute Gh0st RAT
In June 2017, attackers leveraged the EternalBlue exploit against Microsoft's Server Message Block (SMB) protocol to distribute Gh0st RAT. The Gh0st RAT sample observed in this attack was signed with a digital certificate purporting to belong to the Beijing Institute of Science and Technology Co., Ltd.
Daserf malware linked with Gh0st RAT
Tick threat group’s Daserf malware has been observed sharing its infrastructure with the backdoors Invader and Minzen, the trojans Gh0st RAT and 9002 RAT, and the downloader HomamDownloader. Furthermore, Daserf has also shared cipher code with Gh0st RAT.
Vulnerabilities found in Gh0st RAT
Security researchers found a flaw in Gh0st RAT's file-transfer logic that a victim could turn against the operator. When a file is transferred from the victim's machine to the attacker's server, the server side does not validate that the attacker actually requested that file. A victim could therefore deliberately push a file of their own choosing onto the attacker's infrastructure and, with it, install a backdoor on the attacker's server.
In February 2018, an attack campaign dubbed 'Operation PZChao' targeted government agencies and the technology, education, and telecommunications sectors in Asia and the United States. The campaign dropped a Bitcoin miner and two versions of Mimikatz before delivering its final payload, a modified version of Gh0st RAT.
Updated Gh0st RAT variant
In 2019, researchers observed an updated Gh0st RAT variant capable of downloading additional malware, clearing event logs, file management, shell command execution, and offline keylogging. This variant also changed its packet header string from 'Gh0st' to 'nbLGX'.
In contrast to previous versions, this variant encrypts the entire TCP segment in order to evade detection, so network signatures keyed on the plaintext header no longer match.
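The header change and whole-segment encryption described above matter because the classic Gh0st frame is easy to fingerprint on the wire. The following added example is mine, not code from Gh0st RAT or from the researchers cited on this page. It frames constructed sample payloads in the widely documented Gh0st 3.x layout (5-byte magic, two little-endian 32-bit lengths, zlib-compressed body) and compares a literal 'Gh0st' signature against a structural check that validates the length fields and zlib stream regardless of the magic. The XOR pass is a constructed stand-in for the variant's encryption, which the page does not specify.

```python
import struct
import zlib

# Classic Gh0st 3.x framing, as documented in public analyses and IDS rules:
#   magic (5 bytes, "Gh0st") | total_len (u32 LE, includes the 13-byte header) |
#   raw_len (u32 LE, uncompressed size) | zlib-compressed command payload
HEADER_LEN = 13
CLASSIC_MAGIC = b"Gh0st"
# "nbLGX" is the replacement header string the page attributes to the 2019 variant.
VARIANT_MAGIC = b"nbLGX"


def build_packet(payload: bytes, magic: bytes = CLASSIC_MAGIC) -> bytes:
    """Frame a payload the way the classic Gh0st client and controller do."""
    body = zlib.compress(payload)
    return magic + struct.pack("<II", HEADER_LEN + len(body), len(payload)) + body


def parse_packet(data: bytes):
    """Return (magic, payload) if `data` is one consistent Gh0st-style frame, else None.

    The structural checks (length fields agree with the segment, body is a valid zlib
    stream of the advertised size) do not depend on the magic string at all.
    """
    if len(data) < HEADER_LEN:
        return None
    magic = data[:5]
    total_len, raw_len = struct.unpack("<II", data[5:HEADER_LEN])
    if total_len != len(data):
        return None
    try:
        payload = zlib.decompress(data[HEADER_LEN:])
    except zlib.error:
        return None
    if len(payload) != raw_len:
        return None
    return magic, payload


def magic_signature_hit(data: bytes) -> bool:
    """The naive IDS check: the literal 'Gh0st' at the start of the segment."""
    return data.startswith(CLASSIC_MAGIC)


def classify_segment(data: bytes) -> str:
    """Structure-aware check: survives a renamed header, but not whole-segment encryption."""
    parsed = parse_packet(data)
    if parsed is None:
        return "no-gh0st-framing"
    magic, _ = parsed
    if magic == CLASSIC_MAGIC:
        return "gh0st-classic"
    return "gh0st-framing:" + magic.decode("latin-1")


def xor_whole_segment(data: bytes, key: int = 0x5A) -> bytes:
    """Constructed stand-in for the variant's whole-segment encryption (page names no cipher)."""
    return bytes(b ^ key for b in data)


if __name__ == "__main__":
    # Constructed sample frames, not captures from real traffic.
    classic = build_packet(b"sample command bytes")
    renamed = build_packet(b"sample command bytes", VARIANT_MAGIC)
    encrypted = xor_whole_segment(renamed)
    for name, seg in (("classic", classic), ("nbLGX", renamed), ("encrypted", encrypted)):
        print(f"{name:9s} magic-sig={magic_signature_hit(seg)!s:5s} structural={classify_segment(seg)}")
```

The renamed header defeats the literal-string signature but not the structural check, because the length fields and the zlib stream are still in the clear; once the whole segment is encrypted, neither check fires and detection has to move to endpoint behaviour (the event-log clearing and offline keylogging noted above) or to the decrypted stream if the key is recovered from the implant.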