Gh0st RAT is a popular example of a Remote Access Trojan used by attackers to control infected endpoints, originally attributed to threat actor groups in China. Gh0st RAT and its variants are still some of the most widely used RAT tools in existence due to their effectiveness.

Once installed, It allows an attacker to take full control of the infected endpoint, log keystrokes, provide live webcam and microphone feed, download and upload files, and other powerful features. Another feature of Gh0St RAT is the ability to obfuscate the client-server communication using a proprietary network protocol. This is wrapped up with several intuitive graphical user interfaces to make malicious remote control simple.

Gh0st RAT capabilities

Below is a list of Gh0st RAT capabilities. It can:

  • Take full control of the remote screen on the infected bot.
  • Provide real-time as well as offline keystroke logging.
  • Provide live feed of webcam, the microphone of the infected host.
  • Download remote binaries on the infected remote host.
  • Take control of remote shutdown and reboot of the host.
  • Disable infected computer remote pointer and keyboard input.
  • Enter into the shell of the remote infected host with full control.
  • Provide a list of all the active processes.
  • Clear all existing SSDT of all existing hooks.

What are its targets?

It primarily targets government agencies, embassies, foreign ministries, and other government and military offices across Southern and Southeastern Asian countries, with a particular focus on the exiled Tibetan government and the Dalai Lama.

Gh0st RAT distributed via a spear-phishing campaign

In June 2013, It was distributed via a spear-phishing campaign purporting to come from the Taiwan Bureau of National Health Insurance. The phishing emails included a malicious link, which upon clicking redirected users to a phishing page, where an official-looking RAR archive file gets downloaded. This malicious file installed and executed the Gh0st RAT.

EternalBlue exploit distribute Ghost RAT

In June 2017, attackers leveraged the EternalBlue exploit in Microsoft Server Message Block (SMB) protocol to distribute the Gh0st RAT. The sample observed in this attack was signed with a common digital certificate purporting to be from the Beijing Institute of Science and Technology Co., Ltd.

Deserve malware linked with Gh0st RAT

Tick threat group’s Daserf malware has been observed sharing its infrastructure with the backdoors Invader and Minzen, the trojans Gh0st RAT and 9002 RAT, and the downloader HomamDownloader. Furthermore, Daserf has also shared cipher code with Gh0st RAT.

Vulnerabilities found in Gh0st RAT

Security researchers detected vulnerabilities in Gh0st RAT that could allow victims to extract files from the attacker’s server. It while transferring files from the victim’s server to the attacker’s server, does not validate whether the attacker requested the file in the first place. This could allow victims to deliberately upload their file to the attacker’s infrastructure, and install a backdoor on the attacker’s server.

Operation PZChao

In February 2018, an attack campaign dubbed ‘Operation PZChao’s targeted government agencies, as well as technology, education, and telecommunications sectors in Asia and the United States. The attack campaign dropped a Bitcoin miner, two versions of Mimikatz, and a modified version of Gh0st RAT. The campaign’s final payload was the Gh0st RAT.

Updated variant

In 2019, researchers observed an updated variant of it, which is capable of downloading additional malware, cleaning event logs, file management, shell command execution, and offline keylogging. This variant has also changed its header from ‘Gh0st’ to ‘nbLGX’.