What Is It?
One of the most notorious Microsoft Windows-based remote access trojans (RATs) is Gh0st RAT; the first reports of its existence surfaced in 2009. These reports describe an APT operation named GhostNet that occurred in 2008.
Targeted users who clicked on a link in a phishing email initiated a sequence of events which resulted in Gh0st RAT being installed on their systems. GhostNet consisted of at least 1295 infections in 103 countries. The infections occurred in embassies, foreign ministries and other government and military offices, mainly in Southern and Southeastern Asian countries, with a particular focus on the exiled Tibetan government and the Dalai Lama.
RATs are one class of malware that has long posed a threat to corporate, small business and home users alike. A RAT can give an attacker complete control of an infected system remotely, including activating a system’s microphone and webcam, logging keystrokes, exfiltrating data from files on – or accessible from – the infected system and manipulating files, processes and system settings.
There is a wide range of RATs. Some are even commercially available, marketed with dubious claims of “valid” use cases, which has led to their use by a wide gamut of attackers, from domestic partners, to profit-motivated attackers, all the way to advanced persistent threat (APT) actors. RATs are available for various platforms and operating systems.
The source code for Gh0st RAT version 3.6 was made available in mid-2008. This led to a vast number of variants and Gh0st RAT-based versions being released. Often these variants are altered in order to evade anti-virus detection of previous variants. Despite the public availability of the basic source code, Gh0st RAT has continued to be used by APT groups, mainly those associated with China, including Iron Tiger, APT18 and Night Dragon.
More recently, the leaked NSA EternalBlue exploit has been used to install Gh0st RAT as part of several cryptomining campaigns, including MassMiner. In these cases, the attackers appear to be using Gh0st RAT to obtain a persistent backdoor on infected systems, allowing them to install cryptominers and trojans.
How Does It Propagate?
Gh0st RAT and its variants are not worms; they do not self-propagate. Over time, various attack vectors have been utilized, ranging from malicious links in phishing emails to the EternalBlue exploit.
When/How Did BluVector Detect It?
A variety of publicly available Gh0st RAT variant samples have been tested against BluVector’s patented Machine Learning Engine (MLE). Regression testing has shown these samples would have been detected an average of 10 months prior to their release. Owing to the wide range of dates on which these samples were released into the wild, the maximum detection time for these samples is 49 months.