Cybersecurity researchers have flagged a brand new malware known as PLAYFULGHOST that comes with a variety of information-gathering options like keylogging, display seize, audio seize, distant shell, and file switch/execution.
The backdoor, in accordance with Google’s Managed Protection group, shares useful overlaps with a recognized distant administration instrument known as Gh0st RAT, which had its supply code publicly leaked in 2008.
PLAYFULGHOST’s preliminary entry pathways embody the usage of phishing emails bearing code of conduct-related lures or search engine marketing (web optimization) poisoning strategies to distribute trojanized variations of reputable VPN apps like LetsVPN.
“In a single phishing case, the an infection begins by tricking the sufferer into opening a malicious RAR archive disguised as a picture file by utilizing a .jpg extension,” the corporate stated. “When extracted and executed by the sufferer, the archive drops a malicious Home windows executable, which ultimately downloads and executes PLAYFULGHOST from a distant server.”
Assault chains using web optimization poisoning, alternatively, search to deceive unsuspecting customers into downloading a malware-laced installer for LetsVPN, which, when launched, drops an interim payload accountable for retrieving the backdoor parts.
The an infection is notable for leveraging strategies similar to DLL search order hijacking and side-loading to launch a malicious DLL that is then used to decrypt and cargo PLAYFULGHOST into reminiscence.
Mandiant stated it additionally noticed a “extra refined execution situation” whereby a Home windows shortcut (“QQLaunch.lnk”) file, combines the contents of two different recordsdata named “h” and “t” to assemble the rogue DLL and sideload it utilizing a renamed model of “curl.exe.”
PLAYFULGHOST is able to organising persistence on the host utilizing 4 completely different strategies: Run registry key, scheduled process, Home windows Startup folder, and Home windows service. It boasts an in depth set of options that enable it to assemble intensive knowledge, together with keystrokes, screenshots, audio, QQ account data, put in safety merchandise, clipboard content material, and system metadata.
It additionally comes with capabilities to drop extra payloads, block mouse and keyboard enter, clear Home windows occasion logs, wipe clipboard knowledge, carry out file operations, delete caches and profiles related to net browsers like Sogou, QQ, 360 Security, Firefox, and Google Chrome, and erase profiles and native storage for messaging functions similar to Skype, Telegram, and QQ.
A few of the different instruments deployed through PLAYFULGHOST are Mimikatz and a rootkit that is able to hiding registry, recordsdata, and processes specified by the risk actor. Additionally dropped together with the obtain of PLAYFULGHOST parts is an open-source utility known as Terminator that may kill safety processes by the use of a Carry Your Personal Susceptible Driver (BYOVD) assault.
“On one event, Mandiant noticed a PLAYFULGHOST payload being embedded inside BOOSTWAVE,” the tech large stated. “BOOSTWAVE is a shellcode that acts as in-memory dropper for an appended Moveable Executable (PE) payload.”
The concentrating on of functions like Sogou, QQ, and 360 Security and the usage of LetsVPN lures elevate the chance that these infections are concentrating on Chinese language-speaking Home windows customers. In July 2024, Canadian cybersecurity vendor eSentire revealed the same marketing campaign that leveraged pretend installers for Google Chrome to propagate Gh0st RAT utilizing a dropper dubbed Gh0stGambit.
