A New, Spookier Gh0st RAT Malware Haunts Global Cyber Targets

A decade and a half after Gh0st RAT first appeared, the "SugarGh0st RAT" variant aims to make life sweeter for cybercriminals.

3 Min Read
Vintage illustration of people reacting to a ghost
Source: Niday Picture Library via Alamy Stock Photo

A new variant of the infamous "Gh0st RAT" malware has been identified in recent attacks targeting South Koreans and the Ministry of Foreign Affairs in Uzbekistan.

The Chinese group "C.Rufus Security Team" first released Gh0st RAT on the open Web in March 2008. Remarkably, it's still in use today, particularly in and around China, albeit in modified forms.

Since late August, for instance, a group with strong Chinese links has been distributing a modified Gh0st RAT deemed "SugarGh0st RAT." According to research from Cisco Talos, this threat actor drops the variant via JavaScript-laced Windows shortcuts, while distracting targets with customized decoy documents.

The malware itself is still largely the same, effective tool it's ever been, though it now sports some new decals to help sneak past antivirus software.

SugarGh0st RAT's Traps

The four samples of SugarGh0st, likely delivered via phishing, arrive on targeted machines as archives embedded with Windows LNK shortcut files. The LNKs hide malicious JavaScript which, upon opening, drops a decoy document — targeted for Korean or Uzbek government audiences — and the payload.

Like its progenitor — the Chinese origin remote access Trojan, first released to the public in March 2008 — SugarGh0st is a clean, multitooled espionage machine. A 32-bit dynamic link library (DLL) written in C++, it begins by collecting system data, then opens up the door to full remote access capabilities.

Attackers can use SugarGh0st to retrieve any information they might desire about their compromised machine, or start, terminate, or delete the processes it's running. They can use it to find, exfiltrate, and delete files, and erase any event logs to mask the resulting forensic evidence. The backdoor comes fitted with a keylogger, a screenshotter, a means of accessing the device's camera, and plenty of other useful functions for manipulating the mouse, performing native Windows operation, or simply running arbitrary commands.

"The thing that's most concerning to me is how it's specifically designed to evade previous detection methods," says Nick Biasini, Cisco Talos' head of outreach. With this new variant, specifically, "they took effort to do things that would change the way that core detection would work."

It isn't that SugarGh0st has any particularly novel evasion mechanisms. Rather, minor aesthetic changes make it appear different from prior variants, such as changing the command-and-control (C2) communication protocol such that instead of 5 bytes, the network packet headers reserve the first 8 bytes as magic bytes (a list of file signatures, used to confirm a file's contents). "It's just a very effective way to try and make sure that your existing security tooling isn't going to pick up on this right away," Biasini says.

Gh0st RAT's Old Haunts

Back in September 2008, the office of the Dalai Lama approached a security researcher (no, this isn't the beginning of a bad joke).

Its employees were being peppered with phishing emails. Microsoft applications were crashing, without explanation, across the organization. One monk recalled watching his computer open Microsoft Outlook all on its own, attach documents to an email, and send that email to an unrecognized address, all without his input.

A Gh0st RAT beta model's English language UI; Source: Trend Micro EU via Wayback Machine

The Trojan used in that Chinese military-linked campaign against Tibetan monks has stood the test of time, Biasini says, for a few reasons.

"Open source malware families live long because actors get a fully functional piece of malware that they can manipulate as they see fit. It also allows people who don't know how to write malware to leverage this stuff for free," he explains.

Gh0st RAT, he adds, stands out in particular as "a very functional, very well-built RAT."

About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights