
Researchers Discover New Type of Malware Attached to Gh0st RAT

Threat researchers from malware protection firm FireEye have discovered a new type of malware on systems that have been infected with the Gh0st RAT (Remote Access Trojan), with plenty of evidence that suggests that the botmasters for Gh0st are experimenting with new tools.

The Gh0st RAT has been linked to spear phishing attacks that targeted several organizations in Central Tibet earlier this year. In the grand scheme of things, Gh0st is in the same malware family as Poison Ivy, another Trojan used for remote access, and there is speculation that the attackers are in China.

The earlier Gh0st attacks progressed to targeting a wider set of activists, including those using Mac OS systems, but new research has uncovered another tool that expands on Gh0st’s capabilities.

While the victim’s identity isn’t explained, researchers from FireEye have discovered a new malware variant on systems that are infected by Gh0st. The malware, currently named backdoor.ADDNEW, exists side-by-side with Gh0st and has been seen communicating with the same command and control (C&C) server in France with an IP address of 31.33.33.7 through different ports.

“The Backdoor uses a custom protocol over TCP to communicate to its CnC,” FireEye explained. “Since the domain to which the malware was communicating was down, we used Mandiant’s FakeNet and recorded all the communication. In the picture below you see the very first communication that is sent to the CnC by the infected machine. The “NEW” keyword that is sent back to the CnC lets the CnC know that it is a newly infected machine.”

[Image: Backdoor.ADDNEW malware]

FireEye researchers noticed that the backdoor targets the signons.sqlite database used by Firefox to store passwords. In addition to harvesting credentials from Mozilla’s browser, the malware also opens a remote link to the system and enables the attacker to launch DDoS attacks.

“There are strings in the binary referencing “DarkDDOSER,” FireEye noted. “One can only speculate if in some way “DarkDdoser” and the Gh0st RAT complement each other.”
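The C&C behaviour described above (one server, several ports, a “NEW” first check-in) is the part a defender can turn into a detection. The following is an added example, not FireEye’s code or anything from the original article; it assumes a hypothetical whitespace-separated connection log with the fields timestamp, source, destination, port, protocol and first payload bytes, and uses constructed sample lines.

```python
from collections import defaultdict

C2_IP = "31.33.33.7"          # C&C address reported by FireEye for Gh0st and backdoor.ADDNEW
NEW_INFECTION_MARKER = b"NEW"  # keyword the backdoor sends on its very first check-in

# Constructed sample log (hypothetical format): ts src dst port proto first_payload ('-' if none)
SAMPLE_LOG = """\
2012-10-01T10:00:01 10.0.0.5 31.33.33.7 80 tcp NEW|WIN-HOST1|...
2012-10-01T10:00:02 10.0.0.5 31.33.33.7 8080 tcp -
2012-10-01T10:00:05 10.0.0.7 93.184.216.34 443 tcp -
2012-10-01T10:01:10 10.0.0.9 31.33.33.7 443 tcp -
"""

def parse_line(line):
    """Split one log line into a record; payload is bytes or None."""
    ts, src, dst, port, proto, payload = line.split(maxsplit=5)
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto,
            "payload": None if payload == "-" else payload.encode()}

def detect_addnew_beacons(log_text, c2_ip=C2_IP):
    """Return {src_ip: {"ports": [...], "new_checkin": bool}} for hosts talking TCP to the C2."""
    hits = defaultdict(lambda: {"ports": set(), "new_checkin": False})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] != "tcp" or rec["dst"] != c2_ip:
            continue
        entry = hits[rec["src"]]
        entry["ports"].add(rec["port"])
        if rec["payload"] and rec["payload"].startswith(NEW_INFECTION_MARKER):
            entry["new_checkin"] = True
    return {src: {"ports": sorted(v["ports"]), "new_checkin": v["new_checkin"]}
            for src, v in hits.items()}

def triage(hits):
    """Rank findings: a NEW check-in means a fresh infection; several ports to the same
    C2 matches the Gh0st plus ADDNEW co-infection pattern FireEye observed."""
    findings = []
    for src, info in sorted(hits.items()):
        reasons = [f"tcp to C2 {C2_IP} on ports {info['ports']}"]
        if info["new_checkin"]:
            reasons.append("sent NEW first check-in: treat as newly infected")
        if len(info["ports"]) > 1:
            reasons.append("multiple ports: possible Gh0st + ADDNEW co-infection")
        findings.append((src, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for host, why in triage(detect_addnew_beacons(SAMPLE_LOG)):
        print(host, "->", why)
```

Host telemetry showing reads of the Firefox signons.sqlite file would complement this network view.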


For now, FireEye says it is still investigating the malware and performing more research before it will comment further. This could be the start of something sinister, as the operators of Gh0st expand to inflict additional damage; or it could be something as simple as a botnet being rented out for monetary gain.

Additional details are on the FireEye blog.