Gh0st RAT: Malicious Protocols
Gh0st RAT is a Trojan horse for the Windows platform that the operators of GhostNet used to hack into many sensitive computer networks. It is a cyber-spying program. The "RAT" part of the name refers to the software's ability to operate as a "Remote Administration Tool". The GhostNet system disseminates malware to selected recipients via computer code attached to stolen emails and addresses, thereby expanding the network by allowing more computers to be infected. According to the Infowar Monitor (IWM), a "GhostNet" infection causes computers to download a Trojan known as "Gh0st RAT" that allows attackers to gain complete, real-time control. Such a computer can be controlled or inspected by its hackers, and the software even has the ability to turn on the camera and audio-recording functions of an infected computer that has such capabilities, enabling monitors to see and hear what goes on in a room.
What is Gh0st RAT?
Gh0st RAT (Remote Access Terminal) is a trojan “Remote Access Tool” for Windows platforms that has been used to hack into some of the most sensitive computer networks on Earth.
Gh0st RAT capabilities
Before delving into the technical details of Gh0st RAT, let us take a brief look at its capabilities and reach. Gh0st RAT can:
Take full control of the remote screen on the infected bot.
Provide real-time as well as offline keystroke logging.
Provide a live feed from the webcam and microphone of the infected host.
Download remote binaries onto the infected host.
Remotely shut down and reboot the host.
Disable the infected computer's mouse pointer and keyboard input.
Open a shell on the remote infected host with full control.
Provide a list of all active processes.
Clear all existing hooks from the SSDT.
Gh0st RAT Components
This section covers both the user-level and kernel-level binaries of the Gh0st RAT toolset. Gh0st RAT has two main components: client and server.
Controller Application: This is known as the client. It is typically a Windows application used to track and manage Gh0st servers on remote compromised hosts. The two main functions this module serves are the management and control of Gh0st servers and the ability to create customized server install programs.
Windows DLL (user-level binary): The DLL is named SVCHOST.DLL. It is installed on a compromised host as a Windows service, and this service is the server component of the Gh0st toolkit. It checks in to the Gh0st client on startup and awaits instructions. The setup and installation of this DLL as a service is done by the install program (dropper) SERVER.EXE, which we will discuss shortly.
INSTALL.EXE (dropper application): Used to install SVCHOST.DLL. This is a stand-alone Windows application that contains all the code required to prepare a compromised host for the installation of the Gh0st RAT server service and to launch that service.
Kernel-Level Binary: This is present in the toolset as the .SYS file RESSDT.SYS. It is a very small device driver that performs a single task: resetting the Windows System Service Dispatch Table (SSDT). It is the only kernel-level binary in the toolset. It runs at system startup on the compromised host and removes all hooks from the SSDT.
Install Program: This is commonly called “the dropper.” It contains the two binaries described above and performs all of the work necessary to install the Gh0st server on a host and start the Gh0st service.
Gh0st RAT Variants
Since the Gh0st RAT source code is available to everyone, many versions of Gh0st RAT exist, as people have used and modified the code to fit their purposes. Because of its number of variants and its encryption capabilities, Gh0st is hard to recognize. Most antivirus detection names today are automatically generated, producing names thought out by machines: quick, but containing information only machines find interesting. The most stable indicator that you are facing a Gh0st RAT is its network communication. It is well documented and quite distinctive, as it always begins with a “magic word,” which in its default configuration is “Gh0st” – thus Gh0st RAT.
As one can imagine, detecting the “Gh0st” keyword in the network stream is fairly easy: the magic word has a fixed length of 5 bytes, and tools such as a Network Intrusion Prevention System (NIPS) or even Wireshark can match it. The keywords below, taken from the investigations guide, are the magic words seen in Gh0st network streams:
“7hero, Adobe, B1X6Z, BEiLa, BeiJi, ByShe, FKJP3, FLYNN, FWAPR, FWKJG, GWRAT, Gh0st, GOLDt, HEART, HTTPS, HXWAN, Heart, IM007, ITore, KOBBX, KrisR, LUCKK, LURK0, LYRAT, Level, Lover, Lyyyy, MYFYB, MoZhe, MyRat, OXXMM, PCRat, QWPOT, Spidern, Tyjhu, URATU, W0LFKO, Wangz, Winds, World, X6RAT, XDAPR, Xjjhj, ag0ft, attac, cb1st, https, whmhl, xhjyk, 00000, ABCDE, apach, Assas, Blues, chevr, CHINA, cyl22, DrAgOn, EXXMM, Eyes1, Gi0st, GM110, Hello, httpx, kaGni, light, LkxCq, lvxYT, Naver, NIGHT, NoNul, Origi, QQ_124971919, Snown, SocKt, Super, Sw@rd, v2010, VGTLS, wcker, Wh0vt, wings, X6M9K, xqwf7, YANGZ”
The above is not an exhaustive list, and some magic keywords, such as “Spidern” and “W0LFKO”, do not even have the standard 5-byte length. Other irregular magic keywords, such as “DrAgOn” and “QQ_124971919”, do not compress their network traffic the way most other Gh0st variants do.
In the next article of this series, we will learn about Gh0st network connections, why it is difficult to control this type of attack, and what possible solutions can be put in place to control it.
Gh0st RAT – Data Packet Structure
Below is the packet layout exchanged between a Gh0st RAT client and a compromised host.
Packet Header: 5 bytes, containing the Gh0st magic keyword. Magic keywords are listed in Part 1 of this series.
Packet Size: 4-byte integer giving the total size of the packet.
Uncompressed Size: 4-byte integer giving the size of the packet when uncompressed.
Payload: variable-size data containing the commands exchanged between client and host.
It is important to note that the Gh0st header is sent in clear text and the packet payload is compressed using the open-source zlib compression library. The compressed payload can easily be recovered with zlib's decompress() function. The payload contains operation codes (commands, tokens and modes) that are exchanged between the Gh0st RAT C2 client and the compromised host.
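As an added example (not code from the original article), here is a Python parser that applies the header layout above together with the magic-word check from the variants section: it validates the 5-byte magic, the two length fields, and inflates the zlib payload, returning None for anything malformed, then walks a reassembled stream to pull out every packet. The magic subset, the little-endian byte order and the sample payloads are assumptions of the example.

```python
import struct
import zlib

# Subset of the magic words listed above; set, byte order and samples are assumptions.
GH0ST_MAGICS = {b"Gh0st", b"PCRat", b"LURK0", b"HTTPS", b"Adobe"}
HEADER_LEN = 13  # 5-byte magic + 4-byte total size + 4-byte uncompressed size


def parse_gh0st_packet(data, magics=GH0ST_MAGICS):
    """Parse one Gh0st packet at the start of data; return None if malformed."""
    # Malformed means: unknown magic, total size smaller than the header or larger
    # than the data, a payload that does not inflate, or a size field that lies.
    if len(data) < HEADER_LEN or data[:5] not in magics:
        return None
    # Both size fields are little-endian, as in the public Gh0st source.
    total_size, uncompressed_size = struct.unpack_from("<II", data, 5)
    if total_size < HEADER_LEN or total_size > len(data):
        return None
    try:
        payload = zlib.decompress(data[HEADER_LEN:total_size])
    except zlib.error:
        return None
    if len(payload) != uncompressed_size:
        return None
    return {"magic": data[:5].decode("ascii"), "total_size": total_size,
            "uncompressed_size": uncompressed_size, "payload": payload}


def build_gh0st_packet(magic, payload):
    """Build a packet in the same layout; used only to construct sample input."""
    body = zlib.compress(payload)
    return magic + struct.pack("<II", HEADER_LEN + len(body), len(payload)) + body


def find_gh0st_packets(stream, magics=GH0ST_MAGICS):
    """Walk a reassembled TCP stream and return every Gh0st packet found."""
    found, offset = [], 0
    while offset + HEADER_LEN <= len(stream):
        pkt = parse_gh0st_packet(stream[offset:], magics)
        if pkt is None:
            offset += 1  # no header here; slide forward one byte
        else:
            found.append(pkt)
            offset += pkt["total_size"]
    return found


# Constructed sample: noise bytes, then two packets carrying placeholder opcodes.
SAMPLE_STREAM = (b"noise" + build_gh0st_packet(b"Gh0st", b"\x01placeholder")
                 + build_gh0st_packet(b"PCRat", b"\x02" * 40))
```

The size cross-check matters for a detector: a stream that merely contains a 5-byte magic string will produce false positives unless the length fields and the inflated payload agree with each other.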
Some of the important operation codes are as shown below.
Commands
COMMAND_KILLPROCESS
COMMAND_SESSION
COMMAND_DELETE_FILE
COMMAND_DELETE_DIRECTORY
COMMAND_SYSTEM
COMMAND_AUDIO
COMMAND_WEBCAM
COMMAND_OPEN_URL_HIDE
COMMAND_REPLAY_HEARTBEAT
COMMAND_UPDATE_SERVER
COMMAND_ACTIVED
Token Codes
TOKEN_AUTH
TOKEN_HEARTBEAT
TOKEN_LOGIN
TOKEN_FILE_SIZE
TOKEN_DRIVE_LIST
TOKEN_TRANSFER_FINISH
TOKEN_DATA_CONTINUE
Modes
TRANSFER_MODE_NORMAL
TRANSFER_MODE_JUMP
TRANSFER_MODE_CANCEL
TRANSFER_MODE_OVERWRITE
Defensive Measures
This section lists some of the defensive and proactive measures that can be put in place to detect Gh0st malware.
Monitoring traffic with inline network devices: Security solutions that provide deep packet inspection, such as Intrusion Detection/Prevention Systems (IDS/IPS), can help a great deal in looking for Gh0st malware. But today Gh0st malware is sophisticated enough that a simple IDS/IPS signature is not enough to detect it.
Internal port scans: As we have learned, there is a persistent connection between the Gh0st RAT C2 client and the compromised host, so running an internal port scan at regular intervals will reveal the malicious ports.
Monitoring services on hosts: Since malware is usually installed as a rootkit operating close to the kernel layer, and is mostly installed as a service, an internal scan of all running services on hosts must be carried out at regular intervals.
Event logs for hosts: Endpoint host event logs must be monitored for both successful and failed logins. Specifically monitor for logon types 3 and 10, because these are the most likely ways in which an intruder can connect to internal hosts.
Last but not least, security awareness is a must to protect against most malware, and Gh0st RAT is no exception. Users should be aware of this malware to protect against attacks such as URL redirection.
Techniques Used
Domain, ID, Name, Use:
Enterprise T1059 (Command-Line Interface): gh0st RAT is able to open a remote shell to execute commands.
Enterprise T1043 (Commonly Used Port): gh0st RAT uses port 443 for C2 communications.
Enterprise T1073 (DLL Side-Loading): A gh0st RAT variant has used DLL side-loading.
Enterprise T1107 (File Deletion): gh0st RAT has the capability to delete files.
Enterprise T1070 (Indicator Removal on Host): gh0st RAT is able to wipe event logs.
Enterprise T1056 (Input Capture): gh0st RAT has a keylogger.
Enterprise T1050 (New Service): gh0st RAT can create a new service to establish persistence.
Enterprise T1057 (Process Discovery): gh0st RAT has the capability to list processes.
Enterprise T1060 (Registry Run Keys / Startup Folder): gh0st RAT adds a Registry Run key to establish persistence.
Enterprise T1105 (Remote File Copy): gh0st RAT can download files to the victim’s machine.
Enterprise T1085 (Rundll32): A gh0st RAT variant has used rundll32 for execution.
Enterprise T1113 (Screen Capture): gh0st RAT can capture the victim’s screen remotely.
Enterprise T1032 (Standard Cryptographic Protocol): gh0st RAT uses RC4 and XOR to encrypt C2 traffic.
Groups That Use This Software
ID, Name, References:
G0062 (TA459): TA459 has used a Gh0st variant known as PCrat/Gh0st.
G0026 (APT18)
G0011 (PittyTiger)
G0096 (APT41)
G0027 (Threat Group-3390)