From the arrest of a senior member of a ransomware gang to the successful Rove Digital takedown, coordination between law enforcement agencies and security groups has time and again yielded positive results. This time, the Taiwan Criminal Investigation Bureau (CIB), in cooperation with Trend Micro, resolved a targeted attack that used the notorious Gh0st RAT family. One person was arrested by the CIB.
BKDR_GHOST (aka Gh0st RAT or TROJ_GHOST), a well-known remote access Trojan (RAT), is commonly used in targeted attacks and is widely available to threat actors and cybercriminals alike.
In this targeted attack, the attackers delivered BKDR_GHOST to unsuspecting targets via custom spear-phishing emails containing a link from which the malware was automatically downloaded. The email posed as the Taiwan Bureau of National Health Insurance, which made it convincing enough to lure targets into clicking the link and eventually executing the malware.
To avoid easy detection, the emails carried a link rather than an attachment; the link redirected users to a site that automatically downloaded an official-looking RAR archive. To further persuade users to open the "document" inside the archive, the attacker used an old but effective file-naming trick: inserting a run of spaces between a document extension (in this case .DOC) and the real executable extension (in this case .EXE). The technique still works because the padding pushes the real extension past the right edge of the narrow filename column in the archive viewer, so the victim sees only the .DOC part. Our threat discovery solutions detect malware with this trait as HEUR_NAMETRICK.A in ATSE 9.740.1046.
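As an added example (not code from the original post or from Trend Micro), here is a Python check for the padded-extension trick described above. It generalizes beyond the .DOC/.EXE case: any non-executable extension followed by a run of spaces (plain, no-break or full-width) and then an executable extension is flagged. The sample archive and its member names are constructed for the demonstration; a ZIP built in memory stands in for the RAR because the standard library cannot read RAR, but the check runs on names only and applies unchanged to a RAR listing.

```python
import io
import re
import zipfile

# Extensions Windows will execute on double-click (a practical subset; extend as needed).
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe",
             "js", "jse", "wsf", "hta", "msi"}

# "<stem>.<shown ext><run of spaces>.<real ext>": the padding pushes the real
# extension past the right edge of a narrow archive-viewer column, so the
# victim sees "<stem>.DOC". Plain, no-break (U+00A0) and full-width (U+3000)
# spaces are all accepted as padding.
PADDED_EXT = re.compile(
    r"^(?P<stem>.+?)\.(?P<shown>[A-Za-z0-9]{1,5})"
    r"(?P<pad>[ \u00a0\u3000]+)\.(?P<real>[A-Za-z0-9]{1,4})$"
)


def padded_extension(name):
    """Return (shown_ext, real_ext, pad_len) when `name` hides an executable
    extension behind padding, otherwise None."""
    m = PADDED_EXT.match(name)
    if m is None:
        return None
    shown, real = m.group("shown").lower(), m.group("real").lower()
    # Flag only when what the user sees looks harmless and what Windows
    # actually runs is executable.
    if real in EXEC_EXTS and shown not in EXEC_EXTS:
        return shown, real, len(m.group("pad"))
    return None


def scan_names(names):
    """Filter an archive listing (or any list of filenames) down to padded names."""
    return [n for n in names if padded_extension(n) is not None]


def scan_zip(data):
    """Scan member names of a ZIP held in memory; the same check applies to a RAR listing."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return scan_names(zf.namelist())


def build_sample_archive():
    """Constructed sample: one benign document plus a padded-name executable.
    Member contents are dummy bytes, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Notice.doc", b"benign document text")
        zf.writestr("NHI_Notice.DOC" + " " * 40 + ".EXE", b"MZ dummy")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_zip(build_sample_archive()):
        shown, real, pad = padded_extension(hit)
        print(f"suspicious member {hit!r}: shows .{shown}, really .{real}, {pad} padding chars")
```

The match is deliberately on the name alone, so it can run on a mail gateway's archive listing before anything is extracted; a single padding space is enough to flag, since a document name that ends in a space followed by an executable extension has no legitimate use.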
BKDR_GHOST infection chain
Once the user runs the disguised executable from the archive, the following files are dropped and executed:
- %windir%\addins\ACORPORATION.VBS (detected as VBS_GHOST) – executes Gh0st RAT installation script (AMICROSOFT.VBS)
- %windir%\addins\AMICROSOFT.VBS (detected as VBS_GHOST) – extracts password protected Gh0st RAT archive (f2o.zip)
- %windir%\addins\Atask.bat (detected as BAT_GHOST) – searches for and overwrites the following files with the extracted Gh0st RAT components:
- %windir%\addins\f2o.zip – contains 2 BKDR_GHOST variants performing similar malicious behaviors:
  - put.exe (detected as BKDR_GHOST)
  - cd.exe (detected as BKDR_GHOST)
In another attempt to stay inconspicuous, the final BKDR_GHOST payloads are stored in a password-protected archive (f2o.zip); the password is kept in clear text inside the installation script AMICROSOFT.VBS, so an analyst who recovers the script can also recover the payloads. Once the BKDR_GHOST binaries are running, the attackers have full access to the infected system and can navigate through it and exfiltrate valuable data such as personal information.
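The analyst-side counterpart to that design choice, as an added example that is not part of the original post: pull the archive password and the archive names out of a VBScript installer of this kind so the payloads can be extracted in a sandbox. The script text below is constructed for the demonstration (the real AMICROSOFT.VBS is not reproduced on the page); it mirrors the pattern described, a WinRAR command line whose -p switch carries the password, once through a variable and once as a literal. The variable names, passwords and the second archive are all assumptions.

```python
import re

# Constructed stand-in for an installer script; NOT the real AMICROSOFT.VBS.
SAMPLE_VBS = r'''
Set sh = CreateObject("WScript.Shell")
dst = sh.ExpandEnvironmentStrings("%windir%") & "\addins\"
pw = "x3Gh0st!"
sh.Run "cmd /c """ & dst & "rar.exe"" x -p" & pw & " -y """ & dst & "f2o.zip"" """ & dst & """", 0, True
sh.Run """" & dst & "rar.exe"" x -pBackup2 " & dst & "backup.rar " & dst, 0, True
sh.Run dst & "Atask.bat", 0, True
'''

# name = "literal"   (VBScript doubles quotes inside strings: "" -> ")
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"((?:[^"]|"")*)"\s*$', re.M)

# -p switch of rar/unrar/7z: either the string is closed and a variable is
# appended (-p" & pw & ...) or the password is inline (-pSecret).
PSWITCH = re.compile(r'-p(?:"\s*&\s*(\w+)\s*&|([^\s"&]+))')

# Archive file names referenced anywhere in the script.
ARCHIVE = re.compile(r'[\w.-]+\.(?:zip|rar|7z)\b', re.I)


def string_vars(script):
    """Map variable names to the string literals assigned to them."""
    return {name: value.replace('""', '"') for name, value in ASSIGN.findall(script)}


def recover_installer_secrets(script):
    """Return candidate archive passwords (in order of appearance) and archive
    names found in a VBScript installer."""
    variables = string_vars(script)
    passwords = []
    for m in PSWITCH.finditer(script):
        var, literal = m.group(1), m.group(2)
        value = variables.get(var) if var else literal
        if value and value not in passwords:
            passwords.append(value)
    archives = []
    for name in ARCHIVE.findall(script):
        if name not in archives:
            archives.append(name)
    return {"passwords": passwords, "archives": archives}


if __name__ == "__main__":
    print(recover_installer_secrets(SAMPLE_VBS))
```

The recovered password goes to the archive tool inside an analysis VM, never to a double-click on the extracted binaries. The parser handles plain literals and a single concatenated variable only; a dropper that assembles the password from Chr() calls or string reversal needs the script to be run under a monitored WScript host instead.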
Figure 1: Flow of the targeted attack
Figure 2: Detailed malware execution flow
To avoid falling prey to these attacks, we strongly encourage users to always be cautious before opening attachments or clicking links in email messages. Attackers commonly spoof government agencies and other institutions, so users must verify the legitimacy of any email they receive before acting on it. For more information about how targeted attacks work, you may read our paper Targeted Attack Entry Points: Are Your Business Communications Secure?