Gh0st RAT Trojan Targets Users Through Fake Chrome Site

The remote access trojan known as Gh0st RAT has been detected being delivered by an “evasive dropper” called Gh0stGambit. This is part of a drive-by download scheme specifically targeting Chinese-speaking Windows users.

These infections originate from a fake website, “chrome-web[.]com,” which serves malicious installer packages disguised as Google’s Chrome browser. This indicates that users searching for Chrome are being targeted.

Gh0st RAT is a well-known malware family that has been active since 2008. Over the years, it has appeared in various forms in campaigns primarily run by China-nexus cyberespionage groups. Some versions of the trojan have been used to infiltrate poorly secured MS SQL server instances, using them to install the open-source Hidden rootkit.

According to cybersecurity firm eSentire, the focus on Chinese-speaking users is evident from the Chinese-language web lures and from the malware's handling of Chinese applications, both for data theft and for defense evasion.

The MSI installer downloaded from the fake website contains two files: a legitimate Chrome setup executable and a malicious installer named “WindowsProgram.msi.” The malicious installer launches shellcode that loads Gh0stGambit. The dropper checks for the presence of security software like 360 Safe Guard and Microsoft Defender Antivirus before contacting a command-and-control (C2) server to retrieve Gh0st RAT.

“Gh0st RAT is written in C++ and has many features, including terminating processes, removing files, capturing audio and screenshots, remote command execution, keylogging, data exfiltration, and hiding registry, files, and directories via rootkit capabilities,” eSentire explained.

The trojan is also capable of dropping Mimikatz, enabling RDP on compromised hosts, accessing account identifiers associated with Tencent QQ, clearing Windows event logs, and erasing data from 360 Secure Browser, QQ Browser, and Sogou Explorer.

The Canadian company noted that the artifact shares similarities with a Gh0st RAT variant tracked by the AhnLab Security Intelligence Center (ASEC) under the name HiddenGh0st.

“Gh0st RAT has been widely used and modified by APT and criminal groups over the past several years,” the researchers said. “The recent findings highlight the distribution of this threat via drive-by downloads, tricking users into downloading a malicious Chrome installer from a deceptive website.”

Preventing infections from Gh0st RAT and similar malware requires a multi-layered security approach. Users should only download software from official and verified sources and avoid clicking on links from unknown or suspicious emails. Utilizing reputable antivirus and anti-malware programs can help detect and block such threats.
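One concrete way to apply the "verified sources" advice on Windows is to check the Authenticode signature of a downloaded installer before running it. The script below is an added example, not code from eSentire's report; it assumes a genuine Chrome installer is signed with a certificate whose subject contains `CN=Google LLC`, and the installer path is a placeholder you supply.

```powershell
# Added example: refuse to trust a "Chrome" installer (EXE or MSI) unless it
# carries a valid Authenticode signature from Google.
# Assumption: genuine Chrome installers are signed by a certificate whose
# subject contains "CN=Google LLC".
param(
    [Parameter(Mandatory = $true)]
    [string]$InstallerPath   # placeholder, e.g. "$env:USERPROFILE\Downloads\ChromeSetup.exe"
)

$expectedSigner = 'CN=Google LLC'

if (-not (Test-Path -Path $InstallerPath -PathType Leaf)) {
    Write-Warning "File not found: $InstallerPath"
    exit 1
}

# Get-AuthenticodeSignature handles both PE files and MSI packages.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath

# Anything other than 'Valid' (NotSigned, HashMismatch, UnknownError, ...)
# means the file should not be run.
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($sig.Status)' for '$InstallerPath' - do not run this file."
    exit 1
}

# A valid signature from the wrong publisher is still a red flag: a
# repackaged installer may be signed, just not by Google.
$subject = $sig.SignerCertificate.Subject
if ($subject -notlike "*$expectedSigner*") {
    Write-Warning "Signed, but by '$subject' rather than Google - treat as suspicious."
    exit 1
}

# Record the hash so the file can be compared or reported later.
$hash = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
Write-Output "OK: '$InstallerPath' is validly signed by '$subject'"
Write-Output "SHA256: $hash"
exit 0
```

A valid signature only establishes who signed the file, so this check complements, rather than replaces, obtaining the installer from Google's official download page.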