PLAYFULGHOST: A Comprehensive Technical Analysis of a Sophisticated Malware
PLAYFULGHOST is a newly identified malware that has been observed targeting users through phishing emails and SEO poisoning. This malware is notable for its extensive capabilities, which include keylogging, screen and audio capture, remote shell access, and information stealing.

TL;DR
- Technical Capabilities: PLAYFULGHOST supports commands such as keylogging, screen capture, audio capture, remote shell, and file transfer/execution.
- Delivery Methods: The primary delivery methods for PLAYFULGHOST are phishing attacks and SEO poisoning.
- Advanced Techniques: PLAYFULGHOST utilizes advanced techniques such as DLL search order hijacking, side-loading, and BYOVD attacks.
- Associated Tools: Tools like BOOSTWAVE and TERMINATOR are used to enhance PLAYFULGHOST's capabilities.
- Threat Actors: PLAYFULGHOST is associated with threat actors that have a history of using Gh0st RAT and other advanced techniques.
Research Summary
PLAYFULGHOST has been linked to attacks involving trojanized VPN applications and uses advanced techniques such as DLL search order hijacking, side-loading, and BYOVD (Bring Your Own Vulnerable Driver) attacks. The malware shares functional overlaps with Gh0st RAT and targets Chinese-speaking users, indicating a regional focus. Tools like TERMINATOR and BOOSTWAVE are used to enhance its capabilities.
The research involved gathering information from various sources, including intelligence graphs and external web searches. The findings show that PLAYFULGHOST is a sophisticated malware with multiple functionalities and advanced delivery methods. It is associated with threat actors that have a history of using Gh0st RAT and other advanced techniques. The malware's use of trojanized VPN applications, DLL search order hijacking, side-loading, and BYOVD attacks makes it particularly dangerous. The supporting tools, TERMINATOR and BOOSTWAVE, further extend its capabilities and indicate a high level of sophistication.
Technical Findings
- Technical Capabilities: PLAYFULGHOST supports commands such as keylogging, screen capture, audio capture, remote shell, and file transfer/execution. It can also collect hardware information, enumerate installed security products, and perform various file management tasks. The malware maintains persistence through the Run registry key, scheduled tasks, the startup folder, and a Windows service.
- Delivery Methods: The primary delivery methods for PLAYFULGHOST are phishing attacks and SEO poisoning. In phishing attacks, the malware is delivered through malicious RAR archives disguised as image files. In SEO poisoning, the malware is bundled with popular applications like LetsVPN and distributed through manipulated search engine results.
- Advanced Techniques: PLAYFULGHOST utilizes advanced techniques such as DLL search order hijacking, side-loading, and BYOVD attacks. These techniques involve using legitimate executables to load malicious DLLs and decrypt the malware payload into memory.
- Associated Tools: Tools like BOOSTWAVE and TERMINATOR are used to enhance PLAYFULGHOST's capabilities. BOOSTWAVE acts as an in-memory dropper for the malware payload, while TERMINATOR is used to terminate security processes by abusing a vulnerable driver.
- Threat Actors: PLAYFULGHOST is associated with threat actors that have a history of using Gh0st RAT and other advanced techniques. The malware's targeting of Chinese-speaking users and the use of tools like TERMINATOR and BOOSTWAVE suggest a sophisticated and potentially state-sponsored group.
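The DLL search order hijacking and side-loading described under Advanced Techniques leave a recognisable footprint in image-load telemetry: a DLL bearing the name of a system library is loaded from outside the Windows system directory and is not signed. The hunting heuristic below is an added example, not code from the original report; it assumes Sysmon Event ID 7 (Image loaded) field names, and both the reference DLL set and the sample records are constructed for the demonstration.

```python
"""Hunting heuristic for DLL search-order hijacking / side-loading, run over
Sysmon Event ID 7 (Image loaded) style records.
All records and the reference DLL set are constructed samples, not real telemetry."""
import ntpath

# Constructed reference set: DLL names that legitimately resolve to the Windows
# system directory.  A real deployment would build this list from a clean host.
SYSTEM_DLL_NAMES = {"version.dll", "wininet.dll", "cryptbase.dll", "dwmapi.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_sideload_candidate(event: dict) -> bool:
    """True when an unsigned DLL carrying the name of a system DLL is loaded
    from somewhere other than the system directory.  That is the footprint of a
    legitimate executable resolving a DLL name through the search order and
    finding the attacker's copy (usually placed beside the EXE) first."""
    loaded = event["ImageLoaded"]
    name = ntpath.basename(loaded).lower()
    directory = ntpath.dirname(loaded).lower() + "\\"
    if name not in SYSTEM_DLL_NAMES:
        return False                  # not a name the loader would normally find in System32
    if directory.startswith(SYSTEM_DIRS):
        return False                  # loaded from where it belongs
    signed = str(event.get("Signed", "false")).lower() == "true"
    return not signed                 # a genuinely redistributed copy would be signed


def find_sideloads(events):
    """Return (process image, loaded DLL) pairs that deserve a closer look."""
    return [(e["Image"], e["ImageLoaded"]) for e in events if is_sideload_candidate(e)]


# Constructed sample records using Sysmon Event ID 7 field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Users\Public\Update\app.exe",
     "ImageLoaded": r"C:\Users\Public\Update\version.dll", "Signed": "false"},
    {"Image": r"C:\Users\Public\Update\app.exe",
     "ImageLoaded": r"C:\Users\Public\Update\plugin.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\dwmapi.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for image, dll in find_sideloads(SAMPLE_EVENTS):
        print(f"possible side-load: {image} loaded {dll}")
```

Only the second record is flagged: the unsigned plugin.dll has no system-DLL name, and the signed dwmapi.dll copy under Program Files is treated as a vendor redistribution rather than a hijack.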
Recommendations, Actions, Suggested Pivots, Forecasts and Next Steps
(Subscribers Only)