Musical Chairs Campaign Found Deploying New Gh0st RAT Variant

Share this…

Researchers have peeled back the layers on a new campaign that spans multiple years and involves a new variant of the ubiquitous Gh0st remote access tool (RAT).

The campaign, now believed to in its sixth year, is dubbed Musical Chairs, according to new research from Palo Alto Networks published Tuesday.

The campaign drops Piano Gh0st, a new – and freely available – variant of the longtime Chinese RAT Gh0st. Piano Gh0st, which first surfaced in July, uses a new wrapper to hide the Gh0st payload, according to Palo Alto. From there a payload is extracted to Piano.dll, where the embedded DLL (Gh0stRat) is decrypted, loaded and run.

Musical Chairs Campaign Found Deploying New Gh0st RAT Variant

Interestingly, the campaign has used a single command and control server to connect to the malware via a custom TCP protocol, for the last two years according to researchers.

“The infrastructure used in Musical Chairs stands out primarily due to its longevity and use of multiple Gh0st command servers on the same host,”  Brandon Levene, Robert Falcone, and Jen Miller-Osborn, researchers with the firm, write.

While some domains affiliated with the campaign appear to date back to 2010, the infrastructure’s longest running domain is connected to a Windows 2003 server that uses a U.S. IP address, but a Chinese language interface, according to the report.

The server has been responsible for communicating with at least 32 different Gh0st samples since 2013.

While researchers with the firm didn’t specify exactly who might be behind the malware, they do note that a debugging path inside the DLL does include Chinese characters, suggesting whoever compiled it has a Chinese language pack (GB2312 specifically) installed.

While the way Piano Gh0st is deployed may sound sophisticated, when it comes to how the malware is distributed, oddly enough, the campaign lacks complexity.

Attackers don’t rely on any particular exploit to propagate Piano Gh0st; instead their scheme depends on an old school technique; getting hacked email accounts to send a slew of phishing emails to as many targets as possible, using suggestively titled attachments like “Beautiful Girls.exe,” “Sexy Girls.exe,” and “Gift card.exe.” The targets aren’t even specific, Palo Alto notes, adding that more than anything, their attacks appear to be “opportunistic.”

“The accounts themselves appear to be legitimate, and are likely also compromised by this actor,” the researchers write, “In many cases the phishing e-mails are sent indiscriminately to all e-mail addresses in an infected user’s address book, including ‘no-reply’ addresses a human operator would know to ignore.”

To compromise users’ systems, the attackers have to hope that users are tricked into opening the attached executables.

Once opened, like all iterations of Gh0st 3.6, the malware that’s circulated through Musical Chairs boasts the usual functions, including keylogging, remote audio/video access, remote terminal access, and file management, according to researchers.