A remote control malware called Gh0st RAT, which is popular with Chinese threat actors and has publicly available source code was created by China’s C. Rufus Security Team.
ASEC (AhnLab Security Emergency Response Center) finds the Gh0st RAT variant using a Hidden rootkit to target MS-SQL servers, hiding malware presence and preventing its removal.
The HiddenGh0st is a Gh0st RAT variant with QQ Messenger data theft capabilities that have persisted since 2022 and are likely to target Chinese users.
Cybersecurity researchers at ASEC recently reported that HiddenGh0st malware actively targets and attacks poorly managed MS-SQL and MySQL servers.
Hackers Attacking MS-SQL & MySQL Servers
HiddenGh0st evades detection by packing, decrypting, and executing its PE file in memory while transmitting 0x848-sized configuration data.
Besides this, it covers the following things:-
- C&C URL
- Installation method
- File name
- Rootkit activation
Deactivated options in the configuration data, like the downloader thread’s URL, could have triggered external malware downloads.
Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware
Another option fetches the infected system’s public IP address from http[:]//www[.]taobao[.]com/help/getip[.]php when enabled, sending it to the C&C server.
The configured ‘Service’ mode in HKLM\SYSTEM\Select saves installation time as ‘MarkTime’ and sets HiddenGh0st as a service, launching it with ‘-auto’ argument.
The configuration specifies dummy data size, appending 0x00800000-sized data. After that, the original file is deleted, and HiddenGh0st relaunches as a service with ‘-acsi’ argument.
Configured ‘Startup Folder’ mode in HKLM\SYSTEM\Select stores installation time in ‘MarkTime,’ then HiddenGh0st copies itself using DefineDosDeviceA() API.
After that, it creates a symbolic link ‘.\agmkis2,’ adds dummy data, then runs the copied malware, and deletes the original one.
Here below, we have mentioned all the collected data:-
- Windows version information
- CPU speed
- Number of CPUs
- Public IP address
- Private IP address
- Host name of the infected system
- Number of webcams
- Internet connection delay time
- Network interface speed
- Memory capacity
- Local disk capacity
- “Default” string (decrypted from the configuration data) or the “5750b8de793d50a8f9eaa777adbf58d4” value of the BITS registry
- System boot time
- “1.0” (version)
- List of installed security products
- Wow64 availability
- Malware installation time (MarkTime)
- Logged in QQ Messenger number
- Whether 3 minutes has passed since the last key input
- Internet connection status (MODEM, LAN, PROXY)
Security product info gathered by scanning process names for specific keywords:-
“360tray.exe”, “360sd.exe”, “kxetray.exe”, “KSafeTray.exe”, “QQPCRTP.exe” ,”HipsTray.exe” ,”BaiduSd.exe” ,”baiduSafeTray.exe” ,”KvMonXP.exe” ,”RavMonD.exe” ,”QUHLPSVC.EXE” ,”QuickHeal” ,”mssecess.exe” ,”cfp.exe”, “SPIDer.exe”, “DR.WEB”, “acs.exe”, “Outpost”, “V3Svc.exe” ,”AYAgent.aye” ,”avgwdsvc.exe” ,”AVG” ,”f-secure.exe” ,”F-Secure” ,”avp.exe” ,”Mcshield.exe”, “NOD32”, “knsdtray.exe”, “TMBMSRV.exe”, “avcenter.exe”, “ashDisp.exe” ,”rtvscan.exe” ,”remupd.exe” ,”vsserv.exe”, “BitDefender”, “PSafeSysTray.exe”, “ad-watch.exe”, “K7TSecurity.exe”, “UnThreat.exe”, “UnThreat”
HiddenGh0st extends original Gh0st RAT features, including version info “1.0” and identifier “Default” from config data. Activated keylogger saves data as “6gkIBfkS+qY=.key” in %SystemDirectory%.
Moreover, HiddenGh0st does the following things to send the extracted data to the C&C server:-
- Installs Mimikatz
- Extracts account credentials
Defend MS-SQL servers from brute force attacks with strong passwords, regular changes, and updated security tools like firewalls to block external threats and prevent ongoing infections.
- 69cafef1e25734dea3ade462fead3cc9: HiddenGh0st
- 0d92b5f7a0f338472d59c5f2208475a3: Hidden x86 Rootkit (QAssist.sys)
- 4e34c068e764ad0ff0cb58bc4f143197: Hidden x64 Rootkit (QAssist.sys)