LTS Secure Warning: Attackers Obfuscating Client-Server Communication Using Gh0st RAT

Gh0st is one of the most popular RAT (Remote Access Trojan) ever to  be created & is being used by attackers to control the infected devices, which is associated to threat actors group in China. Ghost is still the go to choice for most of the attackers out there because of its effectiveness. Once installed on the victim, Gh0st allows the attacker to take the full access of infected devices, log keystrokes, provide live microphone & webcam feeds of the victim, download and upload files and other features & services.

Technical Details

The attacker start the infection process via Mail-Spam campaign. Once the user click on the link present in the E-mail, a dropper is download on the devices which then downloads & executes the Gh0st RAT. The devices then makes a connection to the remote C&C server via which the attacker sends commands to be executed on the victim device.

Impact

• Attacker can take full access of the infected system.
• It captures real time as well as offline keystrokes.
• It is capable of fetching live feed of webcam and microphone of the victim.
• Upload malicious files on the infected machines.
• It can also reset the Windows System Service Dispatch Table (SSDT)
• It affects your System Performance as well as functionality.

Recommended Actions

• Always update your anti-virus software with the latest releases.
• Ensure that your devices are always up-to-date with the latest patches released.
• Avoid Opening emails & attachments from unknown senders.
• Run a periodic Full system scan.