The Gh0st malware is a widely used remote administration tool (RAT) that originated in China in the early 2000s. It has been the subject of many analysis reports, including those describing targeted espionage campaigns like Operation Night Dragon and the GhostNet attacks on Tibet. Musical Chairs is a multi-year campaign which recently deployed a new variant of Gh0st we’ve named “Piano Gh0st.”

Our evidence suggests the actors behind these attacks have been operating for over five years and have maintained a single command and control server for almost two. They use compromised e-mail accounts to distribute their malware widely and their targeting appears opportunistic rather than specific.

The overall motivation of this campaign is unclear at this time. Gh0st is very versatile as it allows an adversary to take complete control over the infected system including installing additional malware.

Tracking the Gh0st

Using Palo Alto Networks AutoFocus we have identified Gh0st variants associated with Musical Chairs leading back to mid 2013. The source code and building tools for Gh0st are available freely on the web; anyone who is so inclined can build their own version of the malware. The way researchers differentiate between most variants is based on their “magic tag.”

Gh0st uses a custom TCP protocol to connect to a command and control (C2) server and retrieve instructions from the attacker. The malware identifies itself to the server by sending a string of characters (the magic tag), which the server repeats back to confirm the connection (see Figure 1).

In the original version this string was “Gh0st” but in subsequent versions many different strings are used. These strings, along with the actual location of the command and control server (domain and/or IP address) allow us to associate various Gh0st samples with a single attacker or group. In 2011, Norman released a paper that showed many clusters of Gh0st samples that were connected based on these tags.

Figure 1. Gh0st “magic tag” value sent over custom TCP protocol

Using these tags in the network traffic, the command and control infrastructure and other characteristics of the attacks, we have grouped together a series of attacks into one campaign, named Musical Chairs.

The functionality of Gh0stRat (3.6) is well documented by multiple sources and is summarized below:

Keylogging

Remote terminal access

Remote audio and video access

File management

Remote file download and execution

Process explorer and additional system enumeration capabilities

GUI interaction (remote control)

Self Update

Reset of SSDT to remove existing hooks

Spreading the Gh0st

The Gh0st variants used in the Musical Chairs campaign are distributed using phishing e-mails. The threat actors behind the attacks use a “shotgun” approach, blasting e-mails to as many recipients as possible in hopes of tricking a small percentage of targets into opening the attachment. The attackers generally do not rely upon any vulnerability exploitation, and instead rely on the user to open the attached executable to compromise their system. Additionally, the phishing messages are sent from US-based residential ISP e-mail addresses. The accounts themselves appear to be legitimate, and are likely also compromised by this actor. In many cases the phishing e-mails are sent indiscriminately to all e-mail addresses in an infected user’s address book, including “no-reply” addresses a human operator would know to ignore.

While Gh0st itself does not have built-in e-mailing components, it is also possible that an additional payload is responsible for the propagation via e-mail.

The following list contains known filenames of attachments used in the delivery stage of the Musical Chairs campaign:

“Pleasantly Surprised.exe”

“Beautiful Girls.exe”

“Sexy Girls.exe”

“gift card.exe”

“amazon gift card.pdf.exe”

The subject of the e-mails carrying these files typically matches the filename itself and does not contain any sophisticated attempts at social engineering. The attacks detected thus far by Palo Alto Networks WildFire have been exclusively in the United States and do not appear to target any particular industry.

Infrastructure

The infrastructure used in Musical Chairs stands out primarily due to its longevity and use of multiple Gh0st command servers on the same host. At the center of the infrastructure for the last two years is a Windows 2003 server using the IP address 98.126.67.114. The server uses a US-based IP address, but displays a Chinese language interface for Remote Desktop connections.

Figure 2. Chinese language Windows Server 2003 login banner on Gh0st C2

Thus far Unit 42 has identified 32 different Gh0st samples connecting to this server dating back to July of 2013. The Gh0st C2 software operates on Windows and allows the attacker to specify which port it should listen on for connections from infected systems. The attacker may host multiple Gh0st C2s on this server at one time, or may change the hosting TCP port very frequently. The 32 samples we have identified connect to 19 different TCP ports.

First Seen    Gh0st TCP Port
7/18/13       10003
9/4/13        10009
9/4/13        10008
9/14/13       10004
10/15/13      10004
11/21/13      20004
11/28/13      20001
1/2/14        40000
1/2/14        40000
1/9/14        20004
1/29/14       10008
3/17/14       30001
4/17/14       8001
4/22/14       8001
7/14/14       10005
8/18/14       8003
9/10/14       9000
9/19/14       9000
10/27/14      10006
2/20/15       9001
3/24/15       600
7/13/15       200
7/15/15       200
7/15/15       200
7/17/15       200
7/21/15       200
7/21/15       201
7/22/15       201
7/29/15       201
8/10/15       203
8/18/15       204
8/20/15       204

While 98.126.67.114 is the longest standing command and control server, it is not the only server used by Musical Chairs. The malware typically finds this server using a domain that is registered by the attacker and the registration information used by these C2 domains has allowed us to identify additional infrastructure used in these attacks.

Figure 3. Diagram of relationships between Musical Chairs C2 domains and related infrastructure

These many related domains put the approximate start date of this campaign in 2010. The earliest versions of the attacks we’ve found are still visible in e-mail groups and public Facebook postings. Figure 4 shows an e-mail with the subject “my girlfriend’s self-view video” that contains a link to an executable hosted on nvzm.info, one of the domains associated with the Musical Chairs infrastructure.

Figure 4. Screenshot of e-mail linking to nvzm[.]info using a “self-view video” theme.

The image below shows a Facebook post from 2012 with a similar theme and a different link to a URL that is also part of the same infrastructure map.

Figure 5. Screenshot of Facebook posting including a different “video” theme.

Finally, we located a user who posted to the Gmail Help forum in 2010 requesting assistance with ridding their system of malware. He states that all of his contacts received one of the “self-view” phishing e-mails after his system was compromised.

Figure 6. Screenshot of request on Gmail help forums related to “self-view” video e-mails.

While we have not been able to identify the specific malware used to distribute these spam messages, the infrastructure and the themes used in the e-mails connect them directly back to the Musical Chairs activity seen this year.

Piano Gh0st

In July, Musical Chairs began deploying a new variant of Gh0st, which we’ve named “Piano Gh0st.” This variant uses a new wrapper file to hide the Gh0st payload. The files are delivered as a self-extracting executable (SFX) that acts as the dropper. It is responsible for extracting its payload to “c:\microsoft\lib\ke\Piano.dll” and executing the “mystart” function within the DLL’s export address table (EAT) using rundll32.exe.

Figure 7. Screenshot of calls observed by Palo Alto Wildfire from within the AutoFocus interface.

The “Piano.dll” file itself has very little functionality other than decrypting, loading and running an embedded DLL. It decrypts the embedded DLL using the Blowfish symmetric cipher with a simple key consisting of the single character “y”. “Piano.dll” proceeds to load the newly decrypted DLL manually and calls its exported function “mystart”. The decrypted DLL has the following attributes:

MD5: 8182a33cc1268c0c3b4e3d9a02d912c9

SHA256: 32026e702cff8fd3f113473ea2698eab0ca181aa2d0fd0e8802e31aa3befa94a

Type: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit

Size: 148008 bytes

Imphash: 9c01d71c9bf78d231a313c86540e284c

Compiled: 2015-07-14 02:11:32

Exports:

(0x123f0) mystart

This embedded DLL is the actual Gh0stRat Trojan, specifically version 3.6. The following debugging path is found within the DLL, which suggests the individual who compiled this DLL has a Chinese language pack (GB2312 specifically) installed:

C:\Documents and Settings\Administrator\桌面\GetRawInputData_dlll键盘记录版_win7bug改_网络验证_Mutext_LSPlayer_20150708\gh0st3.6\Server\svchost\Release\

The Trojan maintains persistence on the infected system by creating an entry in the registry at “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” with the key “nvidiake” and value “c:\microsoft\lib\ke\vv.js”, as seen in Figure 8.

Figure 8. AutoFocus view of registry key modifications made by Piano Gh0st to maintain persistence through system reboots

The file “vv.js” in the registry key is a simple one-line JavaScript that executes the “vvv.bat” file, as seen in the following:

new ActiveXObject('Wscript.Shell').Run('cmd /c c:\\microsoft\\lib\\ke\\vvv.bat',0);

The ‘vvv.bat’ file is a batch file that executes the Piano.dll payload in the same way as the initial dropper, using “rundll32.exe” to call the “mystart” exported function, as seen in the following:

rundll32.exe c:\microsoft\lib\ke\Piano.dll mystart
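The persistence chain just described (Run key to vv.js, to vvv.bat, to rundll32.exe loading Piano.dll and calling mystart) is the kind of thing a host-inspection script can follow on its own. The Python below is an added example, not Unit 42 code or anything shipped with the report: it resolves a Run-key value through launcher scripts and lists why the entry deserves attention. The in-memory file system, the benign comparison entry, and the rule sets SCRIPT_EXTS and STANDARD_ROOTS are assumptions for the illustration; on a live host the files would be read from disk.

```python
"""Follow a Run-key value through launcher scripts and flag what it ends up running.
Added illustration, not Unit 42 code; files come from an in-memory dict so it runs offline."""
import ntpath
import re
import shlex

# Extensions a Run value should rarely point at directly (assumed rule).
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".bat", ".cmd"}
# Roots treated as normal install locations; anything else is reported (assumed rule).
STANDARD_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Hosts whose first argument is the real payload (script or DLL).
HOSTS = {"rundll32.exe", "rundll32", "wscript.exe", "wscript", "cscript.exe", "cscript"}


def tokens(cmd):
    """Split a Windows command line, keeping backslashes and dropping surrounding quotes."""
    return [t.strip('"') for t in shlex.split(cmd, posix=False)]


def launched_file(cmd):
    """Return the file a command line ultimately launches: unwrap 'cmd /c', and for
    script hosts / rundll32 take the first argument."""
    toks = tokens(cmd)
    if not toks:
        return None
    head = ntpath.basename(toks[0]).lower()
    if head in ("cmd", "cmd.exe") and len(toks) >= 3 and toks[1].lower() in ("/c", "/k"):
        return launched_file(" ".join(toks[2:]))
    if head in HOSTS and len(toks) >= 2:
        return toks[1]
    return toks[0]


def next_command(path, fs):
    """If 'path' is a launcher script present in fs, return the command it runs."""
    text = fs.get(path.lower())
    if text is None:
        return None
    ext = ntpath.splitext(path)[1].lower()
    if ext in (".js", ".jse"):
        # WScript.Shell.Run('...') with JS string escaping (\\ becomes \)
        m = re.search(r"\.Run\(\s*'([^']*)'", text)
        return m.group(1).replace("\\\\", "\\") if m else None
    if ext in (".bat", ".cmd"):
        for line in text.splitlines():
            line = line.strip()
            if line and not line.lower().startswith(("rem ", "@echo", "::")):
                return line
    return None


def resolve_chain(command, fs, max_depth=8):
    """Follow launcher scripts until the command runs something that is not a script."""
    chain = [command]
    for _ in range(max_depth):
        nxt = next_command(launched_file(chain[-1]) or "", fs)
        if nxt is None:
            break
        chain.append(nxt)
    return chain


def assess_run_entry(value, fs):
    """Return (chain, reasons) for one Run value; an empty reasons list means nothing notable."""
    chain = resolve_chain(value, fs)
    reasons = set()
    for cmd in chain:
        toks = tokens(cmd)
        target = launched_file(cmd) or ""
        if ntpath.splitext(target)[1].lower() in SCRIPT_EXTS:
            reasons.add("script launcher: " + target)
        if toks and ntpath.basename(toks[0]).lower() in ("rundll32.exe", "rundll32"):
            reasons.add("rundll32 export call: " + cmd)
        if target and not target.lower().startswith(STANDARD_ROOTS):
            reasons.add("non-standard path: " + target)
    return chain, sorted(reasons)


def scan_run_entries(entries, fs):
    """Return {name: (chain, reasons)} for the entries that raised at least one reason."""
    flagged = {}
    for name, value in entries.items():
        chain, reasons = assess_run_entry(value, fs)
        if reasons:
            flagged[name] = (chain, reasons)
    return flagged


# Constructed in-memory file system holding the launcher contents quoted in the report.
FAKE_FS = {
    r"c:\microsoft\lib\ke\vv.js":
        r"new ActiveXObject('Wscript.Shell').Run('cmd /c c:\\microsoft\\lib\\ke\\vvv.bat',0);",
    r"c:\microsoft\lib\ke\vvv.bat":
        r"rundll32.exe c:\microsoft\lib\ke\Piano.dll mystart",
}

# Constructed Run-key entries: the Piano Gh0st one from the report and a benign placeholder.
RUN_ENTRIES = {
    "nvidiake": r"c:\microsoft\lib\ke\vv.js",
    "ExampleUpdater": r'"C:\Program Files\ExampleVendor\updater.exe" /quiet',
}

if __name__ == "__main__":
    for name, (chain, reasons) in scan_run_entries(RUN_ENTRIES, FAKE_FS).items():
        print(name, "->", " => ".join(chain))
        for r in reasons:
            print("   ", r)
```

Run as-is, the script reports only the “nvidiake” entry, with the three-step chain ending in the rundll32 call and one reason per hop. The rules are deliberately coarse (a script in a Run key, a rundll32 export call, a path outside the usual install roots); each one alone is noisy on a real fleet, and the value of following the chain is that all three line up on a single entry.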

After setting up the registry keys for persistence, the Gh0stRat sample begins communicating with its command and control server using a custom network protocol. The magic tag used by this version of Gh0st is “clarkclar1” as seen in Figure 9. This variant also communicated with a command and control server using the domain www.meitanjiaoyiwang[.]com, which is hosted by 98.126.67.114 on tcp port 200.

Figure 9. Screenshot of Piano Gh0st variant using the “clarkclar1” magic tag.
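The magic-tag handshake described under “Tracking the Gh0st” (client sends the tag, server echoes it) and the “clarkclar1” tag shown in Figure 9 give a simple network-side check. The Python below is an added example, not Unit 42 code: it flags TCP streams whose client opening bytes begin with a known tag that the server repeats back, and includes a separately labelled heuristic for tags not yet on the list. The stream records are constructed; the only values taken from the report are the two tags and the C2 address 98.126.67.114 on port 200. The filler bytes after each tag are arbitrary and make no claim about the rest of the Gh0st header.

```python
"""Flag TCP streams that open with a Gh0st-style magic-tag handshake.
Added illustration, not Unit 42 code. Input: one dict per TCP stream holding the
first bytes each side sent, as a flow exporter or a pcap script could produce."""

# Tags named in the report: the original "Gh0st" and Piano Gh0st's "clarkclar1".
KNOWN_TAGS = [b"Gh0st", b"clarkclar1"]


def gh0st_tag_match(client_first, server_first, known_tags=KNOWN_TAGS):
    """Return the tag (str) when the client opens with a known magic tag and the
    server's first bytes echo the same tag, otherwise None."""
    for tag in known_tags:
        if client_first.startswith(tag) and server_first.startswith(tag):
            return tag.decode("ascii")
    return None


def echoed_prefix(client_first, server_first, min_len=5, max_len=16):
    """Heuristic for tags not yet on the list: the longest printable-ASCII prefix
    of min_len..max_len bytes that both sides open with. Assumption: legitimate
    protocols rarely have the server echo the client's opening bytes; tune before use."""
    limit = min(len(client_first), len(server_first), max_len)
    best = None
    for n in range(min_len, limit + 1):
        prefix = client_first[:n]
        if prefix != server_first[:n] or not all(0x21 <= b <= 0x7E for b in prefix):
            break
        best = prefix.decode("ascii")
    return best


def find_gh0st_handshakes(streams):
    """Return (src, dst, tag, method) for every stream that looks like a handshake."""
    hits = []
    for s in streams:
        tag, method = gh0st_tag_match(s["client_first"], s["server_first"]), "known-tag"
        if tag is None:
            tag, method = echoed_prefix(s["client_first"], s["server_first"]), "echo-heuristic"
        if tag is not None:
            hits.append((s["src"], s["dst"], tag, method))
    return hits


# Constructed sample streams, not captured traffic. The first uses the C2 address and
# port the report gives for the Piano Gh0st sample; the others use documentation
# addresses. Bytes after each tag are arbitrary filler.
SAMPLE_STREAMS = [
    {"src": "10.0.0.5:49152", "dst": "98.126.67.114:200",
     "client_first": b"clarkclar1" + b"\x00\x00\x00\x1e" + b"\x00" * 8,
     "server_first": b"clarkclar1" + b"\x00\x00\x00\x0d" + b"\x00" * 8},
    {"src": "10.0.0.6:49201", "dst": "192.0.2.9:80",        # ordinary HTTP: no hit
     "client_first": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
     "server_first": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"},
    {"src": "10.0.0.7:50123", "dst": "192.0.2.10:8001",     # constructed unknown tag, echoed
     "client_first": b"exampletag" + b"\x00\x00\x00\x10",
     "server_first": b"exampletag" + b"\x00\x00\x00\x07"},
    {"src": "10.0.0.8:50200", "dst": "192.0.2.11:9000",     # tag sent but not echoed: no hit
     "client_first": b"clarkclar1" + b"\x00" * 8,
     "server_first": b"\x00\x00\x00\x00"},
]

if __name__ == "__main__":
    for hit in find_gh0st_handshakes(SAMPLE_STREAMS):
        print("%s -> %s  tag=%r  (%s)" % hit)
```

On the constructed streams only the first and third are reported: the first by the known tag, the third by the echo heuristic. The fourth shows why the echo matters; a client sending a tag that the server does not repeat is not a completed Gh0st handshake, and scanning for the tag string alone would over-report. The heuristic is a starting point for finding new variants of this campaign and should be checked against a baseline of normal traffic before it is trusted.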

Detection and Prevention

Palo Alto Networks WildFire detected the Gh0st malware, including the Piano Gh0st variant, as malicious based on the behavior the attack files exhibit on an infected system.

Additionally, we have deployed threat prevention signatures to detect Piano Gh0st alongside our previously deployed signatures for earlier Gh0st variants. AutoFocus users can find more information about this threat using the MusicalChairs tag.

The following indicators identify attacks using Piano Gh0st and the Musical Chairs campaign.