Security News > 2024 > July > Gh0st RAT Trojan Targets Chinese Windows Users via Fake Chrome Site

The remote access trojan known as Gh0st RAT has been observed being delivered by an "Evasive dropper" called Gh0stGambit as part of a drive-by download scheme targeting Chinese-speaking Windows users.

These infections stem from a fake website serving malicious installer packages masquerading as Google's Chrome browser, indicating that users searching for the software on the web are being singled out.

Gh0st RAT is a long-standing malware that has been observed in the wild since 2008, manifesting in the form of different variants over the years in campaigns primarily orchestrated by China-nexus cyberespionage groups.

The dropper, in turn, checks for the presence of security software before establishing contact with a command-and-control server in order to retrieve Gh0st RAT. "Gh0st RAT is written in C++ and has many features, including terminating processes, removing files, capturing audio and screenshots, remote command execution, keylogging, data exfiltration, hiding registry, files, and directories via the rootkit capabilities, and many more," eSentire said.

The Canadian company said the artifact shares overlaps with a Gh0st RAT variant tracked by the AhnLab Security Intelligence Center under the moniker HiddenGh0st.

"The recent findings highlight the distribution of this threat via drive-by downloads, deceiving users into downloading a malicious Chrome installer from a deceptive website."

News URL

https://thehackernews.com/2024/07/gh0st-rat-trojan-targets-chinese.html