Gh0st variants are prolific as they can be found in a popular open-source source code repository - this blog provides the basis for our association with the actor. The sample appears to be delivered via an email according to artifacts provided by malware-traffic-analysis, which is consistent with documented tactics for this group. Using details from that report, ASERT has identified a new sample and more interestingly, a new domain that we have associated with the corresponding actor. Multiple articles have been written about Gh0st over the years, including this one discussing the Musical Chairs campaign's use of this RAT. With moderate confidence, ASERT expects this domain to be used in new intrusions.
This long-standing actor is known for maintaining static command-and-control infrastructure such as domains for long periods of time, even when they have been discovered and widely publicized in the community.ASERT has discovered a new domain associated with the actors behind the Musical Chairs campaign.Uniquely in our observation, they have even embedded a fully-functional version of the game Tetris that will launch only when a special condition is meet. The actors are known for the longevity of their C2 domains, reusing them long after they have been identified, and for making use of a popular opened sourced RAT called Gh0st. IntroductionĪSERT has discovered new command-and-control infrastructure controlled by the actors behind the Musical Chairs campaign. We thank the research team at Palo Alto Networks for graciously bringing this to our attention. This version removes the association with the APT group responsible for the Night Dragon campaign that we had incorrectly made. February 20, 2018: This blog has been amended since it was originally published on February 15, 2018.