Stratos Ally

Fake Chrome sites are being used to deliver Gh0st RAT Trojans


StratosAlly


Security experts have found a new way in which threat actors are spreading the notorious Gh0st RAT. This Remote Access Trojan has been troubling systems since 2008. It is now being delivered through a drive-by download campaign that uses a dropper called Gh0stGambit and targets Chinese-speaking Windows users.

The attackers behind this campaign have built a fake website that imitates Google Chrome’s download page. People searching for the browser can land on it and download malicious files without realizing it. What they receive as “Chrome” is two files: a genuine Chrome installer and a malicious package named “WindowsProgram.msi”. This bundled setup starts a chain of events that ends with Gh0st RAT installed on the victim’s computer.
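The delivery pattern described above, a genuine installer bundled with a separately executed MSI dropped into the user’s download folder, is something a defender can look for in process-creation telemetry. The following is an added example, not code from the article or from eSentire: it runs a small heuristic over constructed Sysmon-style process-creation records, flags any MSI that `msiexec.exe` launches from a user download or temp location, and raises the severity when the file name matches the package named in the report (“WindowsProgram.msi”) or when a Chrome installer ran from the same folder shortly before. The decoy installer file name (`ChromeSetup.exe`), the path heuristic, and the sample events are assumptions made for the example.

```python
"""Detection sketch for the decoy-plus-dropper pattern described in the report.

Added example; the event records below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcessEvent:
    """Minimal Sysmon Event ID 1 style record (assumed shape)."""
    ts: datetime
    image: str      # full path of the executed binary
    cmdline: str    # full command line as logged
    user: str


# Paths a browser would normally write downloads to (assumed heuristic).
USER_DOWNLOAD_DIR = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\", re.I)
# Pull the .msi path out of an msiexec command line, quoted or not.
MSI_ARG = re.compile(r'"?([a-z]:\\[^"\s]+?\.msi)"?', re.I)
# Indicator named in the report.
KNOWN_DROPPER = "windowsprogram.msi"
# Assumed file name for the genuine Chrome installer used as the decoy.
CHROME_SETUP = re.compile(r"\\chromesetup[^\\]*\.exe$", re.I)


def msi_path(ev: ProcessEvent):
    """Return the MSI path if this event is msiexec installing a package."""
    if not ev.image.lower().endswith("\\msiexec.exe"):
        return None
    m = MSI_ARG.search(ev.cmdline)
    return m.group(1) if m else None


def find_suspicious_installs(events, window=timedelta(minutes=5)):
    """Flag MSIs run from a download location; escalate on known name or decoy."""
    findings = []
    chrome_runs = [e for e in events if CHROME_SETUP.search(e.image)]
    for ev in events:
        path = msi_path(ev)
        if not path or not USER_DOWNLOAD_DIR.match(path):
            continue  # system-cached or vendor-directory installs are not of interest here
        folder, name = path.rsplit("\\", 1)
        folder, name = folder.lower(), name.lower()
        reasons = ["msi launched from user download location"]
        if name == KNOWN_DROPPER:
            reasons.append("file name matches the reported dropper package")
        for c in chrome_runs:
            same_folder = c.image.rsplit("\\", 1)[0].lower() == folder
            if same_folder and abs(c.ts - ev.ts) <= window:
                reasons.append("chrome installer ran from the same folder within the window")
                break
        severity = "high" if len(reasons) > 1 else "medium"
        findings.append({"user": ev.user, "msi": path,
                         "severity": severity, "reasons": reasons})
    return findings


def sample_events():
    """Constructed records: one decoy-plus-dropper pair, one benign repair, one lone MSI."""
    t0 = datetime(2024, 1, 15, 10, 0, 0)
    return [
        ProcessEvent(t0, r"C:\Users\alice\Downloads\ChromeSetup.exe",
                     r'"C:\Users\alice\Downloads\ChromeSetup.exe"', "alice"),
        ProcessEvent(t0 + timedelta(seconds=30), r"C:\Windows\System32\msiexec.exe",
                     r'msiexec.exe /i "C:\Users\alice\Downloads\WindowsProgram.msi" /qn', "alice"),
        ProcessEvent(t0 + timedelta(minutes=2), r"C:\Windows\System32\msiexec.exe",
                     r'msiexec.exe /i "C:\Windows\Installer\1a2b3c.msi" /quiet', "SYSTEM"),
        ProcessEvent(t0 + timedelta(hours=1), r"C:\Windows\System32\msiexec.exe",
                     r'msiexec.exe /i "C:\Users\bob\Downloads\vendor-tool.msi"', "bob"),
    ]


if __name__ == "__main__":
    for f in find_suspicious_installs(sample_events()):
        print(f["severity"].upper(), f["user"], f["msi"], "|", "; ".join(f["reasons"]))
```

The first rule alone (an MSI run from a download folder) is noisy in environments where users install software themselves, which is why the example only escalates to high when the correlation with the decoy installer or the reported file name is present; in practice the time window and the list of download locations should be tuned to the environment.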

Research by eSentire shows that Gh0st RAT, written in C++, has a wide range of harmful capabilities. It can terminate processes, delete files, record audio, take screenshots, log keystrokes, and use rootkit techniques to hide itself. The malware can also deploy additional tools such as Mimikatz, change remote desktop settings, and steal data from various Chinese web browsers.

It is worth noting that this version of Gh0st RAT shares traits with another variant called HiddenGh0st, which the AhnLab Security Intelligence Center has analyzed previously.

An eSentire spokesperson stressed the importance of user education. They pointed out that this delivery method shows drive-by downloads still work well, which means ongoing security awareness training remains necessary.

In a separate but related development, Symantec’s team has observed more phishing attempts that may use AI-generated code. These attacks deliver various malicious payloads, including Rhadamanthys and NetSupport RAT.

As online threats keep evolving and becoming more sophisticated, both everyday users and security professionals need to stay alert. It is getting harder to tell genuine software from malicious code, which calls for continued awareness and strong security controls.
