GhostAdmin

By CagedTech in Backdoors

Threat Scorecard

Threat Level: 60 % (Medium)
Infected Computers: 2
First Seen: January 18, 2017
Last Seen: May 13, 2020
OS(es) Affected: Windows

GhostAdmin is a threat infection that is used to collect data and infiltrate the victims' computers. Third parties can take control of a computer infected with GhostAdmin. Commands can be sent to the infected computers by using IRC. GhostAdmin integrates the infected computers into a botnet, a vast network of infected computers that can then be used to carry out coordinated attacks, such as a sending out spam emails or carrying out DDoS (Distributed Denial of Service) attacks. GhostAdmin is already in active distribution and has been used in at least two attacks. GhostAdmin has already been used to collect large quantities of data from two businesses.

The GhostAdmin Infection

Malware researchers have studied the GhostAdmin's code and have determined that is an updated version of CrimeScene, a botnet family that was active in 2012 and 2013. GhostAdmin is improved from this predecessor substantially, however. Currently, GhostAdmin is in version 2.0. GhostAdmin is written in C#. During its attack, GhostAdmin gains boot persistence, meaning that it remains active even if the infected computer restarts. It establishes communications with its command and control server through a particular IRC channel. The people controlling GhostAdmin can use this IRC channel to send commands that will be sent to all of the connected bots, a term used to refer to computers infected with the botnet threat.

What GhostAdmin can Do on an Infected computer

GhostAdmin can be used to interact with the infected computer's file system, copying, moving and deleting data. GhostAdmin also can browse the Web from the infected computer, download files and run them on the infected computer, and access the infected computer's history and settings. GhostAdmin also may be used to monitor the infected computer and is capable of taking screenshots, recording audio, and a wide variety of other functions. The main purpose for which GhostAdmin is being used currently is to collect data from the infected computers. These people gather data from the infected computer using GhostAdmin and then send this data to a Command and Control server using FTP to upload the data to a remote server. The FTP credentials are stored in GhostAdmin's configuration file, as well as an email address that is sent to contact the GhostAdmin's author.

Tracking GhostAdmin’s Origins

PC security analysts suspect that GhostAdmin was created by a user going by the name 'Jarad.' PC security researchers have managed to infiltrate the GhostAdmin's FTP server using the FTP credentials found in the GhostAdmin's configuration files, tracking information about Jarad's computer, as well as finding files taken from the GhostAdmin's victims. PC security researchers uncovered data collected in a lottery company and an Internet provider, from whom more than 360 GB of data had been gathered. GhostAdmin was used to collect a database containing information from the lottery company. At the time of this writing, GhostAdmin's IRC channel seems to have ten active bots only, which correspond to the current victims of this attack.

Most botnet families require thousands or even millions of bots to carry out effective attacks. This makes it obvious that GhostAdmin is just in its first steps. However, the fact that GhostAdmin's FTP credentials and other crucial data were able to be recovered from GhostAdmin's code makes it appear that Jarad is not a particularly sophisticated malware developer and, in fact, GhostAdmin does seem to be a step behind other, more advanced botnet threats in sophistication and potential of the attack. Regardless, PC security analysts strongly advise computer users to take precautions against GhostAdmin. It is important to install a reliable security program that is fully up-to-date and capable of detecting these threats.

SpyHunter Detects & Remove GhostAdmin

File System Details

GhostAdmin may create the following file(s):
# File Name MD5 Detections
1. file.exe 219ba2ee0bcdb23bf89079ac97730d57 1
2. file.exe b7cd29cfc8c2a3c26493c80ea0a6ffb6 0
3. file.exe 7a2a5b88b8331732e5bf0e0e1c6d54e8 0
4. file.exe 62c47ae826413abcf87df611d699ad6e 0
5. file.exe 80efaf603cbc72e855457fc727b281af 0

Trending

Most Viewed

Loading...