Gh0stTimes Malware Description
The Gh0stTimes Malware is a threat leveraged in active campaigns against Japanese targets. The threat actor attributed with responsibility for the series of attacks, which are still ongoing today, is the BlackTech group. Alongside Gh0stTimes, various other payloads have also been spotted on the compromised systems, such as downloaders, backdoors, ELF Bifrose, a Citrix exploit tool, a MikroTik exploit tool and more.
Gh0stTimes' Malware Details
The threat appears to be a customized variant of a previously observed malware named Gh0st RAT with whole sections of code being identical between the two. However, the BlackTech hackers modified their version and equipped it with expanded functionality. The upgraded functions include a Command-and-Control (C2, C&C) server redirect and proxy capabilities.
Once deployed on the compromised device, Gh0stTimes grabs certain information about the host and attempts to establish a connection to its C2 server. The communication between the threat and its server infrastructure is encrypted. Gh0stTimes also contains sections of so-called dummy code that serve no meaningful function but are put there in an attempt to hamper analysis.
The Gh0stTimes threat recognizes several incoming commands. The most expansive one tells the malware to manipulate the file system on the infected device in a certain way. The attackers can open files, move files and directories, delete files, obtain file data, upload files and the gathered data, create folders and more. Gh0stTimes also allows the threat actor to run remote shell commands on the system.
The fact that the BlackTech attack operations are still going on means that companies should take the appropriate measures to detect and mitigate the group's malicious tools such as the Gh0stTimes malware.