PLAYFULGHOST Malware
Cybersecurity experts have identified a newly emerging threat dubbed PLAYFULGHOST, a backdoor equipped with a broad spectrum of information-harvesting functions. This includes keylogging, screen and audio capture, remote shell access and file transfer or execution capabilities.
A Connection to the Gh0st RAT
PLAYFULGHOST exhibits functional similarities with the Gh0st RAT, a well-known remote administration tool that became widely available after its source code was leaked in 2008. This suggests that the threat actors behind PLAYFULGHOST may have built upon the older tool's foundation while introducing enhancements to expand its capabilities.
Initial Infection Vectors
The threat actors behind PLAYFULGHOST employ multiple techniques to gain initial access to target systems. These include phishing campaigns that leverage code-of-conduct-related themes and SEO poisoning tactics to distribute trojanized versions of legitimate VPN applications such as LetsVPN.
In a phishing attack scenario, victims are tricked into opening a malicious RAR archive that masquerades as an image file by using a misleading '.jpg' extension. Once extracted and run, the archive drops a malicious Windows executable, which then retrieves and launches PLAYFULGHOST from a remote server.
SEO poisoning, on the other hand, is used to lure unsuspecting users into downloading a compromised LetsVPN installer. Upon execution, this installer deploys an intermediary payload, which fetches and activates the backdoor's core components.
Advanced Evasion and Execution Tactics
PLAYFULGHOST relies on various stealth techniques to evade detection and establish a foothold on compromised systems. These include DLL search order hijacking and DLL sideloading to load a malicious DLL, which then decrypts and injects the backdoor into memory.
In a more elaborate execution method, researchers observed the use of a Windows shortcut file ('QQLaunch.lnk'), which combines two additional files ('h' and 't') to generate a rogue DLL. This DLL is sideloaded through a renamed version of 'curl.exe,' ensuring a covert deployment of the backdoor.
Persistence and Data Collection
Once installed, PLAYFULGHOST establishes persistence on the infected system using multiple techniques. These include modifying the Windows registry (Run key), creating scheduled tasks, adding entries to the Windows Startup folder, and registering as a Windows service.
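The sideloading chain above (a renamed 'curl.exe' loading a rogue DLL) and the four persistence mechanisms just listed are all visible in endpoint telemetry. The following is an added detection example, not code from the original report or from the researchers: it scans a simplified, constructed event schema (process create, registry set, file create, modelled loosely on Sysmon fields) for a binary whose PE OriginalFileName is 'curl.exe' but whose on-disk name differs, Run key writes, Startup folder drops, and schtasks/sc service creation. The sample events, the renamed file name 'launcher.exe', and the value name 'QQLaunch' are constructed for illustration.

```python
"""Hunt for PLAYFULGHOST-style sideloading and persistence in endpoint events.
Added example; the event schema is a simplified stand-in (assumption), not real
Sysmon XML. All sample telemetry below is constructed, not real IoCs."""
import re

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


def check_event(ev):
    """Return a list of finding strings for one event (empty if nothing suspicious)."""
    findings = []
    if ev["kind"] == "process":
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        orig = ev.get("original_file_name", "").lower()
        cmd = ev.get("command_line", "").lower()
        # Renamed curl.exe: the PE version resource still says curl.exe, the file name does not
        if orig == "curl.exe" and image != "curl.exe":
            findings.append(f"renamed curl.exe executing as {image}")
        if "schtasks" in cmd and "/create" in cmd:
            findings.append("scheduled task created")
        if image == "sc.exe" and " create " in cmd:
            findings.append("service registered via sc.exe")
    elif ev["kind"] == "registry" and RUN_KEY.search(ev["target_object"]):
        findings.append(f"Run key persistence: {ev['target_object']}")
    elif ev["kind"] == "file" and STARTUP_DIR.search(ev["target_filename"]):
        findings.append(f"Startup folder drop: {ev['target_filename']}")
    return findings


def scan(events):
    """Pair each finding with the index of the event that produced it."""
    return [(i, f) for i, ev in enumerate(events) for f in check_event(ev)]


# Constructed sample telemetry (assumed names; 'QQLaunch.lnk' and 'curl.exe' come from the report).
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Windows\System32\curl.exe",
     "original_file_name": "curl.exe", "command_line": "curl.exe -O https://example.invalid/x"},
    {"kind": "process", "image": r"C:\Users\Public\QQLaunch\launcher.exe",
     "original_file_name": "curl.exe", "command_line": "launcher.exe"},
    {"kind": "registry", "target_object":
     r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\QQLaunch"},
    {"kind": "file", "target_filename":
     r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QQLaunch.lnk"},
    {"kind": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "original_file_name": "schtasks.exe", "command_line": "schtasks /create /tn QQLaunch /tr t.exe"},
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(idx, finding)
```

The OriginalFileName mismatch rule is the one that catches the renamed 'curl.exe' specifically; the other rules flag any process that uses the same persistence locations, so tune them against a baseline before alerting.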
The backdoor's capabilities allow it to collect a wide array of sensitive information, including keystrokes, screenshots, audio recordings, clipboard data, details of installed security software, system metadata and QQ account credentials. Additionally, it can execute commands to disrupt user interactions by blocking keyboard and mouse inputs, tampering with event logs, and clearing clipboard content.
PLAYFULGHOST also exhibits file manipulation capabilities, enabling it to erase browser caches and profiles from applications such as Sogou, QQ, 360 Safety, Firefox and Google Chrome. It can further remove profiles and local storage associated with messaging platforms like Skype, Telegram and QQ.
Deployment of Additional Tools
Alongside PLAYFULGHOST, threat actors have been observed deploying supplementary tools to reinforce their control over infected systems. Among these are Mimikatz, a well-known credential-dumping tool, and a rootkit designed to conceal specific registry entries, files and processes. Additionally, an open-source utility called Terminator is introduced to disable security mechanisms through a Bring Your Own Vulnerable Driver (BYOVD) technique.
In at least one instance, PLAYFULGHOST has been embedded within BOOSTWAVE, a shellcode-based in-memory dropper that facilitates the deployment of appended Portable Executable (PE) payloads.
A Possible Target Demographic
The focus on applications such as Sogou, QQ, and 360 Safety, combined with the use of LetsVPN as a lure, suggests that this campaign primarily aims at Chinese-speaking Windows users. However, PLAYFULGHOST's advanced capabilities indicate a broader potential for exploitation beyond this specific demographic.