Gh0st RAT is the trojan linked to Gh0stNet, a cyber espionage network largely reporting to C&C servers in China. Recruitment to the Gh0stNet has in the past mainly been achieved by targeted emails carrying a malicious attachment that drops a trojan that can download the Gh0st RAT, which then allows its controllers to gain complete real-time control of infected Windows computers. In a March 2009 report, Shishir Nagaraja and Ross Anderson of the University of Cambridge Computer Laboratory concluded that the Gh0stNet intrusion into the computers of the Dalai Lama was effected by ‘agents of the Chinese government.’ “They used social phishing to install rootkits on a number of machines and then downloaded sensitive data,” says their report.
The Chinese connection of Gh0st RAT makes the new finding published by FireEye today all the more surprising. FireEye had been conducting further research on Gh0st RAT infections when it “identified another interesting piece of malware” that it found co-existing with Gh0st on a number of different machines, and “even talking to the same CnC IP (188.8.131.52) using different ports.” This particular C&C server is in France rather than China.
The new malware has been dubbed backdoor.ADDNEW. It has a number of key functions, such as the ability to steal stored Firefox passwords (which it does by getting the path to the signons.sqlite database) and to act as a DDoS agent (with UDP, SYN and HTTP Flood mechanisms). It is based on the Russian malware, DaRK DDoSer – which makes any relationship with the suspected Chinese Gh0st RAT all the more interesting. But FireEye has certainly found such a connection. “We saw the machines getting infected with Gh0st within one week of them getting infected with ADDNEW,” notes the FireEye researcher, Vinay Pidathala. “The machines used the ‘Gh0st’ magic keyword to beacon back to their CnCs.”
Some of the commands in ADDNEW need further research to unravel their functions, but “there are strings in the binary referencing ‘DarkDDOSER’,” writes Pidathala. “One can only speculate if in some way ‘DarkDdoser’ and the Gh0st RAT complement each other.”
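
The ‘Gh0st’ magic keyword beacon quoted above is something a defender can check for in the first bytes of a captured TCP stream. The Python below is an added example, not code from FireEye or from the original article; it assumes the commonly documented Gh0st header layout (5-byte keyword, two little-endian 32-bit length fields, zlib-compressed body), which the article does not describe, and every sample payload in it is constructed.

```python
import struct
import zlib

MAGIC = b"Gh0st"   # magic keyword quoted in the article
HEADER_LEN = 13    # assumed layout: 5-byte magic + two uint32 little-endian fields


def inspect_payload(payload: bytes) -> dict:
    """Classify the start of a TCP stream: clean, magic-only, or gh0st-beacon."""
    result = {"magic": False, "length_ok": False, "zlib_ok": False, "verdict": "clean"}
    if len(payload) < HEADER_LEN or not payload.startswith(MAGIC):
        return result
    result["magic"] = True
    total_len, plain_len = struct.unpack_from("<II", payload, len(MAGIC))
    # Assumed: total_len counts the whole packet, header included.
    result["length_ok"] = HEADER_LEN < total_len <= len(payload)
    if result["length_ok"]:
        try:
            # Cap output at 1 MiB so a hostile stream cannot exhaust memory.
            body = zlib.decompressobj().decompress(
                payload[HEADER_LEN:total_len], 1 << 20)
            result["zlib_ok"] = len(body) == plain_len
        except zlib.error:
            pass
    # The keyword alone is weak evidence; consistent lengths plus a valid
    # zlib body make a false positive on ordinary traffic unlikely.
    result["verdict"] = "gh0st-beacon" if result["zlib_ok"] else "magic-only"
    return result


def build_sample(body: bytes) -> bytes:
    """Constructed test packet in the assumed layout (not captured traffic)."""
    packed = zlib.compress(body)
    return MAGIC + struct.pack("<II", HEADER_LEN + len(packed), len(body)) + packed


# Constructed inputs: a well-formed packet, a truncated one, unrelated HTTP,
# and bytes that merely start with the keyword.
SAMPLES = {
    "well-formed": build_sample(b"constructed beacon body"),
    "truncated": build_sample(b"constructed beacon body")[:-3],
    "http": b"GET /Gh0st HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "magic-but-garbage": MAGIC + b"\x00" * 20,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:18} {inspect_payload(data)['verdict']}")
```

A "magic-only" verdict is worth a second look rather than an alert on its own, since it covers both truncated captures and unrelated data that happens to begin with the keyword.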