🚨 Attackers abuse #LOLBin to execute payloads without triggering alerts. The real challenge for SOC teams is spotting this behavior early before it escalates into a full incident.

👾 See rundll32 abuse delivering #Gh0stRAT exposed in real time: https://app.any.run/tasks/c00a5ca2-7fc2-4e59-b3d2-1f45d55a03ab/?utm_source=mastodon&utm_medium=post&utm_campaign=LOLBin_attacks_case&utm_term=241125&utm_content=linktoservice
📚 Read the report to learn how to spot LOLBin abuse techniques with interactive analysis: https://any.run/cybersecurity-blog/lolbin-attacks-soc-detection-guide/?utm_source=mastodon&utm_medium=post&utm_campaign=LOLBin_attacks_case&utm_term=241125&utm_content=linktoblog

#cybersecurity #infosec

Digital Doppelgangers: Anatomy of Evolving Impersonation Campaigns Distributing Gh0st RAT
#Gh0stRAT #DeepSeek
https://unit42.paloaltonetworks.com/impersonation-campaigns-deliver-gh0st-rat/

Two campaigns delivering Gh0st RAT to Chinese speakers show a deep understanding of the target population's virtual environment and online behavior.

Unit 42

Happy Wednesday everyone!

#GodRAT is a new remote trojan that is targeting financial institutions as reported by Kaspersky. According to their analysis, GodRAT is based on the #Gh0stRAT codebase and uses steganography to evade detection. It supports additional plugins that are used to explore the victim's systems, deploy browser password stealers, and during the attack they even deployed the #AsyncRAT as a backup to maintain access.

Looking at two password stealer payloads can give us some ideas of where to begin a hunt focused on this threat: Both the Chrome and MS Edge password stealer added an executable to the path %ALLUSERSPROFILE%\google\ and named them after the browser they were after ("chrome.exe" and "msedge.exe" respectively). An interesting hunt would be to look at new executables added to this directory OR hunt for executables that may be masquerading as browser related executables! However you do it, get hunting!

GodRAT – New RAT targeting financial institutions
https://securelist.com/godrat/117119/

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #IntelDriveThreatHunting


Kaspersky experts analyze GodRAT, a new Gh0st RAT-based tool attacking financial firms. It is likely a successor of the AwesomePuppet RAT connected to the Winnti group.

Kaspersky
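
The hunt described in the Intel 471 post above, as an added example that is not code from Intel 471 or from the Kaspersky GodRAT report: it runs the two hunting ideas (new executables under %ALLUSERSPROFILE%\google\, and browser-named executables living outside the browser's install directory) over a constructed set of file-creation events. It assumes %ALLUSERSPROFILE% expands to its Windows default of C:\ProgramData, and the allowlist of legitimate Chrome and Edge install directories is an assumption for the example rather than something the report states.

```python
import ntpath

# %ALLUSERSPROFILE% expands to C:\ProgramData on a default Windows install;
# the post's hunt looks for new executables under %ALLUSERSPROFILE%\google\.
ALLUSERSPROFILE = r"C:\ProgramData"
SUSPECT_DIR = ntpath.normcase(ntpath.join(ALLUSERSPROFILE, "google"))

# Where the genuine browser binaries live, expressed as directory suffixes so
# that Program Files, Program Files (x86) and per-user installs all match.
# This allowlist is an assumption for the example; tune it to your estate.
EXPECTED_BROWSER_DIRS = {
    "chrome.exe": [r"\Google\Chrome\Application"],
    "msedge.exe": [r"\Microsoft\Edge\Application"],
}

# Constructed file-creation events standing in for EDR or Sysmon telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "path": r"C:\ProgramData\google\chrome.exe"},
    {"host": "WS01", "path": r"C:\ProgramData\google\msedge.exe"},
    {"host": "WS02", "path": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"host": "WS02", "path": r"C:\Users\bob\AppData\Local\Google\Chrome\Application\chrome.exe"},
    {"host": "WS03", "path": r"C:\Users\alice\AppData\Local\Temp\chrome.exe"},
    {"host": "WS03", "path": r"C:\ProgramData\google\readme.txt"},
]


def hunt_browser_masquerade(events):
    """Return the events that match either hunting idea from the post."""
    findings = []
    for event in events:
        # Normalise case and separators so comparisons do not depend on how
        # the sensor rendered the path.
        full = ntpath.normcase(ntpath.normpath(event["path"]))
        directory, name = ntpath.split(full)
        if not name.endswith(".exe"):
            continue
        reasons = []
        # Idea 1: anything executable dropped into %ALLUSERSPROFILE%\google\.
        if directory == SUSPECT_DIR:
            reasons.append("new executable under %ALLUSERSPROFILE%\\google")
        # Idea 2: a browser-named binary that is not where the browser installs.
        expected = EXPECTED_BROWSER_DIRS.get(name)
        if expected is not None and not any(
            directory.endswith(ntpath.normcase(suffix)) for suffix in expected
        ):
            reasons.append("browser-named executable outside its install directory")
        if reasons:
            findings.append({"host": event["host"], "path": event["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in hunt_browser_masquerade(SAMPLE_EVENTS):
        print(hit["host"], hit["path"], "|", "; ".join(hit["reasons"]))
```

Both GodRAT drops are flagged on both grounds, the Temp-directory chrome.exe only on the masquerade rule, and the real Program Files and per-user Chrome installs pass; in practice you would feed the same logic with file-creation events from your EDR and add signer or hash checks before escalating.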
DeepSeek Deception: Sainbox RAT & Hidden Rootkit Delivery

Summary Netskope Threat Labs has discovered a campaign using fake installers to deliver the Sainbox RAT and Hidden rootkit. During our threat hunting

Netskope
Silent Killers: Unmasking a Large-Scale Legacy Driver Exploitation Campaign
#SilverFox #Gh0stRAT
https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/

Highlights Introduction While the abuse of vulnerable drivers has been around for a while, those that can terminate arbitrary processes have drawn increasing attention in recent years. As Windows security continues to evolve, it has become more challenging for attackers to execute malicious code without being detected. As a result, the attackers often aim to […]

Check Point Research

🚨 Cyberattackers are using a vulnerable Windows driver to evade detection and deliver the #Gh0stRAT malware.

Thousands of modified driver variants, including RogueKiller’s truesight.sys, are now actively bypassing defenses. #MalwareAttacks #CyberAttacks https://thehackernews.com/2025/02/2500-truesightsys-driver-variants.html

2,500+ Truesight.sys Driver Variants Exploited to Bypass EDR and Deploy HiddenGh0st RAT

A large-scale malware campaign exploited a vulnerable Windows driver to bypass security and deploy HiddenGh0st RAT.

The Hacker News

This is a destructive OPSEC failure.
PoC code is trivial to find along with a simple Censys query to uncover vulnerable hosts. The code itself supports a TXT file of URLs so... spray and pray method to find targets. Certain campaigns used #XMRig, GoThief, and backdoors like #Gh0stRAT and #PlugX.

It should go without saying to not make your file servers open to the public but some didn't get the memo.
#HFS #CVE202423692 #ThreatIntel

https://asec.ahnlab.com/en/67650/

Attack Cases Against HTTP File Server (HFS) (CVE-2024-23692) - ASEC BLOG

AhnLab Security Emergency response Center

ASEC BLOG
Spies with upgraded Gh0st RAT appear to be new operation, researchers say

Researchers at Cisco Talos have given a recently discovered cyber-espionage group its own name: SneakyChef. The operation uses a fresh variant of malware previously favored by Chinese-speaking threat actors.

"👾 HiddenGh0st Malware: A Silent Menace to MS-SQL Servers 🖥️"

The HiddenGh0st malware, a variant of the notorious Gh0st RAT, has been wreaking havoc on MS-SQL servers. Developed by the C. Rufus Security Team from China, this malware has evolved, now deploying an open-source rootkit named Hidden to ensure its stealth and persistence on infected systems. The malware is distributed in a packed state to evade detection, and once unpacked, it communicates with its C&C server, receiving commands to execute various malicious activities. It's capable of keylogging, stealing account credentials via Mimikatz, and even enabling remote desktop for further exploitation. The primary targets appear to be Chinese users, given the malware's specific focus on QQ Messenger data exfiltration. The detailed analysis by AhnLab's ASEC provides a deep dive into its nefarious functionalities and the threat it poses to poorly managed MS-SQL servers.

Source: ASEC Blog

Tags: #HiddenGh0st #Gh0stRAT #MSSQL #Cybersecurity #MalwareAnalysis #Rootkit #ChineseCyberThreats #InfoSec #AhnLab 🇨🇳🔐🖥️

HiddenGh0st Malware Attacking MS-SQL Servers - ASEC BLOG


While Gh0st RAT has been extensively used in various cyber campaigns linked to China over the years, the emergence of ValleyRAT suggests that it may see wider deployment in the future.

#Cybersecurity #Malware #Phishing #Trojan #Gh0stRAT #ValleyRAT

https://cybersec84.wordpress.com/2023/09/20/new-phishing-campaign-targets-chinese-users-with-valleyrat-and-gh0st-rat/

New Phishing Campaign Targets Chinese Users with ValleyRAT and Gh0st RAT

Chinese-language speakers have become the primary targets of numerous email phishing campaigns that have recently emerged. These campaigns aim to distribute a range of malicious software, including…

CyberSec84 | Cybersecurity news.