Gh0st RAT has a new roommate. A new backdoor called ADDNEW has been discovered on machines infected with the Gh0st remote access Trojan, adding new distributed denial of service attack capabilities, as well as a feature that targets passwords and credentials stored on the Firefox browser.
Gh0st RAT is a notorious piece of malware having been used in the Aurora attacks on Google, Adobe and other large manufacturers and technology companies. Most recently, new variants of Gh0st were present in water-holing attacks called VOHO analyzed by RSA Security’s FirstWatch research team.
Attacking Windows machines, Gh0st is essentially espionage software with phone-home capabilities to a command-and-control server. Attackers can remotely control Gh0st-infected machines and drop additional malware such as keyloggers and other surveillance capabilities against high-value targets in industries such as finance, the government or military.
ADDNEW, meanwhile, is complementary malware, according to FireEye senior director of security research Zheng Bu. Both pieces of code communicate with the same command-and-control IP address (31.33.33.7) via different ports. Within a week of infecting a computer with Gh0st, ADDNEW was showing up on the same machine.
While most Gh0st infections connect to C&C servers in China, ADDNEW infections are connecting to an IP address in France. “Gh0st was developed, and has been mostly used, by China hackers,” Bu said. “But the Gh0st development team released the source code of multiple versions, so everyone can take it and modify.”
The DDoS capabilities appear to be similar to Russian malware known as DarkDDoSER, adding another layer of intrigue to this malware puzzle. Bu said FireEye has seen a DarkDDoSER code string in ADDNEW’s binary and the DDoS feature set is almost identical to DarkDDoSER.
Bu said there hasn’t been significant DDoS activity from ADDNEW yet, but added there have been infections reported from several industries including oil, chemical and telecommunications.
FireEye also said that when the ADDNEW binary is executed, it drops an executable called svchost and uses a custom protocol over TCP to receive instructions from the botmaster. It communicates whether it’s a first-time infection, what port it’s listening on and that it’s listening for further instruction.
ADDNEW is able to steal Firefox passwords by getting the path to the browser’s signons.sqlite database where credentials are stored. Its DDoS functionality includes UDP, SYN and HTTP flood commands.
Gh0stRAT is part of the Gh0stNet operation which dates back to 2009. Most of its C&C has been found in China and the malware has been used in attacks against sensitive government and military targets, as well as a high-profile incursion against the Dalai Lama’s computer network.
Most Gh0stNet attacks start with a phishing campaign which leads to a Gh0stRAT infection. Gh0stRAT links up with a C&C server and receives instructions and malware to conduct deeper attacks against targets.