HiddenGh0st Malware Attacking MS-SQL & MySQL Servers
Gh0st RAT is a remote access control malware that is widely used by Chinese threat actors. Its source code is publicly available, and it was created by China's C. Rufus Security Team.
ASEC (AhnLab Security Emergency Response Center) identified a Gh0st RAT variant that uses the Hidden rootkit to target MS-SQL servers, concealing the malware's presence and preventing its removal.
HiddenGh0st is a Gh0st RAT variant with QQ Messenger information theft capabilities; its attacks have persisted since 2022 and most likely target Chinese users.
Cybersecurity researchers at ASEC recently reported that the HiddenGh0st malware is actively targeting and attacking poorly managed MS-SQL and MySQL servers.
Hackers Attacking MS-SQL & MySQL Servers
HiddenGh0st evades detection by being packed: the packer decrypts and executes the PE file in memory and passes it 0x848 bytes of configuration data.
Besides this, the configuration data covers the following items:-
- C&C URL
- Installation method
- Path
- File name
- Rootkit activation
Options that are disabled in the configuration data, such as the downloader thread's URL, could have been used to trigger downloads of additional external malware.
Another option, when enabled, fetches the infected machine's public IP address from http[:]//www[.]taobao[.]com/help/getip[.]php and sends it to the C&C server.
In the configured 'Service' mode, HiddenGh0st saves the installation time as 'MarkTime' under HKLM\SYSTEM\Select and registers itself as a service that launches it with the '-auto' argument.
The configuration specifies a dummy data size, and 0x00800000 bytes of dummy data are appended to the file. After that, the original file is deleted, and HiddenGh0st relaunches as a service with the '-acsi' argument.
In the configured 'Startup Folder' mode, the installation time is likewise stored in 'MarkTime' under HKLM\SYSTEM\Select; HiddenGh0st then copies itself using the DefineDosDeviceA() API.
After that, it creates a symbolic link '.agmkis2', appends the dummy data, runs the copied malware, and deletes the original one.
Stolen Data
The complete list of stolen data is given below:-
- 0x66
- Windows version information
- CPU speed
- Number of CPUs
- Public IP address
- Private IP address
- Host name of the infected machine
- Number of webcams
- Internet connection delay time
- Network interface speed
- Memory capacity
- Local disk capacity
- "Default" string (decrypted from the configuration data) or the "5750b8de793d50a8f9eaa777adbf58d4" value of the BITS registry
- System boot time
- "1.0" (version)
- List of installed security products
- Wow64 availability
- Malware installation time (MarkTime)
- Logged-in QQ Messenger number
- Whether 3 minutes have passed since the last key input
- Internet connection type (MODEM, LAN, PROXY)
Security product information is gathered by scanning process names for the following keywords:-
"360tray.exe", "360sd.exe", "kxetray.exe", "KSafeTray.exe", "QQPCRTP.exe", "HipsTray.exe", "BaiduSd.exe", "baiduSafeTray.exe", "KvMonXP.exe", "RavMonD.exe", "QUHLPSVC.EXE", "QuickHeal", "mssecess.exe", "cfp.exe", "SPIDer.exe", "DR.WEB", "acs.exe", "Outpost", "V3Svc.exe", "AYAgent.aye", "avgwdsvc.exe", "AVG", "f-secure.exe", "F-Secure", "avp.exe", "Mcshield.exe", "NOD32", "knsdtray.exe", "TMBMSRV.exe", "avcenter.exe", "ashDisp.exe", "rtvscan.exe", "remupd.exe", "vsserv.exe", "BitDefender", "PSafeSysTray.exe", "ad-watch.exe", "K7TSecurity.exe", "UnThreat.exe", "UnThreat"
HiddenGh0st extends the standard Gh0st RAT features, adding the version string "1.0" and the identifier "Default" taken from the configuration data. When the keylogger is activated, it saves its data as "6gkIBfkS+qY=.key" in %SystemDirectory%.
Furthermore, HiddenGh0st does the following to send the extracted data to the C&C server:-
- Installs Mimikatz
- Extracts account credentials
Protect MS-SQL servers from brute force attacks with strong passwords, regular password changes, and up-to-date security tools such as firewalls to block external threats and stop ongoing infections.
IOCs
MD5
- 69cafef1e25734dea3ade462fead3cc9: HiddenGh0st
- 0d92b5f7a0f338472d59c5f2208475a3: Hidden x86 Rootkit (QAssist.sys)
- 4e34c068e764ad0ff0cb58bc4f143197: Hidden x64 Rootkit (QAssist.sys)
C&C
- leifenghackyuankong.e3.luyouxia[.]win:14688
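As an added example (not from ASEC or the article above), this Python hunt rule correlates the persistence marker, service launch arguments, rootkit driver, keylogger output file and C&C endpoint described on this page against a list of simplified Sysmon-style events; the event field names, rule labels and sample file paths are constructed assumptions.

```python
import re

# Artifacts taken from the report above; rule names are my own labels.
REGISTRY_MARK = re.compile(r"\\SYSTEM\\Select\\MarkTime$", re.I)
KEYLOG_FILE = re.compile(r"\\System32\\6gkIBfkS\+qY=\.key$", re.I)
ROOTKIT_DRIVER = "qassist.sys"
SERVICE_ARGS = {"-auto", "-acsi"}
C2_HOST, C2_PORT = "leifenghackyuankong.e3.luyouxia.win", 14688


def triage(events):
    """Return (rule, detail) pairs for events matching HiddenGh0st artifacts."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "registry_set" and REGISTRY_MARK.search(ev["path"]):
            findings.append(("persistence-marker", ev["path"]))
        elif kind == "file_create" and KEYLOG_FILE.search(ev["path"]):
            findings.append(("keylogger-output", ev["path"]))
        elif kind == "driver_load" and ev["image"].lower().endswith(ROOTKIT_DRIVER):
            findings.append(("hidden-rootkit", ev["image"]))
        elif kind == "process_create":
            # Service-mode relaunch: services.exe starts the binary with -auto / -acsi.
            args = set(ev["cmdline"].split()[1:])
            parent = ev.get("parent", "").lower()
            if args & SERVICE_ARGS and parent.endswith("\\services.exe"):
                findings.append(("service-launch-arg", ev["cmdline"]))
        elif kind == "network_connect":
            if ev["dst_host"].lower() == C2_HOST and ev["dst_port"] == C2_PORT:
                findings.append(("c2-connection", f"{C2_HOST}:{C2_PORT}"))
    return findings


# Constructed sample telemetry (the binary name and paths are invented for the demo).
SAMPLE_EVENTS = [
    {"type": "registry_set", "path": r"HKLM\SYSTEM\Select\MarkTime", "data": "2023-09-01 10:02"},
    {"type": "process_create", "cmdline": r"C:\Windows\Temp\svchost32.exe -auto",
     "parent": r"C:\Windows\System32\services.exe"},
    {"type": "process_create", "cmdline": "notepad.exe -auto",
     "parent": r"C:\Windows\explorer.exe"},  # same argument, not started by the SCM: ignored
    {"type": "driver_load", "image": r"C:\Windows\System32\drivers\QAssist.sys"},
    {"type": "file_create", "path": r"C:\Windows\System32\6gkIBfkS+qY=.key"},
    {"type": "network_connect", "dst_host": "leifenghackyuankong.e3.luyouxia.win",
     "dst_port": 14688},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:20} {detail}")
```

The MarkTime value and the '-auto'/'-acsi' launch are the cheapest things to sweep for across a fleet, since they survive even when the rootkit hides the process and file.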
Source credit : cybersecuritynews.com