VPN with surprise
by 11ndra - Thursday January 9, 2025 at 04:06 AM
#1
3rd translated thread. The article was announced on 6 January 2025.

How freeware protection turned into a hunt for users' passwords.

Cybersecurity researchers have discovered a new malware called PLAYFULGHOST that has extensive information gathering capabilities. It includes keylogging, screen and audio capture, remote access via command line, and file transfer with execution.
According to the Google Cloud Security team, this malware shares similarities with Gh0st RAT, a well-known remote administration tool whose source code was disclosed back in 2008. The main infection paths for PLAYFULGHOST are phishing emails and SEO spoofing.
In one of the phishing cases, the attackers used a RAR archive disguised as an image with a “.jpg” extension. Once extracted and run, the archive downloads a malicious executable to the device, which eventually downloads and activates PLAYFULGHOST from a remote server.
Another infection method via SEO spoofing involves downloading the LetsVPN installer, which contains intermediate malicious code responsible for installing malware components.

To execute the attack, attackers use techniques such as DLL Hijacking and DLL Sideloading to launch a malicious library that loads and decrypts PLAYFULGHOST in device memory. In complex scenarios, a combination of multiple files is executed to form a malicious DLL using a modified version of the Curl utility.
PLAYFULGHOST becomes entrenched in the system via registry keys, task scheduler, autoboot folder, and Windows services. The malware is capable of collecting keystroke data, screenshots, audio, account information, clipboard contents, system metadata and installed antivirus products. It can also block keyboard and mouse input, clear Windows event logs, delete browser cache, messenger profiles and perform other dangerous operations.

just FYI for someone who's not familiar with specific types of attack:

Quote: DLL Sideloading - hijacking the DLL that a program loads. Instead of simply installing the DLL in the program's search order and then waiting for the victim application to be invoked, the attacker directly loads its payload by installing and then running a legitimate application that executes its payload.
DLL Hijacking is an attack that involves replacing a legitimate DLL file with a malicious library. The delivery of a third-party component can be done through a special loader injected into the system or through user files processed by a program that uses the library. The goal of the attack is to execute third-party code in the environment of a compromised application.

In addition, PLAYFULGHOST can distribute additional tools, including Mimikatz and rootkits that hide files and processes. One such tool is Terminator, which exploits driver vulnerabilities to kill security processes. At one stage of the analysis, experts recorded that PLAYFULGHOST is spreading with the BOOSTWAVE downloader, which uses shellcode to inject malicious executables.

Targeted apps such as Sogou, QQ and 360 Safety, as well as decoys in the form of LetsVPN indicate a possible focus on Chinese-speaking Windows users. Previously, in July 2024, Canada-based eSentire reported similar malicious operations where fake Google Chrome installers were used to spread Gh0st RAT.
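As an added example (not from the article or the forum post), a small Python scan over constructed Sysmon-style JSON events that flags the two behaviours the post describes: a DLL sideloaded from the same untrusted folder as its host executable, and persistence written to Run keys, a service ImagePath, or the Startup folder. The event shape, field names, paths and the "Signed" field are assumptions for illustration, not real telemetry.

```python
import json

# Constructed sample events in a Sysmon-like JSON shape (assumed layout, not real logs):
# 7 = image (DLL) load, 11 = file create, 13 = registry value set.
SAMPLE_LOG = "\n".join([
    json.dumps({"EventID": 7, "Image": r"C:\Users\bob\Downloads\LetsVPN\setup.exe",
                "ImageLoaded": r"C:\Users\bob\Downloads\LetsVPN\version.dll", "Signed": "false"}),
    json.dumps({"EventID": 7, "Image": r"C:\Program Files\Example\app.exe",
                "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"}),
    json.dumps({"EventID": 13, "Details": r"C:\Users\bob\AppData\Roaming\upd.exe",
                "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"}),
    json.dumps({"EventID": 13, "Details": r"C:\Users\bob\AppData\Roaming\fakesvc.exe",
                "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\fakesvc\ImagePath"}),
    json.dumps({"EventID": 11, "Image": r"C:\Users\bob\Downloads\LetsVPN\setup.exe",
                "TargetFilename": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk"}),
    json.dumps({"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Example\Settings", "Details": "1"}),
])

# Directories a standard user cannot normally write to; everything else is "untrusted".
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def is_trusted(path):
    return path.lower().startswith(TRUSTED_DIRS)

def classify(ev):
    """Return a finding label for one event, or None if it looks benign."""
    eid = ev.get("EventID")
    if eid == 7:
        # Sideloading pattern: unsigned DLL loaded from the same untrusted folder as the EXE.
        dll_dir = ev["ImageLoaded"].rsplit("\\", 1)[0].lower()
        exe_dir = ev["Image"].rsplit("\\", 1)[0].lower()
        if dll_dir == exe_dir and not is_trusted(ev["ImageLoaded"]) and ev.get("Signed") != "true":
            return "possible_dll_sideload"
    elif eid == 13:
        key, target = ev["TargetObject"].lower(), ev.get("Details", "")
        if "\\currentversion\\run" in key and not is_trusted(target):   # Run / RunOnce
            return "run_key_persistence"
        if "\\services\\" in key and key.endswith("\\imagepath") and not is_trusted(target):
            return "service_persistence"
    elif eid == 11 and "\\start menu\\programs\\startup\\" in ev["TargetFilename"].lower():
        return "startup_folder_persistence"
    return None

def scan(log_text):
    """Parse newline-delimited JSON events and return a list of (label, event) findings."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        ev = json.loads(line)
        label = classify(ev)
        if label:
            findings.append((label, ev))
    return findings

if __name__ == "__main__":
    for label, ev in scan(SAMPLE_LOG):
        print(label, ev.get("ImageLoaded") or ev.get("Details") or ev.get("TargetFilename"))
```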