Know Your Digital Enemy
On March 29, 2009, the Information Warfare Monitor (IWM) published a document titled . This document details the extensive investigative research surrounding the attack and compromise of computer systems owned by the Private Office of the Dalai Lama, the Tibetan Government-in-Exile, and several other Tibetan enterprises. After 10 months of exhaustive investigative work, this team of talented cyber investigators identified the tool used to compromise victim systems—a sophisticated piece of malware named Gh0st RAT (Remote Access Terminal).

On May 25, 2011, cyber investigator, forensic tool writer, and author Harlan Carvey published a blog post listing some of his favorite forensic tools. In this post, Harlan referred to an interesting, yet dated, website that described, in detail, the capabilities of the Gh0st RAT malware. This site, “xpl0it Analysis,” even includes links to download a beta version (3.6) of the Gh0st RAT source code.

As soon as I navigated to the stale “xpl0it Analysis” website and read the details of the Gh0st RAT malware, I became very interested in learning more about it. Even though the links to the Gh0st Beta source code on the xpl0it Analysis site were removed long ago, I was able to find a copy of it somewhere on the Internet and decided to analyze it.

Examination of the Gh0st RAT source code revealed that it is a derivative of the same code used to create the RAT binaries described in the IWM research paper and the xpl0it Analysis website. Unfortunately, the code base would not compile due to numerous coding bugs and missing dependencies.

After many weeks of work, I was able to correct hundreds of bugs in the source code, which allowed me to build a working version of Gh0st RAT Beta 3.6. Although I converted the resource text labels from Chinese to English, the base source code was left intact.

This document describes what I learned during my analysis of the Gh0st RAT source code. I describe in great detail how the multiple binaries work together, the extensive capabilities of the malware, and the structure of the source code tree. I also explore how the malware compromises a host, its obfuscation and encryption methods, and how it communicates. Finally, I provide some tips on how to identify a host compromised by the RAT and how to defend against it.

Even though this Gh0st RAT contains source code dating back to 2001, the lessons we can learn from it are very relevant today. In early 2011, McAfee Foundstone and McAfee researchers identified a Gh0st RAT, very similar to the one described in this paper, that was used to attack large corporations in the oil and gas industry. This investigation, known as Night Dragon, is described in a separate white paper.

The use of RAT tools by cybercriminals continues because they are very efficient and powerful. They are lightweight and provide complete remote control access to a compromised host. The command and control (C2) component can manage thousands of compromised hosts. Understanding how these tools work is critical if we want to understand the threat and put in place countermeasures to defend against their use.
Gh0st RAT Overview
If you are not familiar with the technical capabilities of a Gh0st RAT, in this section I show the actual operation of a RAT using screen shots. There are two main components of a Gh0st RAT system: the client and the server.

The server is a small Microsoft Windows DLL that runs on a compromised host. It runs as a Windows service and starts up when the system starts. Upon startup, it connects and “checks in” to a C2 client and awaits further instructions.
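Because the server component is a DLL that runs as an auto-starting Windows service, one practical triage check on a suspect host is to enumerate every service that is implemented as a DLL and flag those whose DLL lives outside the Windows directory, is missing, or is unsigned. The following PowerShell script is an added example written for this paper's readers; it is not code from the paper or from the Gh0st RAT source tree. It assumes the service DLL is registered the standard way for DLL-based services (the `ServiceDll` value under the service's `Parameters` key, loaded by `svchost.exe`), and it runs read-only against the local registry.

```powershell
# Added example, not from the original paper: triage auto-start, DLL-hosted Windows services.
# Assumption: a DLL-based service registers its module in
#   HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll
# Run from an elevated PowerShell prompt on the host under investigation.

$winDir   = $env:SystemRoot
$services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue

$findings = foreach ($svcKey in $services) {
    # Only services that are implemented as a DLL have a Parameters\ServiceDll value.
    $params = Get-ItemProperty -Path "$($svcKey.PSPath)\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue
    if (-not $params -or -not $params.ServiceDll) { continue }

    $dllPath = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
    $main    = Get-ItemProperty -Path $svcKey.PSPath -Name ImagePath, Start -ErrorAction SilentlyContinue
    $exists  = Test-Path -LiteralPath $dllPath

    # Start = 2 means "Automatic": the service is launched at boot, as the paper describes.
    $autoStart = ($main.Start -eq 2)

    # Signature status is only meaningful when the file is actually present on disk.
    $sigStatus = 'FileMissing'
    if ($exists) {
        $sigStatus = (Get-AuthenticodeSignature -FilePath $dllPath).Status.ToString()
    }

    $outsideWinDir = -not $dllPath.StartsWith($winDir, [StringComparison]::OrdinalIgnoreCase)

    # Flag anything that is not a signed DLL living under the Windows directory.
    if ($outsideWinDir -or -not $exists -or $sigStatus -ne 'Valid') {
        [PSCustomObject]@{
            Service    = $svcKey.PSChildName
            ImagePath  = $main.ImagePath
            ServiceDll = $dllPath
            AutoStart  = $autoStart
            OnDisk     = $exists
            Signature  = $sigStatus
        }
    }
}

# Auto-start entries first, since those match the persistence behaviour described above.
$findings | Sort-Object -Property @{Expression = 'AutoStart'; Descending = $true}, Service |
    Format-Table -AutoSize
```

Expect some legitimate third-party services to appear in the output (unsigned vendor DLLs are common), so treat the list as a starting point for review rather than a verdict; the signals that matter most for the behaviour described in this section are an automatic-start service whose DLL is unsigned, sits in an unusual directory, or has already been deleted from disk.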