New GhostAdmin Malware Detected Being Utilized For Data Theft and Exfiltration


A new member of the ‘botnet malware’ category, dubbed ‘GhostAdmin’, has recently been detected. Security researchers identified it as a reworked version of CrimeScene, another botnet malware family that was reported active around 3-4 years ago. It is capable of compromising computer systems and letting crooks take complete control of them using commands sent through an IRC channel. The threat is already being used in live attacks: it has been deployed against two companies and has sniffed hundreds of GBs of data.

Spammers control GhostAdmin Victims Through IRC Commands

Written in C#, ‘GhostAdmin’ has been identified at version 2.0. Like many other threatening malware infections, it intrudes silently into the PC without seeking the user’s approval. Once loaded, it wreaks havoc on the system: it compromises the PC, acquires boot persistence and establishes a communications channel with its command and control (C&C) server, which is actually an IRC channel. The malware developers access this IRC channel and issue commands, which are then picked up by all the connected bots (i.e., compromised systems).

Once this channel is established, the malware is able to interact with the victim’s filesystem, browse to specific URLs, download and execute new files, record audio, exfiltrate data, take screenshots, interact with local databases, wipe browsing history, and so on.

A complete list of the available commands is shown in the image below:

Research reveals that GhostAdmin was specially crafted to collect data from the compromised PC and transfer it to a remote server for various malicious purposes. GhostAdmin works on the basis of a configuration file. According to the researchers, among the settings stored in this file are two sets of credentials: FTP credentials for the server to which all the sniffed data is uploaded, and email credentials used to send an email to the GhostAdmin author every time a victim runs the malware, and to transfer error reports.
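The two behaviours described above, a bot that joins an IRC channel and receives its instructions there, and data that is pushed out to an FTP server, both leave a recognisable footprint in network traffic. The following script is an added example, not code from the article or from the malware: it runs over a handful of constructed, reassembled TCP payloads (documentation-range addresses, made-up nicknames and filenames) and flags internal hosts that show IRC command-and-control activity, FTP uploads, or both. It matches on protocol verbs rather than on port 6667 alone, since an IRC C&C server can listen on any port, and it deliberately does not record the FTP password it sees, only the fact that a file was stored.

```python
import re
from collections import defaultdict

# Constructed sample of reassembled TCP payloads: (src_ip, dst_ip, service_port, payload).
# Addresses are from documentation ranges; every line of traffic here is made up for the example.
SAMPLE_FLOWS = [
    ("10.0.0.12", "203.0.113.5", 6667, "NICK bot-7a1f\r\nUSER bot 0 * :bot\r\n"),
    ("10.0.0.12", "203.0.113.5", 6667, "JOIN #control\r\n"),
    ("203.0.113.5", "10.0.0.12", 6667, ":op!op@host PRIVMSG #control :screenshot\r\n"),
    ("10.0.0.12", "203.0.113.9", 21, "USER drop\r\nPASS hunter2\r\nSTOR shots_2017.zip\r\n"),
    ("10.0.0.30", "192.0.2.10", 443, "\x16\x03\x01 (opaque TLS record, not parsed)"),
]

# Client-side IRC verbs: registering a nickname, joining a channel, sending a message.
IRC_CLIENT = re.compile(r"^(NICK|JOIN|PRIVMSG)\s+(\S+)", re.IGNORECASE)
# Server-side IRC line carrying a channel message to the bot: ':prefix PRIVMSG #chan :text'.
IRC_SERVER = re.compile(r"^:(\S+)\s+PRIVMSG\s+(#\S+)\s+:(.*)$", re.IGNORECASE)
# FTP upload commands (STOR creates a file, APPE appends to one).
FTP_UPLOAD = re.compile(r"^(STOR|APPE)\s+(\S+)", re.IGNORECASE)


def _new_finding():
    return {"irc_nicks": set(), "irc_channels": set(), "irc_ports": set(),
            "irc_commands": [], "ftp_uploads": []}


def analyze(flows):
    """Return {internal_host: finding} for hosts showing IRC C&C or FTP upload behaviour."""
    hosts = defaultdict(_new_finding)
    for src, dst, port, payload in flows:
        for raw in payload.splitlines():
            line = raw.strip()
            if not line:
                continue
            m = IRC_CLIENT.match(line)
            if m:
                # Traffic originating from the bot: attribute to the source host.
                verb, arg = m.group(1).upper(), m.group(2)
                finding = hosts[src]
                finding["irc_ports"].add(port)
                if verb == "NICK":
                    finding["irc_nicks"].add(arg)
                elif verb == "JOIN":
                    finding["irc_channels"].add(arg)
                continue
            m = IRC_SERVER.match(line)
            if m:
                # Channel message pushed by the server: the instruction text is what
                # the bot will act on, so attribute it to the receiving host.
                hosts[dst]["irc_commands"].append(m.group(3))
                continue
            m = FTP_UPLOAD.match(line)
            if m:
                # Record the uploaded filename only; USER/PASS lines are never stored.
                hosts[src]["ftp_uploads"].append(m.group(2))
    return {h: f for h, f in hosts.items()
            if f["irc_nicks"] or f["irc_channels"] or f["irc_commands"] or f["ftp_uploads"]}


def severity(finding):
    """IRC C&C plus outbound FTP upload from the same host is the GhostAdmin-style pattern."""
    irc = bool(finding["irc_channels"] or finding["irc_commands"])
    if irc and finding["ftp_uploads"]:
        return "high"
    if irc or finding["ftp_uploads"]:
        return "medium"
    return "low"


if __name__ == "__main__":
    for host, finding in analyze(SAMPLE_FLOWS).items():
        print(host, severity(finding), sorted(finding["irc_channels"]),
              finding["irc_commands"], finding["ftp_uploads"])
```

On the sample input the internal host 10.0.0.12 is rated "high": it registered a nick, joined #control, received the instruction "screenshot" from the channel and then uploaded a file over FTP, while the TLS session from 10.0.0.30 produces no finding at all. In a real deployment the flows would come from a network sensor or a proxy log rather than an inline list, and the IRC port set in each finding is useful for spotting C&C that avoids the standard port.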


GhostAdmin source code: Function to send an email when infecting new host

GhostAdmin source code: Function to send an email when malware execution generates an error

According to security experts, this version of the malware was compiled by a user with the nickname ‘Jarad’. Like several of his predecessors, he compromised his own system. Using the FTP credentials found in the malware’s configuration file, the experts found screenshots of the GhostAdmin author’s desktop on the FTP server. The researchers also found on the same server data that appeared to have been stolen from GhostAdmin victims (including an Internet cafe and a lottery company).

GhostAdmin’s IRC channel reportedly contains only around ten bots (i.e., an approximate victim headcount), which is very low compared to several other botnet malware families. Although GhostAdmin currently has few members, the chances are high that its membership could grow to those figures if its author ever decided to run a spam botnet such as Andromeda or Necurs.
