Have you been haunted by the Gh0st RAT today?
March 23, 2017
If you run certain network monitoring and security appliances, you may have had a few small heart attacks today. Organizations all around the world are receiving alerts that they may have a system that is infected with the Gh0st remote access trojan (RAT). Making things worse is that it will likely appear that it is a server that is infected. The good news is there is a very strong chance the alerting is a false positive. There is likely nothing malicious going on and all your need to do is tune your signatures.
It turns out that Shodan is doing scans across the Internet in what appears to be an attempt to identify Gh0st RAT command and control (C2) servers. If you are not familiar with Gh0st, it’s a full featured RAT that sends a packet flag that is typically shared by the command and control server. The default packet flag, of which there are many variations, is none other than Gh0st. It may not actually be necessary to send the correct string to get a Gh0st C2 server to respond, but it can’t hurt the effort. In the cases that Volexity has observed thus far, Shodan is sending the following:
0000000: 4768 3073 74ad 0000 00e0 0000 0078 9c4b Gh0st……..x.K
0000010: 5360 6098 c3c0 c0c0 06c4 8c40 bc51 9681 S“……..@.Q..
0000020: 8109 4807 a716 9565 26a7 2a04 2426 672b ..H….e&.*.$&g+
0000030: 1832 94f6 b030 30ac a872 6300 0111 a082 .2…00..rc…..
0000040: 1f5c 6026 83c7 4b37 8619 e56e 0c39 956e .\`&..K7…n.9.n
0000050: 0c3b 840f 33ac e873 6368 a85e cf34 274a .;..3..sch.^.4’J
0000060: 97a9 82e3 30c3 9168 5d26 90f8 ce97 53cb ….0..h]&….S.
0000070: 4134 4c3f 323d e1c4 9286 0b40 f560 0c54 A4L?2=…..@.`.T
0000080: 1fae af5d 0a72 0b03 23a3 dc02 7e06 8603 …].r..#…~…
0000090: 2b18 6dc2 3dfd 7443 2c43 fd4c 3c3c 3d3d +.m.=.tC,C.L<<==
00000a0: 5c9d 1988 00e5 2002 0054 f52b 5c \….. ..T.+\
Not too far into the traffic is a zlib header. You can easily decode this traffic from a packet capture file with a framework like ChopShop. The Shodan traffic decodes to the following:
TOKEN: LOGIN: WIN-T9UN4HIIHEC: Windows 7 Service Pack 1 – Build: 7601 – Clock: 4000 Mhz – IP: 192.168.1.60 Webcam: yes
The Shodan scans are sending traffic that would be consistent with an infected Windows 7 system named WIN-T9UN4HIIHEC.
What this boils down to is that your alerts for a Gh0st RAT infection are likely false positives and the result of inbound scanning. Shodan is an excellent resource of information and constantly does scans to catalog different parts of the Internet. You can easily verify this by looking at the direction of the traffic, observing if the source of the traffic is from Shodan, or by looking at the payload and comparing it with the above. You can tune any alerting you might have to make sure this traffic is alerting based on traffic outbound from and not inbound to your network.