Gh0st RAT malware TLP:WHITE
The below information is shared by CERT-IN (Government of India) as part of their regular monitoring and analysis.
Description:
[CMTX-P12072018] Gh0st RAT malware TLP:WHITE
There is a surge in the distribution of Gh0stRAT malware, a full-featured remote access Trojan for the Windows operating system. Attackers are distributing Gh0stRAT by using HTTP File Server (commonly abbreviated as HFS, a free and easy way to send and receive files across the Internet). Attackers are exploiting the HTTP File Server vulnerability (CVE-2018-8174) to download the file from the URL onto disk; the downloaded file was identified as Gh0st RAT. Once this malware reaches the victim machine, it tries to communicate with a C2 server under the attacker's control.
A comprehensive list of IOCs is provided for your action.
CERT-IN recommends:
• Keep checking the web proxy logs for users downloading files with the MD5 hashes listed in the IOC section from an external host using a non-standard or high TCP port.
• Monitor connection attempts towards the listed domains/IPs. The list may include compromised domains/IP resources as well. Blocking the domains/IPs is solely the recipient's responsibility, after diligently verifying them, without impacting operations.
• Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses, and block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
• Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorized software from gaining execution on endpoints.
• Restrict execution of PowerShell/WScript in the enterprise environment. Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled (script block logging and transcription). Send the associated logs to a centralized log repository for monitoring and analysis.
• Always keep patch levels up to date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
• Keep operating systems and software up to date with the latest patches.
• Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, deny all incoming connections and only allow services you explicitly want to offer to the outside world.
• Install anti-malware engines, scan with them regularly, and keep them up to date.
• Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
• If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised web site can cause infection if certain browser vulnerabilities are not patched.
• Implement a strict external device (USB drive) usage policy.
• Configure VPN and SSH for device access if remote access is required.
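One way to implement the proxy-log checks in the first two recommendations (listed C2 hosts, listed MD5 hashes, downloads from an external host on a non-standard port), added here as an example and not part of the CERT-In advisory. The log format, the IoC values and all hostnames are constructed stand-ins; in use, the IoC sets would be loaded from the advisory's own list.

```python
import ipaddress
import re

# Constructed stand-ins for the advisory's hostname/IP and MD5 lists; in
# production load the real values from the advisory's IoC section.
IOC_HOSTS = {"rat-c2.example.net", "203.0.113.10"}
IOC_MD5 = {"0123456789abcdef0123456789abcdef"}
STANDARD_PORTS = {80, 443}

# Constructed proxy log format: "<time> <user> <method> <url> <status> <md5|->"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
                    r"(?P<status>\d{3}) (?P<md5>\S+)$")
URL_RE = re.compile(r"^(?P<scheme>https?)://(?P<host>[^/:]+)(?::(?P<port>\d+))?(?:/.*)?$")

def is_external(host):
    """DNS names count as external; IP literals only if outside private ranges."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True

def analyse_line(line):
    """Return (user, host, port, reasons) for a suspicious entry, else None."""
    m = LOG_RE.match(line.strip())
    u = URL_RE.match(m["url"]) if m else None
    if not u:
        return None  # unparseable line: skip rather than abort the sweep
    host = u["host"].lower()
    port = int(u["port"]) if u["port"] else (443 if u["scheme"] == "https" else 80)
    reasons = []
    if host in IOC_HOSTS:
        reasons.append("destination is a listed C2 host")
    if m["md5"].lower() in IOC_MD5:
        reasons.append("downloaded file matches a listed MD5")
    if m["method"] == "GET" and port not in STANDARD_PORTS and is_external(host):
        reasons.append(f"download from external host on non-standard port {port}")
    return (m["user"], host, port, tuple(reasons)) if reasons else None

def scan(lines):
    """Run the three checks over every proxy log line and keep the hits."""
    return [f for f in map(analyse_line, lines) if f]

# Constructed sample log: a clean entry, an HFS-style pull from a listed C2 on
# port 7777, a hash hit over HTTPS, a benign internal port, an unlisted high port.
SAMPLE_LOG = [
    "2018-07-12T10:00:01 alice GET http://www.example.com/index.html 200 -",
    "2018-07-12T10:02:13 bob GET http://rat-c2.example.net:7777/update.exe 200 0123456789abcdef0123456789abcdef",
    "2018-07-12T10:05:44 carol GET https://files.example.org/tool.exe 200 0123456789ABCDEF0123456789ABCDEF",
    "2018-07-12T10:07:02 dave GET http://10.0.0.5:8080/report.pdf 200 -",
    "2018-07-12T10:09:30 erin GET http://mirror.example.com:8081/setup.exe 200 -",
]
```

The port check alone will flag legitimate mirrors on high ports, so treat it as a triage signal to combine with the host and hash hits rather than as a block rule.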
Note: The above information and security advisory was shared by CERT-IN as per their analysis, and we do not have any other details pertaining to this incident. For protection against the latest threats and vulnerabilities, users may visit the CERT-In website: www.cert-in.org.in. Alerts on the latest malware are published under the VIRUS ALERTS section.