gh0st RAT

gh0st RAT is a remote access tool (RAT). The source code is public and it has been used by multiple groups. [1][2][3]

ID: S0032
Type: MALWARE
Platforms: Windows, macOS

Version: 2.0

Techniques Used

Domain     | ID    | Name                                | Use
Enterprise | T1059 | Command-Line Interface              | gh0st RAT is able to open a remote shell to execute commands. [1][3]
Enterprise | T1043 | Commonly Used Port                  | gh0st RAT uses port 443 for C2 communications. [3]
Enterprise | T1073 | DLL Side-Loading                    | A gh0st RAT variant has used DLL side-loading. [2]
Enterprise | T1107 | File Deletion                       | gh0st RAT has the capability to delete files. [1]
Enterprise | T1070 | Indicator Removal on Host           | gh0st RAT is able to wipe event logs. [1]
Enterprise | T1056 | Input Capture                       | gh0st RAT has a keylogger. [4]
Enterprise | T1050 | New Service                         | gh0st RAT can create a new service to establish persistence. [3]
Enterprise | T1057 | Process Discovery                   | gh0st RAT has the capability to list processes. [1]
Enterprise | T1060 | Registry Run Keys / Startup Folder  | gh0st RAT adds a Registry Run key to establish persistence. [3]
Enterprise | T1105 | Remote File Copy                    | gh0st RAT can download files to the victim's machine. [3]
Enterprise | T1085 | Rundll32                            | A gh0st RAT variant has used rundll32 for execution. [2]
Enterprise | T1113 | Screen Capture                      | gh0st RAT can capture the victim's screen remotely. [3]
Enterprise | T1032 | Standard Cryptographic Protocol     | gh0st RAT uses RC4 and XOR to encrypt C2 traffic. [3]

Groups

Groups that use this software:

APT18
PittyTiger
TA459

References