gh0st

gh0st is a remote access tool (RAT). The source code is public and it has been used by many groups. [1]

ID: S0032
Aliases: gh0st
Type: MALWARE
Platforms: Windows, macOS

Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059 | Command-Line Interface | gh0st RAT is able to open a command shell.[1] |
| Enterprise | T1073 | DLL Side-Loading | A gh0st variant has used DLL side-loading.[2] |
| Enterprise | T1107 | File Deletion | gh0st RAT is able to delete files.[1] |
| Enterprise | T1070 | Indicator Removal on Host | gh0st RAT is able to wipe event logs.[1] |
| Enterprise | T1056 | Input Capture | The gh0st RAT has a keylogger.[3] |
| Enterprise | T1057 | Process Discovery | gh0st RAT is able to list processes.[1] |
| Enterprise | T1085 | Rundll32 | A gh0st variant has used rundll32 for execution.[2] |

Groups

Groups that use this software:

APT18
Night Dragon
PittyTiger
TA459

References