PLAYFULGHOST Delivered via Phishing and SEO Poisoning in Trojanized VPN Apps

Category: Details

Threat Actors: Not named in the source. PLAYFULGHOST shares functionality with Gh0st RAT, whose source code has been public since 2008, so the overlap on its own does not identify an operator.

Campaign Overview: A new backdoor, PLAYFULGHOST, is delivered through phishing emails and SEO poisoning that push trojanized VPN installers, primarily at Chinese-speaking users.

Target Regions (or Victims): Chinese-speaking Windows users, particularly those who install VPN clients and use messaging apps such as QQ and Telegram.

Methodology:
• Phishing emails carrying trojanized VPN apps.
• SEO poisoning that surfaces malicious installer downloads for VPN search terms.
• Execution via DLL search-order hijacking, DLL side-loading, and rogue Windows shortcut (.lnk) files.

Products Involved: LetsVPN (impersonated by the trojanized installers); the QQ and Telegram messaging clients and the Sogou, QQ, 360 Safety, Firefox, and Google Chrome browsers (applications whose local data the implant targets).

Malware Reference: PLAYFULGHOST, a backdoor sharing features with Gh0st RAT.

Tools Used: Mimikatz, a rootkit, Terminator (BYOVD: loads a vulnerable signed driver to kill security processes), BOOSTWAVE (in-memory dropper shellcode), DLL hijacking, a custom dropper.

Vulnerabilities Exploited: None in the targeted applications. The chain abuses intended Windows behaviour (DLL search order, side-loading by legitimate signed executables, shortcut file handling); the only exploited flaw is the vulnerable driver that Terminator brings with it.

TTPs:
• Phishing emails.
• SEO poisoning.
• DLL hijacking and side-loading.
• Dropper payloads.
• Persistence via the Run registry key, scheduled tasks, the Startup folder, and Windows services.

Attribution: The source does not attribute the campaign. The Gh0st RAT code overlap and the Chinese-language targeting are the only indicators given; they do not establish a state-sponsored or criminal operator.

Recommendations:
• Obtain VPN clients only from the vendor's official site; treat search-result downloads and emailed installers or archives as untrusted.
• Keep antivirus and anti-malware tools updated, and alert on known-abusable signed drivers being loaded (BYOVD).
• Hunt for side-loading: signed executables running from user-writable directories that load DLLs from the same directory under names that normally resolve to System32.
• Alert on new Run registry values, scheduled tasks, Startup folder entries, and services that point to user-writable paths.

Source: The Hacker News

Read full article: https://thehackernews.com/2025/01/playfulghost-delivered-via-phishing-and.html

The above summary has been generated by an AI language model


Published on: January 5, 2025
