| Category | Details |
|---|---|
| Threat Actors | Not explicitly named, but the malware shares functionality with Gh0st RAT, indicating potential ties to similar threat actor groups. |
| Campaign Overview | New malware, PLAYFULGHOST, uses phishing emails and SEO poisoning to deliver trojanized VPN apps, primarily targeting Chinese-speaking users. |
| Target Regions (Or Victims) | Chinese-speaking Windows users, particularly those using VPN apps and messaging applications such as QQ and Telegram. |
| Methodology | • Phishing emails carrying trojanized VPN apps. • SEO poisoning to distribute the malware. • DLL search order hijacking, side-loading, and rogue shortcut files for execution. |
| Product Targeted | VPN apps (LetsVPN), messaging apps (QQ, Telegram), web browsers (Sogou, QQ, 360 Safety, Firefox, Google Chrome). |
| Malware Reference | PLAYFULGHOST, which shares features with Gh0st RAT. |
| Tools Used | Mimikatz, rootkit, Terminator (BYOVD attack), BOOSTWAVE, DLL hijacking, custom dropper. |
| Vulnerabilities Exploited | DLL search order hijacking, side-loading, and Windows shortcut manipulation. |
| TTPs | • Phishing emails. • SEO poisoning. • DLL hijacking and side-loading. • Dropper payloads. • Persistence methods (Run registry key, scheduled tasks, etc.). |
| Attribution | Likely state-sponsored or organized cybercrime groups, based on the tools and techniques used. |
| Recommendations | • Be cautious when downloading VPN apps and clicking email links. • Regularly update antivirus and anti-malware tools. |
| Source | The Hacker News |
Read full article: https://thehackernews.com/2025/01/playfulghost-delivered-via-phishing-and.html
The above summary has been generated by an AI language model