Long-standing C&C infrastructure contributes to threat group's success

Palo Alto Networks documented a threat group that's been using Gh0st malware for more than five years with some of the same infrastructure lasting nearly two years.
Palo Alto Networks documented a threat group that's been using Gh0st malware for more than five years with some of the same infrastructure lasting nearly two years.

For more than five years, a campaign involving variants of Gh0st malware, including a new variant, “Piano Gh0st,” have persisted, seemingly without a true target or purpose.

Palo Alto Networks detailed the Musical Chairs campaign, as it calls it, in a Tuesday blog post. More than anything, Ryan Olson, intelligence director at Palo Alto, told SCMagazine.com this campaign warrants attention for its lasting infrastructure.

The attackers have been using one Command and Control (C&C) server, for instance, for nearly two years. The Windows 2003 server has a U.S.-based IP address, but uses a Chinese language interface for Remote Desktop connections. Palo Alto documented 32 Gh0st samples connecting to this server, some of which date back to 2013.

“[It's] sort of an incredible amount of time given the number of people who have been hit with this campaign,” Olson commented. “If it was small and didn't hit a lot of targets you can see it not being off the internet by now, but quite a few people have been hit so you would think the service provider would take it down.”

Musical Chairs' infections date back to 2010, the blog post states, as the perpetrators really haven't changed up their tactics or phishing emails much; they often resort to the same body copy, and clearly the same infrastructure, which allowed Palo Alto to draw a connection among attack reports.

The lacking sophistication of its social engineering attempts indicated to Olson and the rest of his team that these attackers are “opportunistic,” or start with a single target and move on from there. When victims are infected through a phishing email, the malware scrapes their address book and spams their contacts through their legitimate, but compromised, email addresses.

Even if only a few recipients open the email and click the malicious link, the attackers will maintain the new infection with the hope that they will eventually gleaning something valuable from it, Olson said.

Given the clear indicators of a suspicious email in Musical Chairs' phishing attempts, Olson reiterated the tenets of phishing email defense, including not clicking strange links, even if they come from a familiar address.

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS