Gh0stRAT Remote Access Trojan

Gh0stRAT is a remote access trojan affecting Windows platforms and has been used to hack into some of the most sensitive computer networks in the world. It is generally distributed via spam emails.

Threat ID:: CC-1309
Category:: Spyware, Trojan
Threat Severity:: Medium
Threat Vector:: Email spam
Published:: 6 April 2017 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

Gh0stRAT is a remote access trojan affecting Windows platforms and has been used to hack into some of the most sensitive computer networks in the world. It is generally distributed via spam emails.

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Microsoft Windows - All versions

Threat details

The trojan consists of two main components; a client and a server.

Controller Application: This is known as the client, which is typically a Windows application that is used to track and manage Gh0stRAT servers on remote compromised hosts. The two main functions this module serves is the management and control of Gh0stRAT servers and the ability to create customised server install programs.

Windows DLL : The DLL is named SVCHOST.DLL. This is the Windows DLL that is installed on a compromised host as a Windows service. This service is the server component of the Gh0st toolkit. It checks in to the Gh0st client on startup and awaits instructions.

Once installed and active, Gh0stRAT is able to do the following:

Take full control of the remote screen on the infected bot.
Provide real time as well as offline keystroke logging.
Provide live feed of webcam, microphone of infected host.
Download remote binaries on the infected remote host.
Take control of remote shutdown and reboot of host.
Disable infected computer remote pointer and keyboard input.
Enter into shell of remote infected host with full control.
Provide a list of all the active processes.

Remediation steps

Type	Step
	A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. All operating systems, antivirus and other security products are kept up to date. All day to day computer activities such as email and internet are performed using non-administrative accounts. Strong password policies are in place and password reuse is discouraged. Network, proxy and firewall logs should be monitored for suspicious activity.

Type

Step

A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
All operating systems, antivirus and other security products are kept up to date.
All day to day computer activities such as email and internet are performed using non-administrative accounts.
Strong password policies are in place and password reuse is discouraged.
Network, proxy and firewall logs should be monitored for suspicious activity.

Last edited: 17 February 2020 11:31 am