The ASEC analysis team is constantly monitoring malware distributed to vulnerable database servers (MS-SQL, MySQL servers). This blog will explain the RAT malware named Gh0stCringe[1].
Gh0stCringe, also known as CirenegRAT, is one of the malware variants based on the code of Gh0st RAT. It was first discovered in December 2018, and it is known to have been distributed via SMB vulnerability (using the SMB vulnerability tool of ZombieBoy).[2] Since then, no direct relationship has been found, but it was mentioned in the KingMiner CoinMiner analysis report[3] published in June 2020.
Gh0stCringe RAT that is recently being discovered is being distributed to vulnerable database servers. Gh0stCringe-related logs in AhnLab’s ASD show that logs were not only created by the sqlservr.exe process (MS-SQL server) but also by the MySQL server process for Windows environment (see figure below).
Considering the fact that MySQL servers are targets of attack in addition to MS-SQL servers, it can be assumed that Gh0stCringe targets poorly-managed DB servers with vulnerable account credentials.
Since database servers with vulnerable account credentials usually become targets of various attackers and malware, many different malware infection logs were found. In fact, the typical attack path of KingMiner malware that was mentioned above was an attack against SQL servers with vulnerable account credentials. Furthermore, the infection log of systems installed with Gh0stCringe shows a history of infection from different malware other than KingMiner such as Vollgar CoinMiner[4] that are distributed through brute force attacks.
Gh0stCringe was created based on the source code of publicly released Gh0st RAT. The following is a comparison between the CFileManager::OpenFile() function of Gh0st RAT that was publicly released and the function of Gh0stCringe. It shows that a part of the source code was used without modifications. Note that unlike normal variants where the majority of their codes is similar to the original code based on the Gh0st RAT source code, the majority of Gh0stCringe codes is unique just like how Gh0stCringe has its own name.
As its name suggests, Gh0stCringe RAT is a RAT malware that connects to the C&C server and performs various malicious behaviors by receiving commands from the attacker. The attacker can designate various settings to Gh0stCringe just like other RAT malware. The explanations in this blog are based on the analyzed sample.
The following is settings data of various features that can be performed when executed in addition to the C&C commands. There are 7 settings, and the malware performs different behaviors depending on the configured data.
- Self-copy [On/Off]: If turned on, copies itself to a certain path depending on the mode.
- Mode of execution [Mode]: Can have values of 0, 1, and 2. See below for explanations on the modes.
- File size change [Size]: In Mode #2, the malware copies itself to the path ‘%ProgramFiles%Cccogae.exe’, and if there is a set value, it adds junk data of the designated size to the back of the file.
- Analysis disruption technique [On/Off]: Obtains the PID of its parent process and the explorer.exe process. If it results in a value of 0, terminates itself.
- Keylogger [On/Off]: If turned on, keylogging thread operates.
- Rundll32 process termination [On/Off] If turned on, executes ‘taskkill /f /im rundll32.exe’ command to terminate the rundll32 process that is running.
- Self-copy file property [Attr]: Sets property to read-only, hidden, and system (FILE_ATTRIBUTE_READONLY|FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM).
The keylogging feature can operate by receiving a command from the C&C server, and it can also be activated depending on the settings data. Unlike Gh0st RAT which uses the Windows Hooking method (use of SetWindowsHookEx() API), Gh0stCringe uses the keylogging technique of Windows Polling method (using GetAsyncKeyState() API).
The malware saves logged user key inputs to the path ‘%SystemDirectory%Default.key’ by single-byte XOR encoding similarly to Gh0st RAT. In this case, 0x62 was used as the key.
Gh0stCringe supports four different modes. The three modes are the values of the settings data mentioned above, which were 0, 1, and 2. In addition to them, the malware is executed in an exclusive mode in Windows 10 version. All modes ultimately communicate with the C&C server and perform commands, but there are differences in their features related to maintaining persistence.
- Mode #0: If the ‘Rsuyke mkgcgkuc’ service does not exist, the malware creates the service but does not register it in a proper way. If the self-copy setting is turned on, the malware copies itself to the path %ProgramFiles% with a random name. As the created service is not registered in a proper way and the malware does not use additional techniques such as Run Key registration, persistence is not maintained.
- Mode #1: Just like in Mode #0, the malware creates an abnormal ‘Rsuyke mkgcgkuc’ service. It registers the service to HKLM Run Key, enabling it to maintain persistence.
- Mode #2: The malware copies itself to the path %ProgramFiles%Cccogae.exe’ and registers to ‘Rsuyke mkgcgkuc’ service. When it executes the service, it gives ‘Win7’ as the argument and executes Gh0stCringe. As the service is registered in a proper way, persistence is maintained. Additionally, if the self-copy settings is turned on, it copies itself to the path ‘%SystemDirectory%[Random].bak’.
- Mode Windows 10: It registers to HKCU Run Key, enabling it to maintain persistence.
After the initial routine, it connects to the C&C server and communicates periodically, waiting for the attacker’s command. Apart from the command perform routine, it collects the following information of the infected system on initial connection and sends it to the C&C server.
| Offset | Size | Description |
| +0x0000 | 0x01 | 0xC8 |
| +0x0001 | 0x07 | “Default” |
| +0x0024 | 0x04 | IP address of the infected system |
| +0x0028 | 0x04 | Host name of the infected system |
| +0x005C | 0x9C | Windows ver. |
| +0x00F8 | 0x04 | Number of CPUs |
| +0x010C | 0x04 | CPU speed (GHz) |
| +0x0114 | 0x04 | Network performance |
| +0x0118 | 0x04 | Number of webcams |
| +0x011C | 0x04 | Wow64 availability |
| +0x0120 | 0x04 | Memory capacity (MB) |
| +0x0124 | 0x04 | Local disk capacity (MB) |
| +0x0128 | 0x04 | Date of malware installation |
| +0x0159 | N/A | List of installed security products |
| +0x01BE | N/A | Certain data area (not used) |
| +0x0204 | 0x04 | Network interface speed (Mbps) |
| +0x0208 | 0x04 | “V9.0” |
| +0x0228 | 0x04 | Whether there were key inputs in the last 3 minutes |
The most noticeable collected data is the list of installed security products. The malware scans the names of the currently running processes compares them to the following list, and if they match, it records the information and sends it to the C&C server.
The original Gh0st RAT uses a signature string called “Gh0st” just like its name to communicate with the C&C server. The following is the routine that decides on the “Gh0st” string via PacketFlag in the original Gh0st RAT.
The following is the packet structure of Gh0stCringe before its encryption. The information of the infected system listed above was a 0x22C size, and additional data of a 0xF size was added in the front. The “xy “ string (first 3 bytes 0x787920) is the signature string of Gh0stCringe.
The following table provides the details on the structure of the packet before its encryption:
| Offset | Size | Data | Description |
| +0x00 | 0x03 | “xy “ | Signature string |
| +0x03 | 0x04 | 0x0000023B | Total packet size |
| +0x07 | 0x04 | 0x0000022C | Size of data to be sent |
| +0x0B | 0x04 | 0x00000001 | Hard-coded data |
| +0x0F | Variable | Variable | Data collected from the infected system |
The data that has been created goes through a self-encoding method and is ultimately encrypted. The following is the packet encryption routine and the packet created through this process to be sent to the C&C server:
The following is a list of various commands that can be received from the C&C server and performed. Some of the commands of Gh0stCringe exist in the original Gh0st RAT, but there are many unique commands as well.
Performing Commands
– Downloader: Downloads additional payload from the C&C server and executes it. Can send specific arguments.
– Connecting to a specific URL: Connects to a specific website via Internet Explorer There is an option to hide the window so that the user does not notice it.
– Destroying MBR
Stealing Information
– Keylogging: Regardless of whether there is settings data or not, keylogging can be performed by the C&C server’s command.
– Stealing clipboard: Steals the saved data to the current clipboard.
– Collecting Tencent-related file information: Collects the list of files in the path ‘%APPDATA%TencentUsers’, and it is assumed that it would normally include user data related to QQ Messenger.
Self-Control
– Update: Updates the malware
– Uninstall: Deletes the registered service and self-deletes using a batch file. Also deletes the keylogging data Default.key file.
– Service control: Changes the ‘Host’ or ‘ConnectGroup’ item for the malware service (‘Rsuyke mkgcgkuc’).
– Event Cleanup
– Registering Run Key: Registers Run Key for the path ‘C:Program FilesCommon Filesscvh0st.exe’.
System Control
– Terminating system
– Rebooting NIC
Additional Module Control
Downloads an additional module from the C&C server to memory and loads it to call the following export function. Judging by the export function, the first module appears to be a proxy-related module, and the second module appears to be a Plugin module with additional features.
– Module #1: Export function OpenProxy(), CloseProxy()
– Module #2: Export function PluginMe()
Others
– Scanning whether a certain process is running
– Scanning for the existence of certain Windows
– Writing for a certain registry: ‘HKLMSYSTEMClore / Clore’
– Message pop-up
Typical attacks that target database servers (MS-SQL, MySQL servers) include brute force attacks and dictionary attacks to systems where account credentials are poorly being managed. Although it seems like these methods make up the majority of the attacks, there can be vulnerability attacks against systems where their vulnerability has not been patched.
In the case of MS-SQL servers, servers that have been installed by ERP and work-purpose solutions are being targeted by attackers in addition to the servers that are established normally. Because of this, administrators should use passwords that are difficult to guess for their accounts and change them periodically to protect the database server from brute force attacks and dictionary attacks, and maintain the latest patch to prevent vulnerability attacks. Administrators should also use security programs such as firewalls for database servers accessible from outside to restrict access of external attackers.
AhnLab’s anti-malware software, V3, detects and blocks the malware above using the aliases below.
[File Detection]
– Backdoor/Win.Gh0stRAT.C4976413 (2022.02.19.00)
– Backdoor/Win.Gh0stRAT.C4976420 (2022.02.19.00)
[IOC]
MD5
– bd8611002e01d4f9911e85624d431eb0
– 9adc9644a1956dee23c63221951dd192
– 782cbc8660ff9e94e584adfcbc4cb961
C&C
– tuwu.meibu[.]net:2220
– 172.86.127[.]224:8000
[References]
[1] https://twitter.com/James_inthe_box/status/1125004664041197568
[2] https://www.binarydefense.com/gh0stcringeformerly-cirenegrat/
[3] https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-labs-kingminer-botnet-report.pdf
[4] https://www.guardicore.com/blog/vollgar-ms-sql-servers-under-attack/
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
Source: https://asec.ahnlab.com/en/32572/