Stealthy PLAYFULGHOST Malware Masquerades as VPN Apps in Advanced Phishing Campaign

PLAYFULGHOST: A Sophisticated New Malware Threat Emerges

Google’s Managed Defense team has identified PLAYFULGHOST, a sophisticated new malware family that shares similarities with the infamous Gh0st RAT. This backdoor comes equipped with comprehensive surveillance capabilities, including keylogging, screen and audio capture, remote shell access, and file manipulation.

The malware spreads through two main vectors:
– Phishing emails containing fake code of conduct documents
– SEO poisoning techniques distributing compromised VPN applications, particularly LetsVPN

Once installed, PLAYFULGHOST establishes persistence through multiple methods:
– Run registry key
– Scheduled tasks
– Windows Startup folder
– Windows service creation
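An added example, not from the article or from Google's report, of how a defender can map endpoint telemetry to the four persistence mechanisms listed above. It uses constructed Sysmon-style events (Event ID 13 registry set, 1 process create, 11 file create); the field names mirror Sysmon, but every path and command line below is invented for the sample.

```python
import re

# Constructed sample events (not real telemetry), shaped like Sysmon records.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\u\AppData\Local\Temp\svc.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Updater" /tr "C:\Users\u\AppData\Local\Temp\svc.exe" /sc onlogon'},
    {"EventID": 11, "Image": r"C:\Users\u\AppData\Local\Temp\svc.exe",
     "TargetFilename": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.lnk"},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"sc create helper binPath= C:\Users\u\AppData\Local\Temp\svc.exe start= auto"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
]


def classify_persistence(event):
    """Return the persistence mechanism one event suggests, or None if it is benign-looking."""
    eid = event.get("EventID")
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    # Run / RunOnce key written under any hive (HKLM or a user SID under HKU).
    if eid == 13 and re.search(r"\\currentversion\\run(once)?\\", event.get("TargetObject", ""), re.I):
        return "run_key"
    # Scheduled task created via schtasks.exe.
    if eid == 1 and image.endswith("\\schtasks.exe") and "/create" in cmd:
        return "scheduled_task"
    # File dropped into the per-user or all-users Startup folder.
    if eid == 11 and "\\start menu\\programs\\startup\\" in event.get("TargetFilename", "").lower():
        return "startup_folder"
    # Service registered via sc.exe create.
    if eid == 1 and image.endswith("\\sc.exe") and re.search(r"\bcreate\b", cmd):
        return "service"
    return None


def scan(events):
    """Return (mechanism, image) pairs for every event that maps to a persistence mechanism."""
    hits = []
    for ev in events:
        mech = classify_persistence(ev)
        if mech:
            hits.append((mech, ev.get("Image", "")))
    return hits


if __name__ == "__main__":
    for mech, image in scan(SAMPLE_EVENTS):
        print(f"{mech:16} {image}")
```

Running it against the constructed events flags four of the five records, one per mechanism, and leaves the notepad launch alone.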

Key Features and Capabilities:
– Comprehensive data collection (keystrokes, screenshots, audio)
– QQ account information gathering
– System metadata extraction
– Security product detection
– Browser data manipulation
– Messaging application profile deletion
– Advanced payload deployment

The malware employs DLL search-order hijacking and side-loading for execution. It also uses additional tools such as Mimikatz for credential theft and a rootkit for process concealment. The Terminator utility, deployed alongside PLAYFULGHOST, targets security processes through BYOVD (bring-your-own-vulnerable-driver) attacks.

The focus on Chinese applications like Sogou, QQ, and 360 Safety suggests the malware primarily targets Chinese-speaking Windows users. The threat represents a significant evolution of its predecessor, Gh0st RAT, with broader and more versatile capabilities.