Google’s Managed Defense team has identified PLAYFULGHOST, a backdoor that shares functionality with Gh0st RAT, the remote access trojan whose source code was leaked publicly in 2008. The backdoor carries a full surveillance toolset: keylogging, screen and audio capture, a remote shell, and file transfer and manipulation.
The malware is distributed through two main vectors:
– Phishing emails built around a fake code of conduct document as the lure
– SEO poisoning that surfaces trojanized installers for VPN software, LetsVPN in particular, so that the victim installs the backdoor alongside the application they searched for
Once installed, PLAYFULGHOST establishes persistence through any of four autostart mechanisms, so triage should check all of them rather than stop at the first hit:
– A Run registry key
– A scheduled task
– A copy in the Windows Startup folder
– A Windows service
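The following script is an added triage example written for this article; it is not code from the Google Managed Defense report or from the malware. It enumerates the four autostart locations listed above on a Windows host and flags entries launched from user-writable paths, which is where dropped loaders and trojanized installers usually live. Run it in an elevated PowerShell 5.1 or later session on the host under investigation; the regex for "suspicious" paths is a heuristic chosen here, not an indicator from the report.

```powershell
# Added example (not from the report): enumerate the four persistence
# locations the article names and flag entries run from user-writable paths.
$findings = @()

# 1. Run / RunOnce keys for the machine and the current user
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PS* metadata properties Get-ItemProperty adds
        if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
        $findings += [pscustomobject]@{ Source = 'RunKey'; Name = "$key\$($p.Name)"; Command = [string]$p.Value }
    }
}

# 2. Scheduled tasks outside the built-in \Microsoft\ tree
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    foreach ($a in $_.Actions) {
        # COM-handler actions have no Execute property; only exec actions matter here
        if ($a.Execute) {
            $findings += [pscustomobject]@{ Source = 'ScheduledTask'; Name = "$($_.TaskPath)$($_.TaskName)"; Command = "$($a.Execute) $($a.Arguments)" }
        }
    }
}

# 3. Per-user and all-users Startup folders
foreach ($d in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -Path $d -File -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [pscustomobject]@{ Source = 'StartupFolder'; Name = $_.FullName; Command = $_.FullName }
    }
}

# 4. Services whose binary does not live under the Windows directory
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '^"?[A-Za-z]:\\Windows\\' } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName }
    }

# Heuristic (chosen for this example): anything run from a user-writable
# location is reviewed first. Matching is case-insensitive by default.
$suspiciousPath = '\\(Users|ProgramData|Temp|AppData|Public)\\'
$findings |
    Select-Object @{ Name = 'Suspicious'; Expression = { $_.Command -match $suspiciousPath } }, Source, Name, Command |
    Sort-Object Suspicious -Descending |
    Format-Table -AutoSize
```

Expect benign hits in the Suspicious column (updaters and per-user tools legitimately live under AppData); the point is to get every autostart entry on one screen so a loader dropped next to a trojanized installer cannot hide behind the one persistence method you happened to check.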
Key Features and Capabilities:
– Data collection: keystrokes, screenshots, and audio from the microphone
– Harvesting of QQ account information
– Collection of system metadata
– Enumeration of installed security products
– Clearing browser caches (Sogou, QQ, and 360 Safety browsers)
– Deletion of messaging application profiles (Skype, Telegram, QQ)
– Dropping and executing additional payloads
For execution the malware relies on DLL search order hijacking and side-loading: a legitimate executable is placed next to a malicious DLL so that the Windows loader resolves the library from the application directory instead of System32, and the trusted binary ends up running attacker code. Supporting tools observed with it include Mimikatz for credential theft, a rootkit that hides processes, files, and registry keys, and the Terminator utility, which uses a bring-your-own-vulnerable-driver (BYOVD) technique to load a signed but exploitable driver and kill security processes from kernel context.
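As an added example for the side-loading technique described above (written for this article, not taken from the report), the following PowerShell walks every process it can open and reports DLLs that were resolved from the process's own directory even though a DLL of the same name exists in System32. That is exactly the condition a search-order hijack exploits. The output includes the Authenticode status of each DLL, because in these attacks the host executable is usually legitimately signed while the dropped DLL is not.

```powershell
# Added example (not from the report): surface DLLs loaded from an executable's
# own directory that shadow a DLL of the same name in System32.
# Run elevated; processes that cannot be opened are skipped.
$system32 = Join-Path $env:SystemRoot 'System32'

Get-Process | ForEach-Object {
    $proc = $_
    try {
        $exe     = $proc.MainModule.FileName
        $modules = $proc.Modules
    } catch {
        return   # protected, system, or other-bitness process: module list not readable
    }
    $exeDir = Split-Path $exe -Parent
    foreach ($m in $modules) {
        if (-not $m.FileName) { continue }
        $modDir  = Split-Path $m.FileName -Parent
        $modName = Split-Path $m.FileName -Leaf
        # Loaded from the application directory AND a same-named DLL ships in System32
        if ($modDir -ieq $exeDir -and (Test-Path (Join-Path $system32 $modName))) {
            [pscustomobject]@{
                Pid       = $proc.Id
                Process   = $proc.ProcessName
                Exe       = $exe
                Dll       = $m.FileName
                DllSigned = (Get-AuthenticodeSignature -FilePath $m.FileName).Status
            }
        }
    }
} | Format-Table -AutoSize
```

Applications that ship their own copies of common runtimes will show up here, so treat the list as leads rather than verdicts: a signed executable from a known vendor sitting in a user-writable directory beside an unsigned DLL that shadows a System32 name is the combination worth pulling for analysis.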
The focus on Chinese applications such as Sogou, QQ, and 360 Safety indicates that the campaign primarily targets Chinese-speaking Windows users. PLAYFULGHOST keeps the core remote-access functionality of Gh0st RAT but layers on new lures, execution and persistence tricks, and supporting tooling, making it a more versatile threat than its predecessor.