BlackTech APT Uses the Gh0stTimes Malware
Gh0stTimes is an upgraded variant of a well-known Remote Access Trojan, Gh0st RAT. Both have been used in multiple attack campaigns by the BlackTech hacking group. Gh0stTimes appears to receive regular updates that extend its functionality while keeping it under the radar of antivirus products.
Gh0st RAT was involved in several high-profile attacks in 2020, but its feature set apparently did not satisfy the BlackTech operators, who also use the TsCookieRAT alongside it. Some of Gh0stTimes' signature features are inherited from the original project, such as the custom communication protocol. The operators also pad the malware with large amounts of dummy code to obscure its real functions and hinder detection and analysis.
Gh0stTimes Malware, an Enhanced Gh0st RAT Variant
Gh0stTimes currently supports five commands. The list is short, but it covers the tasks an operator needs on a compromised system:
- File operations.
- Remote shell command execution.
- Changing the command-and-control (C2) server.
- Running a proxy.
- Terminating the connection to the host.
The operators control infected hosts through a Graphical User Interface (GUI) control panel. Unlike many comparable projects, the panel is not web-based; the operators run it locally rather than accessing it over the web. Systems infected with Gh0stTimes often had several other implants running on them as well, such as Trojan downloaders and backdoors. It is not clear whether BlackTech deployed these too; the same systems may have been compromised separately by other attackers scanning for vulnerabilities. Incident responders should therefore treat co-resident implants as potentially unrelated tooling and attribute each one on its own evidence.