Threat actors have used the new Gh0stGambit dropper to distribute the Gh0st RAT malware in drive-by download attacks against Chinese-speaking Windows users, The Hacker News reports.
According to an eSentire analysis, the campaign hosts Google Chrome-spoofing installer packages on a fraudulent Chrome download site. Each package drops a legitimate Chrome setup executable alongside a trojanized installer that loads Gh0stGambit; the dropper first checks for running security software and only then fetches Gh0st RAT, so the victim sees a working Chrome install while the RAT is staged in the background.
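The attack chain above depends on the victim running an installer that merely looks like Chrome. The practical pre-execution check is to confirm the file carries a valid Authenticode signature from Google before it is allowed to run. The PowerShell script below is an added example written for this page, not code from eSentire or from the report; the installer path is supplied by the caller and the expected signer string `CN=Google LLC` is an assumption that should be matched against a known-good installer in your environment.

```powershell
# Added example (not from the eSentire report): refuse to run a "Chrome installer"
# unless it is validly signed and the signer is Google.
# Assumptions: $InstallerPath is supplied by the caller; $ExpectedSignerPattern
# is a substring of the signer subject seen on a known-good Chrome installer.
param(
    [Parameter(Mandatory = $true)]
    [string]$InstallerPath
)

$ExpectedSignerPattern = 'CN=Google LLC'   # assumption; confirm against a genuine installer

if (-not (Test-Path -LiteralPath $InstallerPath)) {
    throw "File not found: $InstallerPath"
}

$sig = Get-AuthenticodeSignature -FilePath $InstallerPath

# Status is 'Valid' only when the file is unmodified and the signature chains
# to a trusted root. Unsigned droppers return 'NotSigned'; tampered binaries
# return 'HashMismatch'.
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status '$($sig.Status)': $($sig.StatusMessage)"
    exit 1
}

# A valid signature alone is not enough: a stolen or self-issued certificate
# can still produce 'Valid'. Require the expected signer subject as well.
$subject = $sig.SignerCertificate.Subject
if ($subject -notlike "*$ExpectedSignerPattern*") {
    Write-Warning "Valid signature, but signer is '$subject', not the expected Google subject. Treat as a spoofed installer."
    exit 1
}

# Record the SHA-256 so the file can later be matched against vendor-published
# hashes or a blocklist.
$hash = (Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA256).Hash
Write-Output "OK: '$InstallerPath' signed by '$subject'; SHA256=$hash"
exit 0
```

Run it as `.\Check-ChromeInstaller.ps1 -InstallerPath .\ChromeSetup.exe` (the script name is illustrative). Note the limitation this campaign exploits: the spoofed package bundles a genuinely signed Chrome setup executable, so checking the inner file is not sufficient. The check has to be applied to the outer artifact the user actually downloaded and double-clicks, which is the one the fraudulent site controls.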
Beyond process termination, file deletion, remote command execution, and data exfiltration, Gh0st RAT can also deliver Mimikatz, enable Remote Desktop Protocol (RDP) access, clear Windows event logs, and wipe browser data, the researchers said. They also noted overlaps between this sample and the Gh0st RAT variant "Hidden Ghost" previously documented by AhnLab Security Intelligence Center researchers.
"The recent findings highlight the distribution of this threat via drive-by downloads, deceiving users into downloading a malicious Chrome installer from a deceptive website," said eSentire researchers.