Phishing and SEO poisoning attacks have been leveraged to distribute the new PLAYFULGHOST information-stealing malware, which shares functionality with the Gh0st RAT remote administration tool, The Hacker News reports.

In the phishing intrusions, malicious emails with code-of-conduct-themed lures trick targets into opening a RAR archive disguised as an image file; the archive drops a Windows executable that runs PLAYFULGHOST. In the SEO poisoning intrusions, users are tricked into downloading a malicious LetsVPN installer that abuses DLL search order hijacking to eventually load the malware, an analysis from Google's Managed Defense team revealed. Aside from establishing persistence through four different methods, PLAYFULGHOST also supports keystroke logging, screenshot and audio capture, and the collection of QQ account information, system metadata, and clipboard contents. Researchers also observed PLAYFULGHOST deploying Mimikatz, a rootkit used for hiding its activity, and Terminator, a utility that kills security processes, as well as wiping data from clipboards, web browsers, and applications including Telegram, QQ, and Skype.
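The phishing lure above relies on a RAR archive whose file name claims to be an image. A content-based check catches that mismatch regardless of what the extension says. The following is an added example for illustration, not code from the report or from Google's analysis: it compares each file's leading bytes against well-known RAR and image signatures and flags names with an image extension whose bytes are actually a RAR archive. The sample files are constructed inline.

```python
# Added example (not from the original report): flag files whose extension
# claims an image but whose leading bytes identify a RAR archive, the lure
# described in the PLAYFULGHOST phishing chain. Inputs are constructed samples.
import os
from typing import Dict, List, Optional

# Leading-byte signatures for the formats we care about.
MAGIC = {
    b"Rar!\x1a\x07\x00": "rar",        # RAR 4.x archive
    b"Rar!\x1a\x07\x01\x00": "rar",    # RAR 5.x archive
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif"}


def sniff_type(data: bytes) -> Optional[str]:
    """Return the format implied by the file's first bytes, or None if unknown."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None


def is_spoofed_image(filename: str, data: bytes) -> bool:
    """True when the name has an image extension but the content is a RAR archive."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in IMAGE_EXTS and sniff_type(data) == "rar"


# Constructed samples: one real JPEG header, one RAR5 header under a .png name,
# and one RAR4 header under its honest extension.
SAMPLES: Dict[str, bytes] = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "image.png": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16,
    "notes.rar": b"Rar!\x1a\x07\x00" + b"\x00" * 16,
}


def scan(samples: Dict[str, bytes]) -> List[str]:
    """Return the names of files whose image extension hides a RAR archive."""
    return [name for name, data in samples.items() if is_spoofed_image(name, data)]


if __name__ == "__main__":
    for name in scan(SAMPLES):
        print(f"suspicious: {name} claims an image but contains a RAR archive")
```

The check deliberately keys on content rather than the name alone, since the name is exactly what the lure controls; in a mail gateway or endpoint scanner the same comparison would run over the attachment bytes before any extension-based handler is chosen.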