GhostAdmin Campaign Targets Users and Businesses in Jamaica

On 17 January 2017, researchers at MalwareHunterTeam and BleepingComputer reported the discovery of a new IRC-based malware named GhostAdmin that is capable of performing remote commands, capturing screenshots, and logging keystrokes. At the time, our assessment of this malware was that it was relatively unsophisticated and likely still in development. Following these reports, we began tracking the development and distribution of this malware.

Recently, we identified a campaign targeting users in Jamaica with the GhostAdmin malware. Many of these users were targeted through webmail attachments, possibly on work computers and/or during work hours. Due to the diversity of the infected devices, the criminal(s) responsible acquired several types of data, including but not limited to email, banking, and point-of-sale (POS) application credentials from these victims.

Business-related victims in this campaign work for the following industries:

  • Advertising
  • Shipping and manufacturing
  • Food, supermarket, and wholesale distributors
  • Education
  • Electronics
  • Government
  • Hospitality
  • Pharmacy
  • Small businesses

From this list, the food and restaurant industry appears to be the most heavily impacted by this campaign. Specifically, a well-known supermarket chain had multiple workstations infected with the GhostAdmin malware. As of 6 March 2017, hosts were still transmitting data to the command-and-control (C2) server we identified. Cyber4Sight is currently in the process of notifying the victims identified during our research.

Cyber4Sight’s assessment of the malware remains unchanged: the malware lacks sophistication. It leverages two clear-text protocols (IRC and FTP) for communication, and in the sample we analyzed, the attacker information (including the emails used to receive logs via SMTP) was only obfuscated via Base64 encoding. Despite these shortcomings, this campaign demonstrates that unsophisticated malware can still be effective against individuals or enterprises lacking a mature security posture.

Technical Information

The campaign we identified appears to have begun in mid-February and led to the infection of 88 workstations across more than 30 different companies. During our analysis, we observed multiple screenshots of malicious attachments from infected workstations. These screenshots, as well as logged data from the infected hosts, suggest that there may have been several waves of malicious emails. These emails used malicious invoices as attachments, including at least one PDF and one Microsoft Excel spreadsheet. These files used double file extensions and the appropriate icons to appear legitimate.

GhostAdmin Botnet Malicious Attachments

Screenshots of malicious attachments associated with GhostAdmin campaign

On one of the C2 servers used in this campaign, Cyber4Sight identified a tool called the “CrimeScene mailer.” We find this discovery notable, as GhostAdmin was initially reported to be based on the CrimeScene malware. In addition, it is possible that this tool was used to distribute the malware through malicious links (it does not appear to have a mechanism for including attachments).

CrimeScene Mailer spam tool identified on C2 server


GhostAdmin primarily relies on a list of commands transmitted over IRC. Some of the more notable actions the malware is capable of taking include:

  • Screenshotting
  • Remote desktop access
  • File uploading
  • Keylogging
  • Browser data deletion
  • System information collection

Although a commenter in open sources identified this file as version 2.0 of the GhostAdmin malware, Cyber4Sight has not identified any significant functional differences in the malware since BleepingComputer’s initial report in January 2017. Several commands that were commented within the code as “in development” remain non-functional, suggesting that the malware may continue to develop. An example of one such feature is below:

Non-functional code in GhostAdmin

As a result of the analysis of this campaign and its associated malware, we maintain our assessment that this malware is unsophisticated for the following reasons:

  • The malware relies on two clear-text protocols to transfer data to a C2 server, exposing the responsible actor or actors and associated infrastructure.
  • The infrastructure and email addresses used by the malware are obfuscated through Base64 encoding, which can be easily deciphered.
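The Base64 obfuscation noted above is trivial to reverse during triage. The following Python example is added here and is not code from the original report or from the malware: it scans a constructed strings(1)-style dump for Base64 tokens that decode to e-mail addresses or IRC/FTP hostnames, the kind of C2 and log-recipient values the report describes. All sample values are made-up placeholders on the reserved .invalid domain, not real indicators.

```python
import base64
import binascii
import re
import string

# Constructed sample of a strings dump from a GhostAdmin-like binary.
# The Base64 tokens below decode to placeholder values, not real IOCs.
SAMPLE_STRINGS = """
!This program cannot be run in DOS mode.
aXJjLmV4YW1wbGUtYzIuaW52YWxpZA==
bG9nc0BtYWlsLmludmFsaWQ=
ZnRwLmMyLmludmFsaWQ=
GetModuleHandleA
kernel32.dll
""".strip().splitlines()

# Base64 alphabet, at least 12 characters, optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")
# Printable ASCII minus vertical tab / form feed, which rarely occur in config strings.
PRINTABLE = set(string.printable) - set("\x0b\x0c")
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w.-]+\.\w+$")
# Heuristic: hostnames whose first label hints at the clear-text protocols used.
HOST_RE = re.compile(r"^(irc|ftp|smtp|mail)[\w.-]*\.[\w.-]+$", re.I)


def decode_candidates(lines):
    """Return (encoded, decoded) pairs for tokens that are valid Base64 and
    decode to clean printable ASCII; API names and binary blobs are skipped."""
    out = []
    for s in lines:
        s = s.strip()
        if not B64_RE.match(s):
            continue
        try:
            text = base64.b64decode(s, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if text and all(c in PRINTABLE for c in text):
            out.append((s, text))
    return out


def classify(decoded):
    """Label a decoded string as 'email', 'host' or 'other'."""
    if EMAIL_RE.match(decoded):
        return "email"
    if HOST_RE.match(decoded):
        return "host"
    return "other"


def extract_indicators(lines):
    """Map each recovered config value to its class, dropping 'other' hits."""
    hits = {text: classify(text) for _, text in decode_candidates(lines)}
    return {k: v for k, v in hits.items() if v != "other"}
```

Recovered values should be matched against mail and proxy logs for the affected hosts rather than treated as proof of compromise on their own.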

Despite these shortcomings, Cyber4Sight notes that weak security practices, including the use of personal webmail on a company computer and the opening of attachments from external sources, can have significant consequences for individual users and their employers.
