HiddenGh0st Malware Attacking MS-SQL Servers

Gh0st RAT is a remote control malware developed by the C. Rufus Security Team from China. Due to its source code being publicly available, malware developers use it as a reference as they continue developing numerous variants that are still actively used in attacks. Although the source code is public, Gh0st RAT is mainly used by threat actors based in China. Cases of Gh0stCringe RAT, a variant of Gh0st RAT, being distributed targeting database servers (MS-SQL, MySQL servers) were disclosed in a previous blog post. [1]

Numerous variants of Gh0st RAT are often used in attacks targeting MS-SQL servers. AhnLab Security Emergency response Center (ASEC) monitors attacks targeting poorly managed MS-SQL servers and publishes quarterly statistics through the ASEC Reports. The statistics categorize malware according to major categories such as backdoor, Trojan, HackTool, CoinMiner, etc., and they also cover the specific malware that are used in attacks within each category. Based on statistics from the second quarter of 2023, Gh0st RAT variants accounted for 29.0% of attack cases, making them the second most common, just behind Remcos RAT. [2]

ASEC has recently confirmed the distribution of a Gh0st RAT variant, which installs the Hidden rootkit, targeting poorly managed MS-SQL servers. Hidden, an open-source rootkit publicly accessible on GitHub, offers features that include hiding files, registry entries, and even itself, as well as providing the ability to protect processes. [3] Threat actors can potentially leverage these features to hide the presence of malware infections from users or hinder the removal of malware.

In this blog, the Gh0st RAT variant that installs the Hidden rootkit will be classified as HiddenGh0st. HiddenGh0st has been identified since at least 2022 and is still being distributed. Given the additional features added by the threat actor, including the ability to steal information from QQ Messenger, a platform predominantly utilized by Chinese users, it is suspected that Chinese users are the main target of these attacks.

1. Analysis of HiddenGh0st

1.1. Initial Configuration

HiddenGh0st is distributed in a packed state to evade file detection. After decrypting the actual PE file encrypted in the DATA section, it is executed in the memory. At the same time, the configuration data is also transmitted in the size of 0x848.

The transmitted configuration data is as follows. It not only includes the C&C URL, but it also supports a variety of configurations, such as the installation method, the name of the installation path and file, and whether to activate the rootkit.

Offset	Data	Description
0x0000	“leifenghackyuankong.e3.luyouxia[.]net”	C&C server address
0x012C	NULL	Not used
0x0258	0x3960 (14688)	C&C server port number
0x025C	0x0EE0	Not used
0x0260	“6gkIBfkS+qY=”	Keylogging file name (“Default” upon being decrypted)
0x0292	“tdC2pg==”	Version information (“1.0” upon being decrypted)
0x02b2	“QQ进程保护程序”	Service name (Service mode)
0x0316	“TX QQ”	Service display name (Service mode)
0x0396	SERVICE_DESCRIPTION	Service configuration data (Service mode)
0x0496	“5750b8de793d50a8f9eaa777adbf58d4”	BITS registry configuration data
0x0598	0x0000	External IP lookup status
0x059C	0x0001	Installation mode #1: Service
0x05A0	0x0000	Installation mode #2: Startup Folder
0x05A4	0x0000	without Rootkit
0x05A8	“%SystemRoot%\System32\”	Installation path name (Service mode)
0x060C	“QQ进程保护程序.exe”	Installation file name
0x063E	0x0008	Size of appended dummy data
0x0640	0x0007	Property assigned to malware (Service mode) FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_READONLY|FILE_ATTRIBUTE_SYSTEM
0x0648	NULL	Download URL

Table 1. Initial configuration data

Many of the configuration data include options that are deactivated, and one notable example is the URL used by the downloader thread. If the threat actor had set a download URL, it is likely that the download of additional malware from an external source would have also occurred upon executing the HiddenGh0st.

Among the deactivated configuration data, there is also an option to activate a feature that retrieves the infected system’s public IP address. If this feature is enabled, the public IP address from http://www.taobao.com/help/getip.php will be obtained and included in the data sent to the C&C server.

1.2. Installation Process

1.2.1. Installation Mode #1 – Service

If the installation mode specified in the configuration data is set to “Service”, the installation time of the current malware is first saved in the MarkTime value of the key in HKLM\SYSTEM\Select. Then, HiddenGh0st references the configuration data to copy the malware and register it as a service. By specifying the “-auto” argument during service registration, the malware is subsequently launched with the same “-auto” argument while operating as a service.

Additionally, the configuration data also includes the size of the dummy data that will be appended. When the configuration value is 0x0008, a 0x00800000-sized dummy data is appended to the end of the malware. Once the process reaches this point, the service is executed and the following command is used to delete the original file. If HiddenGh0st operates as a service, it executes itself again with the argument “-acsi” and then the main routine proceeds.

> C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del [Malware path] > nul

1.2.2. Installation Mode #2 – Startup Folder

If the installation method is set to “Startup Folder” in the configuration data that is transmitted when the malware is executed, HiddenGh0st maintains persistence by copying itself to the startup folder instead of registering as a service. First, saving the installation time in the MarkTime value of the HKLM\SYSTEM\Select key is the same as when the installation mode is service. Afterward, HiddenGh0st copies the currently running malware to the startup folder. A notable characteristic of this process is the use of the DefineDosDeviceA() API to create a symbolic link for the target path of the copy and its use in the copy process. The string “\.\agmkis2” is used as the name of the symbolic link.

The copied malware is then given the hidden attribute and the dummy data is added as per the configuration. Once this process is complete, the copied malware is executed, and the original malware deletes itself.

1.3. Transmission of Infected System Information

HiddenGh0st, much like the typical Gh0st RAT, collects and transmits basic information about the infected system to the C&C server after communication has been established.

Offset	Collected Data
0x0000	0x66
0x0004	Windows version information
0x00A0	CPU speed
0x00A4	Number of CPUs
0x00A8	Public IP address
0x00AC	Private IP address
0x00B0	Host name of the infected system
0x01B0	Number of webcams
0x01B4	Internet connection delay time
0x01B8	Network interface speed
0x01BC	Memory capacity
0x01C0	Local disk capacity
0x01C4	“Default” string (decrypted from the configuration data) or the “5750b8de793d50a8f9eaa777adbf58d4” value of the BITS registry
0x01F6	System boot time
0x0216	“1.0” (version)
0x0236	List of installed security products
0x0268	Wow64 availability
0x026C	Malware installation time (MarkTime)
0x029E	Logged in QQ Messenger number
0x03A0	Whether 3 minutes has passed since the last key input
0x03A4	Internet connection status (MODEM, LAN, PROXY)

Table 2. List of information transmitted to the C&C server

The information about installed security products is obtained by checking if the names of currently running processes contain any of the following keywords.

“360tray.exe”, “360sd.exe”, “kxetray.exe”, “KSafeTray.exe”, “QQPCRTP.exe” ,”HipsTray.exe” ,”BaiduSd.exe” ,”baiduSafeTray.exe” ,”KvMonXP.exe” ,”RavMonD.exe” ,”QUHLPSVC.EXE” ,”QuickHeal” ,”mssecess.exe” ,”cfp.exe”, “SPIDer.exe”, “DR.WEB”, “acs.exe”, “Outpost”, “V3Svc.exe” ,”AYAgent.aye” ,”avgwdsvc.exe” ,”AVG” ,”f-secure.exe” ,”F-Secure” ,”avp.exe” ,”Mcshield.exe”, “NOD32”, “knsdtray.exe”, “TMBMSRV.exe”, “avcenter.exe”, “ashDisp.exe” ,”rtvscan.exe” ,”remupd.exe” ,”vsserv.exe”, “BitDefender”, “PSafeSysTray.exe”, “ad-watch.exe”, “K7TSecurity.exe”, “UnThreat.exe”, “UnThreat”

Among the data transmitted to the C&C server by HiddenGh0st, the QQ number of the currently running QQ Messenger is also included. Since QQ Messenger is primarily used by users who can communicate in Chinese, it is speculated that the threat actor’s main targets are Chinese-speaking users.

HiddenGh0st compresses the 0x3BC size data obtained in this way and then prepends 0x0F size data to it. The prepended data includes information such as the signature string “hx”, the size of the data to be sent, and the original data’s size. The original Gh0st RAT used a signature string called “Gh0st” just like its name to communicate with the C&C server. Nonetheless, due to the public availability of its source code, Gh0st RAT has spawned numerous variants, and it is worth noting that in the past, Gh0stCringe RAT also employed “xy” as its signature string.

Offset	Size	Data	Description
0x00	0x03	“hx “	Signature string
0x03	0x04	0x000000AB	Size of the data to be sent (0x9C + 0x0F that is the size of the compressed file)
0x07	0x04	0x000003BC	Size of the original data
0x0B	0x04	0x00000002	Hard-coded

Table 3. Data that is transmitted before encryption

The data ultimately goes through an encryption process before being sent to the C&C server.

1.4. Performing Commands

The threat actor based HiddenGh0st on the original Gh0st RAT when developing it, so it supports basic commands similar to those in the original Gh0st RAT, such as FileManager, ScreenManager, KeyboardManager, SystemManager, ShellManager, etc. Of course, HiddenGh0st supports many more commands. Below is a list of commands that can be received from the C&C server for execution. Only the main categories have been categorized here, so it should be known that each command is actually responsible for many more features. Commands that operate as threads and continuously send data to the C&C server use port 80 of the C&C server.

Command	Feature
0x00	Standby
0x01	[FileManager] File management: Looks up file, uploads, downloads, deletes, renames, executes, decompresses via WinRAR, etc.
0x08	Chat
0x0A	Service management: Looks up service, starts, deletes, changes settings, etc.
0x0B	Process check: Checks whether it is currently running
0x0C	Windows check: Checks whether it is currently running
0x10	[ScreenManager] Captures screen, exfiltrates and changes clipboard contents
0x1C	Executes file
0x1D	Terminates explorer (explorer.exe)
0x1E	Deletes Internet Explorer cache
0x1F	Port forwards
0x2D	[KeyboardManager] Keylogger
0x33	Outputs audio
0x34	Exfiltrates QQ Messenger information
0x36	[SystemManager] System management: Collects the list of processes/Windows supported by Gh0st RAT, steals Dialup account information, and has features to terminate processes. Furthermore, executes commands, controls threads, collects/modifies host files, etc.
0x48	Message popup
0x49	Sets the HKLM\SYSTEM\CurrentControlSet\Services\BITS / 5750b8de793d50a8f9eaa777adbf58d4 value
0x4A	[ShellManager] Remote shell: Remote shell feature supported by Gh0st RAT. Furthermore, steals account credentials via Mimikatz
0x4B	Shuts down computer
0x4C	Restarts
0x4D	Uninstalls
0x4E	Event cleanup
0x52	Etc: Opens/Closes CD-ROM, hides/reveals taskbar, switches left and right mouse buttons, etc.
0x60	Download and execute files from an external source
0x62	Copies malware to the startup folder
0x63	Sets resolution
0x64	Creates and executes file (HIDE)
0x65	Creates and executes file (SHOW)
0x66	Plugin installation: Downloads and executes the plugin.dll file
0x67	URL connection: Connects to a specific website via Internet Explorer (HIDE)
0x68	URL connection: Connects to a specific website via Internet Explorer (SHOW)
0x69	Sets the HKLM\SYSTEM\Setup/Host value
0x6A	Standby
0x6D	Remote control-related: Activates/deactivates remote desktop, changes remote desktop port number, activates guest account, activates Internet sharing, configures/deletes user account, etc.
0x82	Registry management
0x8A	Speculated as plugin-related: Looks up file, downloads/uploads, loads in the memory and executes

Table 4. List of commands supported by HiddenGh0st

Due to the wide range of features provided by HiddenGh0st, it offers even more features on top of the features supported by the original Gh0st RAT and the typical RAT malware.

At the initial execution stage, there were two encoded strings received as arguments from the configuration data. One is the string “1.0”, which is presumed to be the version information of the malware, and the other is the string “Default”. The latter is presumed to be used as an identifier for the malware since it is sent to the C&C server along with information about the infected system. If the threat actor activates the keylogger command, the collected keylogging data is saved in the %SystemDirectory% path, and the file name used is the string “6gkIBfkS+qY=.key”, which is the “Default” string before being decrypted.

HiddenGh0st has a feature that installs Mimikatz, allowing it to steal account credentials from infected systems. In addition to the remote shell, the ShellManager class, responsible for the remote shell feature in the original Gh0st RAT, includes a command that installs Mimikatz under the name “GetMP.exe” and executes the following command. The malware transmits the account credentials collected from infected systems through processes like these to the C&C server.

> GetMP privilege::debug sekurlsa::logonpasswords exit\r\n

Among the newly added commands, there are many features related to remote control using RDP. These features can activate remote desktop or Internet sharing, change the port number for the remote desktop, and even use a command like the one below to enable guest accounts and register them in the administrator group.

> net user guest /active:yes && net user guest 123456 && net localgroup administrators guest /add

In addition, it also includes features that were supported by past RAT malware, such as commands to delete the cache of Internet Explorer, open or close the CD-ROM, hide the taskbar, and swap the left and right buttons of the mouse.

> cmd.exe /c RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255

Although the specific purpose has not been confirmed, a feature exists among the commands that sets the registry key value like the following. If the value “5750b8de793d50a8f9eaa777adbf58d4” is set through the threat actor’s command, it will be included with the basic information that HiddenGh0st transmits to the C&C server.

• HKLM\SYSTEM\CurrentControlSet\Services\BITS / 5750b8de793d50a8f9eaa777adbf58d4
• HKLM\SYSTEM\Setup / Host

2. Analysis of HiddenGh0st’s Rootkit

Hidden is an open-source rootkit driver publicly available on GitHub. It utilizes mini-filter drivers and kernel callback functions provided by the latest operating systems to hide files and registries, as well as protect processes. Due to these features, if used for malicious purposes, it can be employed to hide malware and prevent the termination of malicious processes. The CoinMiner known as PurpleFox also customized Hidden and utilized it in its attacks to hide the malware and obstruct removal efforts. [4]

HiddenGh0st installs the internally embedded Hidden rootkit during the execution process and uses it for the purpose of hiding and protecting the malware that acts as a backdoor. In this section, we will first analyze the basic features of the Hidden rootkit before outlining the process through which HiddenGh0st utilizes Hidden.

2.1. Analysis of Hidden Rootkit

2.1.1. Basic Operation

Hidden first reads the Config registered in the installation registry. These registry values are the configuration data automatically loaded and applied when the rootkit driver is loaded. For example, the following registry values were generated to transmit 4 commands.

After reading the initial configuration data, the initialization process of the process monitor, mini-filter, registry filter, and so on begins. Once each initialization process is completed, its protection and hiding features are performed based on the read configuration data. Finally, Stealth Mode, which is responsible for hiding the driver itself, can be initiated by referencing the hide settings, specifically the “Hid_StealthMode” value that can be set in the above registry. Stealth Mode hides the files and registry keys of Hidden, making it impossible to stop the corresponding services. Instead, a tool called HiddenCLI.exe can be used to deliver commands to deactivate and restore the driver.

Registry	Feature
Hid_State	Activates driver
Hid_StealthMode	Self-stealth mode
Hid_HideFsDirs	Hides directory
Hid_HideFsFiles	Hides file
Hid_HideRegKeys	Hides registry key
Hid_HideRegValues	Hides registry value
Hid_IgnoredImages	Specifies exception process
Hid_ProtectedImages	Specifies protection process
Hid_HideImages	Hides process

Table 5. Registry commands referenced by Hidden

Additionally, HiddenCLI.exe uses the following IOCTL when transmitting commands to the Hidden driver.

IOCTL	Number	Feature
HID_IOCTL_SET_DRIVER_STATE	0x800	Sets driver status (Activate/Deactivate)
HID_IOCTL_GET_DRIVER_STATE	0x801	Returns current driver status
HID_IOCTL_SET_STEALTH_MODE	0x802	Sets stealth mode
HID_IOCTL_ADD_HIDDEN_OBJECT	0x83C	Adds stealth target
HID_IOCTL_REMOVE_HIDDEN_OBJECT	0x83D	Removes stealth target
HID_IOCTL_REMOVE_ALL_HIDDEN_OBJECT	0x83E	Removes all stealth targets
HID_IOCTL_ADD_OBJECT	0x846	Adds exception/protection process
HID_IOCTL_GET_OBJECT_STATE	0x847	Returns exception/protection process status
HID_IOCTL_SET_OBJECT_STATE	0x848	Sets exception/protection process status
HID_IOCTL_REMOVE_OBJECT	0x849	Removes exception/protection process
HID_IOCTL_REMOVE_ALL_OBJECT	0x84A	Removes all exception/protection processes

Table 6. List of IOCTL numbers used by Hidden to transmit commands

2.1.2. Hiding Files

Hidden utilizes a file system mini-filter driver to hide files. File system filter drivers are kernel-mode components provided by Windows that allow monitoring and modification of file system requests such as opening, reading, and modifying files and directories. Mini-filter drivers are models that can control file systems using the Windows filter manager. As mentioned above, this allows file-related activities to be monitored and controlled without using kernel mode hooking techniques.

In Hidden, the monitored I/O operations include IRP_MJ_CREATE and IRP_MJ_DIRECTORY_CONTROL. IRP_MJ_CREATE is triggered when a handle is opened for a file or device object, and Hidden registers a pre-operation callback for this request. IRP_MJ_DIRECTORY_CONTROL is triggered when a directory is looked up, and Hidden registers both the pre-operation and post-operation callbacks for this request.

When monitoring IRP_MJ_CREATE, if the name of the file or directory targeted for handle opening matches an entry in the stealth target list, Hidden blocks access to them by returning STATUS_NO_SUCH_FILE. In the case of directory lookups, when monitoring IRP_MJ_DIRECTORY_CONTROL, Hidden removes the stealth target files and directories from the information obtained as a result of the request if the request matches an entry in the stealth list, effectively rendering them imperceptible to the user.

The filter manager loads each mini-filter driver at a unique altitude when registering them. Mini-filter drivers cannot be loaded with duplicate values, and Microsoft manages these altitudes for driver files. Additionally, Hidden is not an officially signed and registered driver, but in open-source, it uses 370030 as its altitude. (This is the same value as the altitude of Microsoft’s example mini-filter driver called passThrough.sys)

2.1.3. Protecting and Hiding Processes

Hidden provides a process protection feature and utilizes the ObRegisterCallbacks() function for these operations. This function registers callback routines that receive notifications about specific pre- and post-operations related to process and thread objects. Therefore, callback routines for actions such as the creation and duplication of handles for each object are registered, providing control by calling the registered callback routine first whenever a relevant operation occurs. The ObRegisterCallbacks() function, like mini-filter drivers, also requires an altitude value and designating it as 1000 is a characteristic of this function.

When looking at the OB_OPERATION_REGISTRATION structure specified during the ObRegisterCallbacks() function call, the registration of callback functions (ProcessPreCallback, ThreadPreCallback) for pre-operations related to handle creation and duplication for processes and threads (OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE) can be observed. As shown below, this callback function modifies the access permissions that were set when obtaining the handle for the protection target process to the minimum permission level. This modification makes it so that actions such as memory reading/writing and process termination cannot be performed.

Additionally, commands supported by Hidden include a feature to exclude specific designated processes from being hidden, and it maintains a separate process table to manage these exception processes. This table uses the PsSetCreateProcessNotifyRoutineEx() function to monitor the creation and termination of processes.

While not included in the rootkit used by HiddenGh0st, the source code does support process hiding functionality using Direct Kernel Object Manipulation (DKOM). The Windows kernel uses a structure called ‘EPROCESS’ to manage processes. EPROCESS is a doubly linked list structure where different processes are connected to each other. The rootkit receives the PID of the target process that will be hidden as an argument and accesses the EPROCESS of that process. It then checks the processes linked to Flink and Blink. Next, it links the processes that are connected before and after itself. Afterward, it ensures that its own Flink and Blink are pointing to itself, effectively excluding it from the doubly linked list of EPROCESS.

2.1.4. Hiding Registries

Hidden provides a registry key and value hiding feature and utilizes the CmRegisterCallbackEx() function for these operations. This function registers registry callback routines, and when registry-related operations occur, the registered callback routines are called first, providing control in this manner. The CmRegisterCallbackEx() function, like mini-filter drivers, also requires an altitude value. In Hidden, an arbitrary value of 320000 is used.

Hidden monitors the following 10 registry operations within its callback functions. In each of these functions, it checks whether the registry keys and values targeted by each operation are protected by the stealth command and whether the caller is an exempt process. Depending on these conditions, it may return values such as STATUS_ACCESS_DENIED or STATUS_NOT_FOUND, causing errors to occur upon performing lookups or making modifications impossible.

2.2. Hidden Rootkit of HiddenGh0st

HiddenGh0st creates the rootkit file contained in the DATA section under the path “%SystemDirectory%\drivers\QAssist.sys”. Depending on whether it’s an x86 or x64 architecture, it installs the respective rootkit. Afterward, it registers the created rootkit as the QAssist service, and the driver is loaded using the NtLoadDriver() function.

The Hidden rootkit created by HiddenGh0st differs from the original source code in two key ways. The first difference is that the routine responsible for reading and configuring “Hid_StealthMode” is modified, so even if this value is not set, the rootkit activates the hiding feature by default when the driver is loaded. The second difference is that the “Hid_HideImages” setting, which is responsible for hiding processes, is deactivated. Additionally, this matches the Hidden binary uploaded to GitHub, but this is because the process hiding feature was added after the binary compiled by the developer was uploaded.

The data set by HiddenGh0st is IgnoredImages, and since it operates as a service, it designates the service process as an exempt process.

The initial configuration includes only Hid_IgnoredImages, but the IOCTL command is later used to designate the stealth and exception target. First, the HiddenGh0st malware file and the HiddenGh0st service registered in the registry are added as targets to hide. Then, the HiddenGh0st process is added to the list of exception processes along with the “lsass.exe”, “lsm.exe”, and “audiodg.exe” system processes.

3. Conclusion

Typical attacks that target MS-SQL servers include brute force attacks and dictionary attacks to systems where account credentials are poorly being managed. Admins must also use passwords that cannot be easily guessed and change them periodically to protect the database servers from brute force and dictionary attacks.

V3 should be updated to the latest version so that malware infection can be prevented. Administrators should also use security programs such as firewalls for database servers accessible from outside to restrict access by external threat actors. If the above measures are not taken in advance, continuous infections by threat actors and malware can occur.

File Detection
– Malware/Win32.RL_Generic.R356012 (2020.11.22.01)
– Trojan/Win.Generic.C4446276 (2021.04.30.03)
– Malware/Gen.Generic.C3228648 (2019.05.09.04)

Behavior Detection
– Malware/MDP.Behavior.M29
– DefenseEvasion/MDP.Event.M1423

IOC
MD5
– 69cafef1e25734dea3ade462fead3cc9: HiddenGh0st
– 0d92b5f7a0f338472d59c5f2208475a3: Hidden x86 Rootkit (QAssist.sys)
– 4e34c068e764ad0ff0cb58bc4f143197: Hidden x64 Rootkit (QAssist.sys)

C&C
– leifenghackyuankong.e3.luyouxia[.]net:14688

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post HiddenGh0st Malware Attacking MS-SQL Servers appeared first on ASEC BLOG.

Article Link: HiddenGh0st Malware Attacking MS-SQL Servers - ASEC BLOG