Cybersecurity researchers have discovered a new malware strain dubbed Playfulghost, which comes with a variety of information-gathering capabilities. The malware's features include keylogging, screen capture, audio capture, remote shell access, and file transfer or execution.
According to Google’s Managed Defense team, Playfulghost exhibits functional similarities to Gh0st RAT, a remote administration tool whose source code was publicly leaked in 2008. This overlap suggests that the attackers may have built upon the legacy RAT's capabilities to develop the more advanced backdoor.
Playfulghost uses multiple initial-access techniques, including phishing emails with code-of-conduct-themed lures to deliver malicious payloads. In one case, the lure was a malicious RAR archive disguised as an image by giving it a ".jpg" extension; when extracted, it dropped a Windows executable that downloads and runs Playfulghost from a remote server.
A second technique tricks users into downloading trojanized installers for legitimate VPN apps such as LetsVPN. Once launched, the installer drops an interim payload that fetches the backdoor components.
The infection chain relies on DLL search order hijacking and side-loading: a legitimate executable loads a malicious DLL carrying the name it expects, and that DLL decrypts the Playfulghost payload and loads it into memory.
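The side-loading pattern above is visible on a live host: a signed executable has loaded a DLL whose name matches one shipped in System32, but the copy in memory came from somewhere else. The following hunting script is an added example, not code from the Google report or from the malware, and `Get-SignerSubject`, `$knownSystemDlls` and `$findings` are names chosen here. It walks every process's loaded modules via `Get-Process` and flags shadows of System32 DLLs loaded from outside `%SystemRoot%`, then compares the Authenticode signer of the DLL with that of the hosting executable.

```powershell
# Added example (not from the Google report): hunt a live Windows host for DLL search order
# hijacking / side-loading. A loaded module is suspicious when its file name matches a DLL that
# ships in %SystemRoot%\System32 but the copy actually loaded lives outside %SystemRoot%, and
# more so when the hosting executable is signed by a different publisher than the DLL (or the
# DLL is unsigned). Run from an elevated prompt; processes that deny access are skipped.

$systemRoot = $env:SystemRoot

# Index of DLL names that exist in System32, compared case-insensitively.
$knownSystemDlls = @{}
Get-ChildItem -Path (Join-Path $systemRoot 'System32') -Filter '*.dll' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $knownSystemDlls[$_.Name.ToLowerInvariant()] = $true }

function Get-SignerSubject {
    # Returns the signer subject of a valid Authenticode signature, or a marker string otherwise.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $null }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return "UNSIGNED/INVALID ($($sig.Status))" }
    return $sig.SignerCertificate.Subject
}

$findings = [System.Collections.Generic.List[object]]::new()

foreach ($proc in Get-Process) {
    $modules = $null
    try { $modules = $proc.Modules } catch { continue }   # access denied, or a 32-bit process seen from 64-bit PowerShell
    if (-not $modules) { continue }

    $hostPath = $null
    try { $hostPath = $proc.Path } catch { }
    $hostSigner = Get-SignerSubject -Path $hostPath

    foreach ($m in $modules) {
        $dllPath = $m.FileName
        if (-not $dllPath) { continue }

        $name = [System.IO.Path]::GetFileName($dllPath).ToLowerInvariant()
        $shadowsSystemDll  = $knownSystemDlls.ContainsKey($name)
        $outsideSystemRoot = -not $dllPath.StartsWith($systemRoot, [System.StringComparison]::OrdinalIgnoreCase)
        if (-not ($shadowsSystemDll -and $outsideSystemRoot)) { continue }

        $dllSigner = Get-SignerSubject -Path $dllPath
        $findings.Add([PSCustomObject]@{
            Process        = $proc.ProcessName
            PID            = $proc.Id
            HostExe        = $hostPath
            HostSigner     = $hostSigner
            Dll            = $dllPath
            DllSigner      = $dllSigner
            SignerMismatch = ($hostSigner -ne $dllSigner)
            SHA256         = (Get-FileHash -LiteralPath $dllPath -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        })
    }
}

# A signed host executable loading an unsigned or differently-signed shadow of a system DLL is the
# side-loading pattern; review those rows first.
$findings | Sort-Object SignerMismatch -Descending | Format-Table Process, PID, HostSigner, DllSigner, Dll -AutoSize
```

Expect benign hits: many applications ship their own copy of redistributables such as `vcruntime140.dll` next to their executable, which also exists in System32. Those show both columns signed by Microsoft; the rows worth pulling are the ones where `HostSigner` is a legitimate vendor and `DllSigner` is unsigned or a different publisher.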
Once deployed, Playfulghost lets the attackers collect a wide range of sensitive information, including keystrokes, screenshots, audio recordings, QQ account details, clipboard content, system metadata, and the list of installed security products. It can also take disruptive actions: dropping additional payloads, blocking mouse and keyboard input, clearing Windows event logs, deleting browser caches and profiles for applications such as Sogou, QQ, 360 Safety, Firefox, and Google Chrome, and erasing profiles and local storage for messaging apps such as Skype, Telegram, and QQ.
Playfulghost also deploys additional tools, including Mimikatz, a rootkit, and Terminator, an open-source utility that terminates security processes via a Bring Your Own Vulnerable Driver (BYOVD) attack, to extend its capabilities.
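Two of the behaviours described in the last two paragraphs, clearing Windows event logs and loading a vulnerable driver for BYOVD process termination, leave traces in the built-in logs even when the attacker later wipes the Security log, because the clearing itself is recorded. The script below is an added example and not code from the Google or Mandiant reports; `Get-EventFields`, `Resolve-DriverPath` and `$LookbackDays` are names chosen here. The event IDs are Microsoft's: Security 1102 (audit log cleared), System 104 from Microsoft-Windows-Eventlog (another log cleared) and System 7045 from Service Control Manager (new service installed), filtered to `ServiceType` "kernel mode driver".

```powershell
# Added example (not from the Google/Mandiant reports): hunt the built-in Windows logs for
# event-log clearing and kernel-driver installation, then report the signature and hash of any
# newly installed driver so it can be compared with a vulnerable-driver blocklist.
# Reading the Security log needs an elevated prompt. $LookbackDays is this example's own parameter.
param([int]$LookbackDays = 7)

function Get-EventFields {
    # Flatten an EventRecord's EventData (and UserData, which event 104 uses) into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $fields[$d.Name] = $d.'#text' }
    }
    if ($xml.Event.UserData) {
        foreach ($container in $xml.Event.UserData.ChildNodes) {
            foreach ($n in $container.ChildNodes) { $fields[$n.LocalName] = $n.InnerText }
        }
    }
    return $fields
}

function Resolve-DriverPath {
    # 7045 ImagePath arrives as "\??\C:\dir\x.sys", "\SystemRoot\...\x.sys" or "system32\drivers\x.sys".
    param([string]$ImagePath)
    $p = $ImagePath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$since    = (Get-Date).AddDays(-$LookbackDays)
$findings = [System.Collections.Generic.List[object]]::new()

# Security 1102: the Security audit log was cleared (recorded as the first event of the new log).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        $findings.Add([PSCustomObject]@{ Time = $_.TimeCreated; Indicator = 'SecurityLogCleared'
            Detail = "by $($f['SubjectDomainName'])\$($f['SubjectUserName'])" })
    }

# System 104: any other event log was cleared; the Channel field names which one.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        $findings.Add([PSCustomObject]@{ Time = $_.TimeCreated; Indicator = 'EventLogCleared'
            Detail = "$($f['Channel']) by $($f['SubjectDomainName'])\$($f['SubjectUserName'])" })
    }

# System 7045: Service Control Manager installed a new service. A BYOVD tool must register its
# vulnerable driver as a kernel-mode service, which is what this records.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        if ($f['ServiceType'] -ne 'kernel mode driver') { return }   # user-mode services are out of scope here
        $driver = Resolve-DriverPath $f['ImagePath']
        $sig = $null
        if (Test-Path -LiteralPath $driver) { $sig = Get-AuthenticodeSignature -FilePath $driver }
        $status = if ($sig) { $sig.Status } else { 'file missing' }
        $hash   = if ($sig) { (Get-FileHash -LiteralPath $driver -Algorithm SHA256).Hash } else { 'n/a' }
        $findings.Add([PSCustomObject]@{ Time = $_.TimeCreated; Indicator = 'KernelDriverInstalled'
            Detail = "$($f['ServiceName']) -> $driver (signature: $status; SHA256: $hash)" })
    }

$findings | Sort-Object Time | Format-Table -AutoSize -Wrap
```

A vulnerable driver used for BYOVD is typically validly signed, so a `Valid` signature on a `KernelDriverInstalled` row is not a clean bill; the SHA256 is what to check against Microsoft's vulnerable driver blocklist or the public LOLDrivers list. A driver installation that is immediately followed by a `SecurityLogCleared` row is the sequence to escalate.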
In one instance, Mandiant researchers observed a Playfulghost payload embedded within Boostwave, a shellcode-based in-memory dropper designed to deliver appended Portable Executable (PE) payloads.