6 January 2025

New Playfulghost multifunctional backdoor weaponizes VPN apps

Cybersecurity researchers have discovered a new malware strain dubbed Playfulghost, which comes with a variety of information-gathering capabilities. The malware's features include keylogging, screen capture, audio capture, remote shell access, and file transfer or execution.

According to Google’s Managed Defense team, Playfulghost exhibits functional similarities to Gh0st RAT, a remote administration tool whose source code was publicly leaked in 2008. This overlap suggests that the attackers may have built upon the legacy RAT's capabilities to develop the more advanced backdoor.

Playfulghost utilizes multiple initial access techniques, including emails with code of conduct-related lures to distribute malicious payloads. In one case, a malicious RAR archive disguised as an image file with a ".jpg" extension was used. When extracted, it deployed a Windows executable that downloads and executes Playfulghost from a remote server.
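
A defender-side triage check for the disguised archive described above, written as an added example (not code from the article or from Google's report): it compares an attachment's claimed extension with its real file signature, so a RAR archive named with a ".jpg" extension is flagged before anyone extracts it. The signature table and the sample attachments are constructed for the example.

```python
import os
from typing import Dict, List, Optional

# Leading byte signatures (magic numbers) for a few common types.
# Constructed subset for this example; extend it for a real gateway.
MAGIC = {
    "rar": [b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"],  # RAR v4 / v5
    "jpg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "zip": [b"PK\x03\x04"],
    "exe": [b"MZ"],  # PE files (EXE and DLL) start with the MZ header
}

# Which signature a given extension is expected to carry.
EXPECTED = {"jpg": "jpg", "jpeg": "jpg", "png": "png", "zip": "zip",
            "rar": "rar", "exe": "exe", "dll": "exe"}


def detect_type(data: bytes) -> Optional[str]:
    """Return the type implied by the leading bytes, or None if unknown."""
    for kind, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return kind
    return None


def check_attachment(filename: str, data: bytes) -> dict:
    """Report whether the extension and the real signature disagree."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    actual = detect_type(data)
    expected = EXPECTED.get(ext)
    mismatch = expected is not None and actual is not None and actual != expected
    return {"name": filename, "ext": ext, "actual": actual, "mismatch": mismatch}


def scan(samples: Dict[str, bytes]) -> List[str]:
    """Return the names of attachments whose content does not match their extension."""
    return [name for name, data in samples.items() if check_attachment(name, data)["mismatch"]]


# Constructed sample attachments: one RAR disguised as an image, two honest files.
SAMPLES = {
    "photo.jpg": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16,   # archive posing as a picture
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,     # genuine JPEG header
    "setup.exe": b"MZ" + b"\x00" * 16,                     # executable named as such
}

if __name__ == "__main__":
    print("extension mismatches:", scan(SAMPLES))
```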

Another technique tricks users into downloading compromised installers for legitimate VPN apps such as LetsVPN. Once launched, the installer drops an interim payload responsible for fetching the backdoor components.

The infection chain relies on techniques such as DLL search order hijacking and DLL side-loading, with malicious DLLs used to decrypt and load Playfulghost into memory.

Once deployed, Playfulghost enables attackers to collect a wide range of sensitive information, including keystrokes, screenshots, audio recordings, QQ account details, clipboard content, system metadata, and the list of installed security products. It can also carry out disruptive actions such as dropping additional payloads, blocking mouse and keyboard input, clearing Windows event logs, deleting browser caches and profiles for applications like Sogou, QQ, 360 Safety, Firefox, and Google Chrome, and erasing profiles and local storage for messaging apps such as Skype, Telegram, and QQ.

Playfulghost also deploys additional tools such as Mimikatz, a rootkit, and Terminator (an open-source utility that terminates security processes via a Bring Your Own Vulnerable Driver (BYOVD) attack) to extend its functionality.

In one instance, Mandiant researchers observed a Playfulghost payload embedded within Boostwave, a shellcode-based in-memory dropper designed to deliver appended Portable Executable (PE) payloads.
