Hackers target Korean internet cafés with CoinMiner attacks using Gh0st RAT

AhnLab Security Intelligence Center (ASEC) has uncovered a series of cyberattacks targeting Korean internet cafés, involving remote access trojans (RATs) and cryptocurrency mining malware. According to ASEC, the attacks began in the second half of 2024 and are believed to be carried out by a threat actor active since 2022.

The attackers focused on internet café systems running specialized management software used to track customer usage and automate billing. The systems, typically equipped with powerful GPUs for gaming, were infected with Gh0st RAT, the well-known remote control tool originally developed by the Chinese C. Rufus Security Team.

Once inside the system, the attackers deployed T-Rex CoinMiner, a GPU-based miner that targets cryptocurrencies like Ethereum and RavenCoin. The method of initial access remains unknown, but the attacks mainly affected computers running Korean internet café management software.

Gh0st RAT, often used by Chinese-speaking threat actors, allows full remote control over an infected device, including file manipulation, keylogging, screen capture, and process management. The attackers used dropper malware to install Gh0st RAT and additional tools such as the Patcher malware to alter the memory of installed management programs, likely to evade detection and maintain persistence.

Interestingly, logs indicate that a few infections occurred on guest PCs, suggesting that the dropper may have been spread through client-side processes in some cases.

While similar attacks typically deploy the CPU-oriented XMRig miner to generate Monero, this campaign uses T-Rex, which suggests the attackers deliberately chose a GPU miner to profit from the high-end graphics cards in café gaming systems, where GPU mining yields far more than CPU mining would.

ASEC notes that the developer of the affected management software appears to be actively responding to the threat. Its website now publishes a list of the processes that the malware terminates, indicating ongoing efforts to mitigate the risk.

