GhostAdmin: The Invisible Data Thief - Notes from the Underground

February 27, 2017 | jkisielius@alienvault.com
X

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

ghostadmin is bot for data exfiltration

Data theft is a major threat to businesses in today’s economy. With large corporations like Arby’s, Popeye’s, and Intercontinental Hotels all reporting breaches since the beginning of this year alone, it’s essential for IT professionals to keep an eye out for emerging threats that target valuable user data.

Just last month, researchers at MalwareHunterTeam discovered a relatively new botnet called GhostAdmin that quietly siphons data from infected devices while it masquerades as a legitimate antivirus tool and obscures the symptoms of its attack with specialized features. Its network of infected devices is still small, but it has already been used to steal hundreds of gigabytes of data from large companies, making it a threat you need to understand and watch out for.

GhostAdmin is a botnet, a type of malware that ope­rates by creating a network of infected host machines (a robotic network) that are all controlled by the botnet’s owner. While a single device may or may not be useful on its own, leveraging an entire network of devices provides rocket fuel for almost anything that a botnet owner wants to accomplish.

For example, you may remember when the high-profile Mirai botnet was in the news last year for causing widespread internet outages with its distributed denial-of-service (DDoS) attack against Dyn DNS. Mirai executed that attack by first creating a network of Internet of Things (IoT) devices and then commanding them to flood Dyn with traffic. The power of a botnet’s network can also be used to spy on a victim’s personal information, distribute malware, and steal huge amounts of data, which is how GhostAdmin has been used so far.

GhostAdmin infects PCs by mimicking well-known security tools that users might be inclined to trust and download. One version of GhostAdmin posed as Symantec Endpoint Protection, and a related variant called Zodiac mixed the Avast product name with the logo for Avira. Even a user with a vague awareness of security precautions could mistake it for legitimate software and be convinced to download the malware. Once a device has been compromised, the botnet is designed to cover its tracks and keep users in the dark about its presence. For example, it can remove log files, wipe internet history, and self-terminate, and its own components may mimic ordinary Windows files. The botnet is also able to gain boot persistence, meaning that restarting an infected device will not remove the malware.

While GhostAdmin has mostly been used for data theft, its available commands give the botnet owner the power to take over devices, spy on users, download data, and install more software for other nefarious purposes. GhostAdmin operates by establishing an infected Internet Relay Command (IRC) channel that the botnet’s owner can use for Command and Control (C&C). Using the IRC channel, the owner can execute requests for infected devices to download files, record audio, take screenshots, copy files, enable remote desktop, and more. Stolen data is sent to the botnet owner’s File Transfer Protocol (FTP) server, and the owner is notified each time the malware is used.

GhostAdmin’s network of infected computers is still small. Two large companies – an internet cyber café and a lottery website - have been reported as presumed victims of live attacks so far. Several hundred gigabytes of data were downloaded from the cyber café alone. From the lottery website, the botnet downloaded a database containing sensitive customer information including names, addresses, email addresses, birthdates, and employers.

Given that almost every business stores some type of customer data that might intrigue a malicious actor, the nature of these attacks should put most IT professionals on alert. Although GhostAdmin’s network is still small, botnets are often structured to grow rapidly, using one infected machine to reach many others in rapid succession. GhostAdmin, which is written in C# and is on version 2.0, is based on a botnet family called CrimeScene that was prevalent 3-4 years ago and could easily replicate its predecessor’s widespread success.

Training users to be able to spot risky downloads can help reduce the chances of an infection. However, all it takes for a botnet like GhostAdmin to compromise your customer data is a single user who downloads a compromised file and accidentally puts the rest of your network at risk. For this reason, if you detect GhostAdmin on one of your devices, it’s important to disconnect the infected device while you repair it and scan all other devices to make sure the infection hasn’t spread. More importantly, you need to monitor your network for unusual behavior to detect intrusions and make sure your security plan includes continuously updated threat intelligence related to this and other emerging and evolving threats to keep your organization safe.

How AlienVault Can Help

The AlienVault Unified Security Management (USM) platform delivers the essential security capabilities that organizations of all sizes need to detect, prioritize, and respond to botnet-related threats like GhostAdmin. Combined with the continuously updated threat intelligence delivered by the AlienVault Labs Security Research Team, you can be confident that as new threats emerge and existing threats evolve, you will have the latest threat information about the threat actors, their methods, infrastructure, and tools, and you can respond effectively and quickly.

The AlienVault Labs team recently updated the known threat information related to GhostAdmin, delivering the updates directly to all USM Anywhere and USM Appliance systems across the globe. Learn more about this update and other threat intelligence updates made in the Threat Intelligence Update summary posted on Forums.

In addition to the threat intelligence delivered by the AlienVault Labs Security Research Team, AlienVault also hosts Open Threat Exchange (OTX), the world’s first truly open and free threat intelligence community that enables collaborative defense with actionable, community-powered threat data. OTX has 53,000 users and collects over 10 million threat indicators daily, processes those indicators, and is leveraged by the AlienVault Labs team to provide a truly 360 degree view of the threat actors, their tools, infrastructure, and methods. The best part of Open Threat Exchange is…it’s free to use either with USM or with your other security tools.

Don’t have an OTX account today? Sign up.

jkisielius@alienvault.com

About the Author: jkisielius@alienvault.com, AlienVault
Julia joined AlienVault as a Product Marketing Manager in February 2017. Previously, she was a product manager at Giving Docs, an early-stage startup that makes fundraising software for nonprofits. Before that, she worked on data products and processes to help Tufts University fundraisers raise more than $80M per year. Julia started her career at an asset management firm with $200M under management, where she researched, edited, fact-checked, and promoted financial literacy resources such as books and columns. She graduated from the University of Connecticut with a B.A. in English.
Read more posts from jkisielius@alienvault.com ›

‹ BACK TO ALL BLOGS