FireEye finds Gh0stRAT cyberespionage campaigns continue

Many advanced persistent threat attacks use the malware, believed to have been developed in China

A well-known cyber-spying tool called Gh0st RAT is still being employed in stealthy malware attacks, according to a new report from security firm FireEye.

FireEye, which specializes in malware detection, released data it collected from hundreds of its customers during 2012. It looked at 12 million different reports of suspicious activity, around 2,000 of which were classified as "advanced persistent threats" (APTs), the security industry's term for sophisticated, hard-to-detect attacks aimed at the long-term infiltration of organizations.

Most of those 2,000 incidents employed Gh0st RAT, a remote access tool believed to have been developed in China that allows attackers to steal information from a victim's computers. In 2009, researchers with the Information Warfare Monitor, a computer security research project, and the University of Toronto reported an extensive cyber espionage campaign using Gh0st RAT that targeting more than 1,000 computers in 103 countries.

Gh0st RAT is "a real important part of many types of APT campaigns because it is an effective tool," said Rob Rachwald, FireEye's senior director of market research.

FireEye's report broadly looks at how attackers extract information from victims and control their malware on infected computers, or "callback" activity. Their data from 2012 shows that attackers are using command-and-control servers to deliver instructions to malware in 184 countries now, a 42 percent increase over 2010.

South Korea has a concentration of callback activity. The servers of technology companies tend to be targeted by hackers to communicate with their infected machines. "I think the fact that they've been traditionally one of the most connected nations in the world is probably another driver for this," Rachwald said.

FireEye's report said "in a sense, South Korea is plagued by RATs [remote access tools]. It is clear from the 2012 data that South Korea is one of the top callback destinations in the world and that some of the country's callback activities are associated with more targeted attacks."

Hackers were also inserting stolen information into JPEG image files in order to make the data look more like normal traffic. The malware also used social networking sites such as Twitter and Facebook to place instructions for infected machines, FireEye said.

The company noticed other changes in hackers' behavior. Usually, command-and-control servers were located in a different country than the victim. Now they are locating the command infrastructure in the same country in order to make the traffic look normal.

But for some countries, hackers didn't bother with control servers in a target's country. Canada and the U.K. both had high percentages of callback traffic going overseas. Attackers perhaps didn't do that in those countries because "they knew they weren't going to get detected," Rachwald said.

Send news tips and comments to Follow me on Twitter: @jeremy_kirk

Join the CSO newsletter!

Error: Please check your email address.

Tags securitydata breachFireEyeExploits / vulnerabilitiesdata protectionmalware

More about APTFacebookFireEye

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts