Tracking GhostNet: Investigating a Cyber ... - Nart Villeneuve
Tracking GhostNet: Investigating a Cyber ... - Nart Villeneuve
Tracking GhostNet: Investigating a Cyber ... - Nart Villeneuve
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
JR02-2009 <strong>Tracking</strong> <strong>GhostNet</strong> - PART TWO<br />
37<br />
The gh0st RAT tool attempts to connect to IP addresses of a DSL provider in Hainan, China:<br />
• xxxxxxxxxxxx.broad.hk.hi.dynamic.163data.com.cn<br />
• xxxxxxxxxxxx.broad.hk.hi.dynamic.163data.com.cn<br />
• xxxxxxxxxxxx.broad.hk.hi.dynamic.163data.com.cn<br />
• xxxxxxxxxxxx.broad.hk.hi.dynamic.163data.com.cn<br />
• xxxxxxxxxxxx.broad.hk.hi.dynamic.163data.com.cn<br />
• xxxxxxxxxxxx.broad.hk.hi.dynamic.163data.com.cn<br />
After a successful connection, the attacker(s) proceed to issue commands on our infected<br />
computer in real-time.<br />
We found similar but unsuccessful connections to the same IP address range from some of the<br />
infected computers we analysed and discovered that a rudimentary version of the web-based<br />
administration interface contained only one infection from the same IP address range in Hainan.<br />
In addition, one of the servers used to host the attacker(s)’ malicious files is a Government of<br />
Hainan web server located in Hainan, and one of the control server interfaces we gained access<br />
to is also located in Hainan. However, one should not rush to judgement concerning the identity<br />
of the attacker(s) based on this location. The gh0st RAT software can be configured with a proxy<br />
server; therefore it is possible that the attacker(s) were using a compromised system as a proxy to<br />
hide their true location.<br />
Command results<br />
The Command Result page lists the commands issued through the Send Command page and the<br />
status of those commands. Each entry in this interface shows what command was sent to the<br />
infected computer, including the URL to the command server and the command file (the malicious<br />
file disguised as an image). Upon the successful completion of a command, the relevant date, time,<br />
and result are recorded. (See Fig. 11 - p. 38)<br />
The Command Result page contains a column that displays the content sent back to the control<br />
server from the infected computer. The command issued to retrieve this content in the Send<br />
Command interface is labelled “Acquire System Information.” Even though we have been unable<br />
to properly decode the content, 47 the plain text values in the binary content indicate that these<br />
entries contain information about the infected computer (CPU, memory, operating system,<br />
programmes installed) as well as file names of documents on the computer, presumably for later<br />
retrieval. This information is likely used to determine which targets the attacker(s) will further<br />
exploit and control using remote administration tools such as gh0st RAT.<br />
47 The content is base64 encoded and XORed with values we have yet to identify.