Gh0st RAT is a remote control malware developed by the C. Rufus Security Team from China. Due to its source code being publicly available, malware developers use it as a reference as they continue developing numerous variants that are still actively used in attacks. Although the source code is public, Gh0st RAT is mainly used by threat actors based in China. Cases of Gh0stCringe RAT, a variant of Gh0st RAT, being distributed targeting database servers (MS-SQL, MySQL servers) were disclosed in a previous blog post. 
Numerous variants of Gh0st RAT are often used in attacks targeting MS-SQL servers. AhnLab Security Emergency response Center (ASEC) monitors attacks targeting poorly managed MS-SQL servers and publishes quarterly statistics through the ASEC Reports. The statistics categorize malware according to major categories such as backdoor, Trojan, HackTool, CoinMiner, etc., and they also cover the specific malware that are used in attacks within each category. Based on statistics from the second quarter of 2023, Gh0st RAT variants accounted for 29.0% of attack cases, making them the second most common, just behind Remcos RAT. 
ASEC has recently confirmed the distribution of a Gh0st RAT variant, which installs the Hidden rootkit, targeting poorly managed MS-SQL servers. Hidden, an open-source rootkit publicly accessible on GitHub, offers features that include hiding files, registry entries, and even itself, as well as providing the ability to protect processes.  Threat actors can potentially leverage these features to hide the presence of malware infections from users or hinder the removal of malware.
In this blog, the Gh0st RAT variant that installs the Hidden rootkit will be classified as HiddenGh0st. HiddenGh0st has been identified since at least 2022 and is still being distributed. Given the additional features added by the threat actor, including the ability to steal information from QQ Messenger, a platform predominantly utilized by Chinese users, it is suspected that Chinese users are the main target of these attacks.
1. Analysis of HiddenGh0st
1.1. Initial Configuration
HiddenGh0st is distributed in a packed state to evade file detection. After decrypting the actual PE file encrypted in the DATA section, it is executed in the memory. At the same time, the configuration data is also transmitted in the size of 0x848.
The transmitted configuration data is as follows. It not only includes the C&C URL, but it also supports a variety of configurations, such as the installation method, the name of the installation path and file, and whether to activate the rootkit.
|0x0000||“leifenghackyuankong.e3.luyouxia[.]net”||C&C server address|
|0x0258||0x3960 (14688)||C&C server port number|
|0x0260||“6gkIBfkS+qY=”||Keylogging file name (“Default” upon being decrypted)|
|0x0292||“tdC2pg==”||Version information (“1.0” upon being decrypted)|
|0x02b2||“QQ进程保护程序”||Service name (Service mode)|
|0x0316||“TX QQ”||Service display name (Service mode)|
|0x0396||SERVICE_DESCRIPTION||Service configuration data (Service mode)|
|0x0496||“5750b8de793d50a8f9eaa777adbf58d4”||BITS registry configuration data|
|0x0598||0x0000||External IP lookup status|
|0x059C||0x0001||Installation mode #1: Service|
|0x05A0||0x0000||Installation mode #2: Startup Folder|
|0x05A8||“%SystemRoot%\System32\”||Installation path name (Service mode)|
|0x060C||“QQ进程保护程序.exe”||Installation file name|
|0x063E||0x0008||Size of appended dummy data|
|0x0640||0x0007||Property assigned to malware (Service mode)|
Many of the configuration data include options that are deactivated, and one notable example is the URL used by the downloader thread. If the threat actor had set a download URL, it is likely that the download of additional malware from an external source would have also occurred upon executing the HiddenGh0st.
Among the deactivated configuration data, there is also an option to activate a feature that retrieves the infected system’s public IP address. If this feature is enabled, the public IP address from http://www.taobao.com/help/getip.php will be obtained and included in the data sent to the C&C server.
1.2. Installation Process
1.2.1. Installation Mode #1 – Service
If the installation mode specified in the configuration data is set to “Service”, the installation time of the current malware is first saved in the MarkTime value of the key in HKLM\SYSTEM\Select. Then, HiddenGh0st references the configuration data to copy the malware and register it as a service. By specifying the “-auto” argument during service registration, the malware is subsequently launched with the same “-auto” argument while operating as a service.
Additionally, the configuration data also includes the size of the dummy data that will be appended. When the configuration value is 0x0008, a 0x00800000-sized dummy data is appended to the end of the malware. Once the process reaches this point, the service is executed and the following command is used to delete the original file. If HiddenGh0st operates as a service, it executes itself again with the argument “-acsi” and then the main routine proceeds.
|> C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del [Malware path] > nul|
1.2.2. Installation Mode #2 – Startup Folder
If the installation method is set to “Startup Folder” in the configuration data that is transmitted when the malware is executed, HiddenGh0st maintains persistence by copying itself to the startup folder instead of registering as a service. First, saving the installation time in the MarkTime value of the HKLM\SYSTEM\Select key is the same as when the installation mode is service. Afterward, HiddenGh0st copies the currently running malware to the startup folder. A notable characteristic of this process is the use of the DefineDosDeviceA() API to create a symbolic link for the target path of the copy and its use in the copy process. The string “\.\agmkis2” is used as the name of the symbolic link.
The copied malware is then given the hidden attribute and the dummy data is added as per the configuration. Once this process is complete, the copied malware is executed, and the original malware deletes itself.
1.3. Transmission of Infected System Information
HiddenGh0st, much like the typical Gh0st RAT, collects and transmits basic information about the infected system to the C&C server after communication has been established.
|0x0004||Windows version information|
|0x00A4||Number of CPUs|
|0x00A8||Public IP address|
|0x00AC||Private IP address|
|0x00B0||Host name of the infected system|
|0x01B0||Number of webcams|
|0x01B4||Internet connection delay time|
|0x01B8||Network interface speed|
|0x01C0||Local disk capacity|
|0x01C4||“Default” string (decrypted from the configuration data) or the “5750b8de793d50a8f9eaa777adbf58d4” value of the BITS registry|
|0x01F6||System boot time|
|0x0236||List of installed security products|
|0x026C||Malware installation time (MarkTime)|
|0x029E||Logged in QQ Messenger number|
|0x03A0||Whether 3 minutes has passed since the last key input|
|0x03A4||Internet connection status (MODEM, LAN, PROXY)|
The information about installed security products is obtained by checking if the names of currently running processes contain any of the following keywords.
|“360tray.exe”, “360sd.exe”, “kxetray.exe”, “KSafeTray.exe”, “QQPCRTP.exe” ,”HipsTray.exe” ,”BaiduSd.exe” ,”baiduSafeTray.exe” ,”KvMonXP.exe” ,”RavMonD.exe” ,”QUHLPSVC.EXE” ,”QuickHeal” ,”mssecess.exe” ,”cfp.exe”, “SPIDer.exe”, “DR.WEB”, “acs.exe”, “Outpost”, “V3Svc.exe” ,”AYAgent.aye” ,”avgwdsvc.exe” ,”AVG” ,”f-secure.exe” ,”F-Secure” ,”avp.exe” ,”Mcshield.exe”, “NOD32”, “knsdtray.exe”, “TMBMSRV.exe”, “avcenter.exe”, “ashDisp.exe” ,”rtvscan.exe” ,”remupd.exe” ,”vsserv.exe”, “BitDefender”, “PSafeSysTray.exe”, “ad-watch.exe”, “K7TSecurity.exe”, “UnThreat.exe”, “UnThreat”|
Among the data transmitted to the C&C server by HiddenGh0st, the QQ number of the currently running QQ Messenger is also included. Since QQ Messenger is primarily used by users who can communicate in Chinese, it is speculated that the threat actor’s main targets are Chinese-speaking users.
HiddenGh0st compresses the 0x3BC size data obtained in this way and then prepends 0x0F size data to it. The prepended data includes information such as the signature string “hx”, the size of the data to be sent, and the original data’s size. The original Gh0st RAT used a signature string called “Gh0st” just like its name to communicate with the C&C server. Nonetheless, due to the public availability of its source code, Gh0st RAT has spawned numerous variants, and it is worth noting that in the past, Gh0stCringe RAT also employed “xy” as its signature string.
|0x00||0x03||“hx “||Signature string|
|0x03||0x04||0x000000AB||Size of the data to be sent (0x9C + 0x0F that is the size of the compressed file)|
|0x07||0x04||0x000003BC||Size of the original data|
The data ultimately goes through an encryption process before being sent to the C&C server.
1.4. Performing Commands
The threat actor based HiddenGh0st on the original Gh0st RAT when developing it, so it supports basic commands similar to those in the original Gh0st RAT, such as FileManager, ScreenManager, KeyboardManager, SystemManager, ShellManager, etc. Of course, HiddenGh0st supports many more commands. Below is a list of commands that can be received from the C&C server for execution. Only the main categories have been categorized here, so it should be known that each command is actually responsible for many more features. Commands that operate as threads and continuously send data to the C&C server use port 80 of the C&C server.
|0x01||[FileManager] File management: Looks up file, uploads, downloads, deletes, renames, executes, decompresses via WinRAR, etc.|
|0x0A||Service management: Looks up service, starts, deletes, changes settings, etc.|
|0x0B||Process check: Checks whether it is currently running|
|0x0C||Windows check: Checks whether it is currently running|
|0x10||[ScreenManager] Captures screen, exfiltrates and changes clipboard contents|
|0x1D||Terminates explorer (explorer.exe)|
|0x1E||Deletes Internet Explorer cache|
|0x34||Exfiltrates QQ Messenger information|
|0x36||[SystemManager] System management: Collects the list of processes/Windows supported by Gh0st RAT, steals Dialup account information, and has features to terminate processes. Furthermore, executes commands, controls threads, collects/modifies host files, etc.|
|0x49||Sets the HKLM\SYSTEM\CurrentControlSet\Services\BITS / 5750b8de793d50a8f9eaa777adbf58d4 value|
|0x4A||[ShellManager] Remote shell: Remote shell feature supported by Gh0st RAT. Furthermore, steals account credentials via Mimikatz|
|0x4B||Shuts down computer|
|0x52||Etc: Opens/Closes CD-ROM, hides/reveals taskbar, switches left and right mouse buttons, etc.|
|0x60||Download and execute files from an external source|
|0x62||Copies malware to the startup folder|
|0x64||Creates and executes file (HIDE)|
|0x65||Creates and executes file (SHOW)|
|0x66||Plugin installation: Downloads and executes the plugin.dll file|
|0x67||URL connection: Connects to a specific website via Internet Explorer (HIDE)|
|0x68||URL connection: Connects to a specific website via Internet Explorer (SHOW)|
|0x69||Sets the HKLM\SYSTEM\Setup/Host value|
|0x6D||Remote control-related: Activates/deactivates remote desktop, changes remote desktop port number, activates guest account, activates Internet sharing, configures/deletes user account, etc.|
|0x8A||Speculated as plugin-related: Looks up file, downloads/uploads, loads in the memory and executes|
Due to the wide range of features provided by HiddenGh0st, it offers even more features on top of the features supported by the original Gh0st RAT and the typical RAT malware.
At the initial execution stage, there were two encoded strings received as arguments from the configuration data. One is the string “1.0”, which is presumed to be the version information of the malware, and the other is the string “Default”. The latter is presumed to be used as an identifier for the malware since it is sent to the C&C server along with information about the infected system. If the threat actor activates the keylogger command, the collected keylogging data is saved in the %SystemDirectory% path, and the file name used is the string “6gkIBfkS+qY=.key”, which is the “Default” string before being decrypted.
HiddenGh0st has a feature that installs Mimikatz, allowing it to steal account credentials from infected systems. In addition to the remote shell, the ShellManager class, responsible for the remote shell feature in the original Gh0st RAT, includes a command that installs Mimikatz under the name “GetMP.exe” and executes the following command. The malware transmits the account credentials collected from infected systems through processes like these to the C&C server.
|> GetMP privilege::debug sekurlsa::logonpasswords exit\r\n|
Among the newly added commands, there are many features related to remote control using RDP. These features can activate remote desktop or Internet sharing, change the port number for the remote desktop, and even use a command like the one below to enable guest accounts and register them in the administrator group.
|> net user guest /active:yes && net user guest 123456 && net localgroup administrators guest /add|
In addition, it also includes features that were supported by past RAT malware, such as commands to delete the cache of Internet Explorer, open or close the CD-ROM, hide the taskbar, and swap the left and right buttons of the mouse.
|> cmd.exe /c RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255|
Although the specific purpose has not been confirmed, a feature exists among the commands that sets the registry key value like the following. If the value “5750b8de793d50a8f9eaa777adbf58d4” is set through the threat actor’s command, it will be included with the basic information that HiddenGh0st transmits to the C&C server.
- HKLM\SYSTEM\CurrentControlSet\Services\BITS / 5750b8de793d50a8f9eaa777adbf58d4
- HKLM\SYSTEM\Setup / Host
2. Analysis of HiddenGh0st’s Rootkit
Hidden is an open-source rootkit driver publicly available on GitHub. It utilizes mini-filter drivers and kernel callback functions provided by the latest operating systems to hide files and registries, as well as protect processes. Due to these features, if used for malicious purposes, it can be employed to hide malware and prevent the termination of malicious processes. The CoinMiner known as PurpleFox also customized Hidden and utilized it in its attacks to hide the malware and obstruct removal efforts. 
HiddenGh0st installs the internally embedded Hidden rootkit during the execution process and uses it for the purpose of hiding and protecting the malware that acts as a backdoor. In this section, we will first analyze the basic features of the Hidden rootkit before outlining the process through which HiddenGh0st utilizes Hidden.
2.1. Analysis of Hidden Rootkit
2.1.1. Basic Operation
Hidden first reads the Config registered in the installation registry. These registry values are the configuration data automatically loaded and applied when the rootkit driver is loaded. For example, the following registry values were generated to transmit 4 commands.
After reading the initial configuration data, the initialization process of the process monitor, mini-filter, registry filter, and so on begins. Once each initialization process is completed, its protection and hiding features are performed based on the read configuration data. Finally, Stealth Mode, which is responsible for hiding the driver itself, can be initiated by referencing the hide settings, specifically the “Hid_StealthMode” value that can be set in the above registry. Stealth Mode hides the files and registry keys of Hidden, making it impossible to stop the corresponding services. Instead, a tool called HiddenCLI.exe can be used to deliver commands to deactivate and restore the driver.
|Hid_HideRegKeys||Hides registry key|
|Hid_HideRegValues||Hides registry value|
|Hid_IgnoredImages||Specifies exception process|
|Hid_ProtectedImages||Specifies protection process|
Additionally, HiddenCLI.exe uses the following IOCTL when transmitting commands to the Hidden driver.
|HID_IOCTL_SET_DRIVER_STATE||0x800||Sets driver status (Activate/Deactivate)|
|HID_IOCTL_GET_DRIVER_STATE||0x801||Returns current driver status|
|HID_IOCTL_SET_STEALTH_MODE||0x802||Sets stealth mode|
|HID_IOCTL_ADD_HIDDEN_OBJECT||0x83C||Adds stealth target|
|HID_IOCTL_REMOVE_HIDDEN_OBJECT||0x83D||Removes stealth target|
|HID_IOCTL_REMOVE_ALL_HIDDEN_OBJECT||0x83E||Removes all stealth targets|
|HID_IOCTL_ADD_OBJECT||0x846||Adds exception/protection process|
|HID_IOCTL_GET_OBJECT_STATE||0x847||Returns exception/protection process status|
|HID_IOCTL_SET_OBJECT_STATE||0x848||Sets exception/protection process status|
|HID_IOCTL_REMOVE_OBJECT||0x849||Removes exception/protection process|
|HID_IOCTL_REMOVE_ALL_OBJECT||0x84A||Removes all exception/protection processes|
2.1.2. Hiding Files
Hidden utilizes a file system mini-filter driver to hide files. File system filter drivers are kernel-mode components provided by Windows that allow monitoring and modification of file system requests such as opening, reading, and modifying files and directories. Mini-filter drivers are models that can control file systems using the Windows filter manager. As mentioned above, this allows file-related activities to be monitored and controlled without using kernel mode hooking techniques.
In Hidden, the monitored I/O operations include IRP_MJ_CREATE and IRP_MJ_DIRECTORY_CONTROL. IRP_MJ_CREATE is triggered when a handle is opened for a file or device object, and Hidden registers a pre-operation callback for this request. IRP_MJ_DIRECTORY_CONTROL is triggered when a directory is looked up, and Hidden registers both the pre-operation and post-operation callbacks for this request.
When monitoring IRP_MJ_CREATE, if the name of the file or directory targeted for handle opening matches an entry in the stealth target list, Hidden blocks access to them by returning STATUS_NO_SUCH_FILE. In the case of directory lookups, when monitoring IRP_MJ_DIRECTORY_CONTROL, Hidden removes the stealth target files and directories from the information obtained as a result of the request if the request matches an entry in the stealth list, effectively rendering them imperceptible to the user.
The filter manager loads each mini-filter driver at a unique altitude when registering them. Mini-filter drivers cannot be loaded with duplicate values, and Microsoft manages these altitudes for driver files. Additionally, Hidden is not an officially signed and registered driver, but in open-source, it uses 370030 as its altitude. (This is the same value as the altitude of Microsoft’s example mini-filter driver called passThrough.sys)
2.1.3. Protecting and Hiding Processes
Hidden provides a process protection feature and utilizes the ObRegisterCallbacks() function for these operations. This function registers callback routines that receive notifications about specific pre- and post-operations related to process and thread objects. Therefore, callback routines for actions such as the creation and duplication of handles for each object are registered, providing control by calling the registered callback routine first whenever a relevant operation occurs. The ObRegisterCallbacks() function, like mini-filter drivers, also requires an altitude value and designating it as 1000 is a characteristic of this function.
When looking at the OB_OPERATION_REGISTRATION structure specified during the ObRegisterCallbacks() function call, the registration of callback functions (ProcessPreCallback, ThreadPreCallback) for pre-operations related to handle creation and duplication for processes and threads (OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE) can be observed. As shown below, this callback function modifies the access permissions that were set when obtaining the handle for the protection target process to the minimum permission level. This modification makes it so that actions such as memory reading/writing and process termination cannot be performed.
Additionally, commands supported by Hidden include a feature to exclude specific designated processes from being hidden, and it maintains a separate process table to manage these exception processes. This table uses the PsSetCreateProcessNotifyRoutineEx() function to monitor the creation and termination of processes.
While not included in the rootkit used by HiddenGh0st, the source code does support process hiding functionality using Direct Kernel Object Manipulation (DKOM). The Windows kernel uses a structure called ‘EPROCESS’ to manage processes. EPROCESS is a doubly linked list structure where different processes are connected to each other. The rootkit receives the PID of the target process that will be hidden as an argument and accesses the EPROCESS of that process. It then checks the processes linked to Flink and Blink. Next, it links the processes that are connected before and after itself. Afterward, it ensures that its own Flink and Blink are pointing to itself, effectively excluding it from the doubly linked list of EPROCESS.
2.1.4. Hiding Registries
Hidden provides a registry key and value hiding feature and utilizes the CmRegisterCallbackEx() function for these operations. This function registers registry callback routines, and when registry-related operations occur, the registered callback routines are called first, providing control in this manner. The CmRegisterCallbackEx() function, like mini-filter drivers, also requires an altitude value. In Hidden, an arbitrary value of 320000 is used.
Hidden monitors the following 10 registry operations within its callback functions. In each of these functions, it checks whether the registry keys and values targeted by each operation are protected by the stealth command and whether the caller is an exempt process. Depending on these conditions, it may return values such as STATUS_ACCESS_DENIED or STATUS_NOT_FOUND, causing errors to occur upon performing lookups or making modifications impossible.
2.2. Hidden Rootkit of HiddenGh0st
HiddenGh0st creates the rootkit file contained in the DATA section under the path “%SystemDirectory%\drivers\QAssist.sys”. Depending on whether it’s an x86 or x64 architecture, it installs the respective rootkit. Afterward, it registers the created rootkit as the QAssist service, and the driver is loaded using the NtLoadDriver() function.
The Hidden rootkit created by HiddenGh0st differs from the original source code in two key ways. The first difference is that the routine responsible for reading and configuring “Hid_StealthMode” is modified, so even if this value is not set, the rootkit activates the hiding feature by default when the driver is loaded. The second difference is that the “Hid_HideImages” setting, which is responsible for hiding processes, is deactivated. Additionally, this matches the Hidden binary uploaded to GitHub, but this is because the process hiding feature was added after the binary compiled by the developer was uploaded.
The data set by HiddenGh0st is IgnoredImages, and since it operates as a service, it designates the service process as an exempt process.
The initial configuration includes only Hid_IgnoredImages, but the IOCTL command is later used to designate the stealth and exception target. First, the HiddenGh0st malware file and the HiddenGh0st service registered in the registry are added as targets to hide. Then, the HiddenGh0st process is added to the list of exception processes along with the “lsass.exe”, “lsm.exe”, and “audiodg.exe” system processes.
Typical attacks that target MS-SQL servers include brute force attacks and dictionary attacks to systems where account credentials are poorly being managed. Admins must also use passwords that cannot be easily guessed and change them periodically to protect the database servers from brute force and dictionary attacks.
V3 should be updated to the latest version so that malware infection can be prevented. Administrators should also use security programs such as firewalls for database servers accessible from outside to restrict access by external threat actors. If the above measures are not taken in advance, continuous infections by threat actors and malware can occur.
– Malware/Win32.RL_Generic.R356012 (2020.11.22.01)
– Trojan/Win.Generic.C4446276 (2021.04.30.03)
– Malware/Gen.Generic.C3228648 (2019.05.09.04)
– 69cafef1e25734dea3ade462fead3cc9: HiddenGh0st
– 0d92b5f7a0f338472d59c5f2208475a3: Hidden x86 Rootkit (QAssist.sys)
– 4e34c068e764ad0ff0cb58bc4f143197: Hidden x64 Rootkit (QAssist.sys)
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.