MENU
AVP for Institutionalization 2018

DILG STRATEGIC DIRECTION AVP

ACG-CYBER SECURITY BULLETIN NO 122 UNDERSTANDING GHOST RAT MALWARE

The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG).

The information provided was classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.

SUMMARY

Ghost RAT is a Trojan horse for the Windows platform that the operators of GhostNet used to hack into some of the most sensitive computer networks.  It is a cyber spying computer program.  The “Rat” part of the name refers to the software’s ability to operate as a “Remote Administration Tool”.

A GhostRat is a type of harmless malware which is usually unwanted on a system.  This usually monitors the behavior of the user to unleash targeted pop-up advertisements that degrades the computer performance.

GhostRat enters into a vulnerable machine via user download.  When a browser is opened, GhostRat begins running in the background and disguise as a program designed to improve user’s experience and functionality.  It only engaged in capturing information or attempting to advertise unwanted products and service.

Once installed, Ghost allows an attacker to take full control of the infected endpoint, log keystrokes, provide live webcam and microphone feeds, download and upload files, and other powerful features.  Another feature of Ghost RAT is the ability to obfuscate the client-server `communication using a proprietary network protocol.  This is wrapped up with a number of intuitive graphical user interfaces to make malicious remote control simple.

To avoid falling prey to these attacks, we highly encourage users to always be cautious before opening any attachments or clicking links contained in e-mail messages. It is fairly common for attackers to spoof government agencies and other institutions, thus users must verify the legitimacy of the e-mail they receive.

RECOMMENDATION

            All PNP personnel as well as the public are advised to follow the best practices listed for securing and protecting information whether for personal use or for work, to wit:

  • Delete any suspicious-looking e-mails received especially if links and/or attachments appear;
  • Use an anti-malware program to scan and remove threats;
  • Start Windows in Safe Mode;
  • Clean your Windows Registry;
  • Reduce exposure to infected sites and be cautious with e-mail attachments;
  • Use the keyword “HTTPS” at the beginning of each communication packet; and
  • Provide additional endpoint protection in your machines.

 

For additional information, please refer to the following websites:

 

  • https://blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-in-taiwan-uses-infamous-gh0st-rat/
  • https://cysinfo.com/hunting-and-decrypting-communications-of-gh0st-rat-in-memory/
  • file:///C:/Users/TouchMeNot/Desktop/Cascading%202018/February/so-ASOC-use-case-gh0st-rat.pdf

 

POINT OF CONTACT

            Please contact PCINSP ANGELICA STARLIGHT L. RIVERA, Chief, Personnel Records Management Section thru e-mail address This email address is being protected from spambots. You need JavaScript enabled to view it. or contact us on telephone number (632) 7230401 local 3562 for any inquiries related to this CYBER SECURITY BULLETIN.