Pantegana RAT is an open-source, cross-platform botnet written in Golang that targets Windows, Linux, and macOS. It uses HTTPS for C2 communication, executes commands directly, handles multiple sessions, transfers files, and fingerprints systems.
Gh0st RAT, a well-known malware family used in cyber espionage, has adaptable source code dating back to the early 2000s. Its C2 infrastructure often responds with the packet flag “Gh0st,” which identifies compromised systems.
By sending a random byte sequence to a suspected C2 server, network defenders can potentially expose Gh0st RAT infections.
Volexity found threat actors using open-source malware such as Gh0st and Pantegana to infiltrate compromised servers. Hunt.io scans identified fewer than 10 servers infected by Gh0st, possibly because the actors switched tactics or employed techniques such as minor code modifications, altered network communication, and non-default TLS certificates.
One Gh0st server was detected on port 6161 with the domain “kuaidiyouhui.asia” (meaning “courier discount” in Chinese). The server’s RDP service on port 3389 used a certificate naming convention similar to that of the ShadowPad and LightSpy malware families.
An investigation of Gh0st infrastructure revealed a suspicious IP address (62(.)234.90.4) hosting a self-signed RDP certificate with an unusual common name, which also resolves to three domains (zchyedu(.)com) and another IP (125.228.229.229).
Further analysis by Hunt identified a self-signed AnyDesk Client certificate on port 7070 of the first IP, leading to the discovery of two more IPs (114.25.86.191 and 125.229.22.79) sharing the same certificate and located in Taiwan with the same hosting provider.
Pantegana RAT servers use a specific X.509 certificate signature with a 10-year validity period and distinct features for simple identification.
The certificate subject includes “localhost” as the common name, along with “Pantegana Inc.” located in the fictional “The Sewers,” Hawaii.
Similarly, the issuer fields mirror this information with “Pantegana Root CA,” which can be used to pinpoint default Pantegana RAT servers during security investigations.
Two servers using certificates resembling the default Pantegana certificate, likely to bypass detection, are located at 43.130.237.18 (Asia Pacific Network Information Center) and 119.28.107.67 (Tencent Cloud Computing).
While both IPs are flagged as clean in VirusTotal, they are hosting certificates spoofing a known malware family, and changes to the infrastructure warrant further investigation.
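The default Pantegana certificate fields described above are easy to turn into a defender-side check. The following script is an added example, not code from the article or from the Pantegana project; it assumes the certificate has already been collected as the dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the sample certificate embedded in it is constructed, not an observed one. It reports each default trait separately so that look-alike certificates that keep only some of the default fields, as in the two servers above, still surface.

```python
import ssl
from datetime import timedelta

# Subject fields of the default Pantegana RAT certificate described in the article.
PANTEGANA_SUBJECT = {
    "commonName": "localhost",
    "organizationName": "Pantegana Inc.",
    "localityName": "The Sewers",
    "stateOrProvinceName": "Hawaii",
}
PANTEGANA_ISSUER_CN = "Pantegana Root CA"
TEN_YEARS = timedelta(days=365 * 10)


def _flatten(name):
    """Flatten getpeercert()'s nested RDN tuples into a plain dict."""
    return {k: v for rdn in name for (k, v) in rdn}


def pantegana_indicators(cert):
    """Return the default-Pantegana traits found in a cert dict shaped like
    ssl.SSLSocket.getpeercert(); an empty list means nothing matched."""
    subject = _flatten(cert.get("subject", ()))
    issuer = _flatten(cert.get("issuer", ()))
    hits = []
    if all(subject.get(k) == v for k, v in PANTEGANA_SUBJECT.items()):
        hits.append("subject matches default Pantegana subject")
    if issuer.get("commonName") == PANTEGANA_ISSUER_CN:
        hits.append("issuer CN is Pantegana Root CA")
    try:
        lifetime = (ssl.cert_time_to_seconds(cert["notAfter"])
                    - ssl.cert_time_to_seconds(cert["notBefore"]))
        # Allow a few days of slack around a ten-year validity period.
        if abs(lifetime - TEN_YEARS.total_seconds()) <= 5 * 86400:
            hits.append("validity period is ten years")
    except (KeyError, ValueError):
        pass  # malformed or missing dates: no validity-period verdict
    return hits


# Constructed sample (not a real observed certificate) in getpeercert() layout.
SAMPLE_CERT = {
    "subject": ((("commonName", "localhost"),),
                (("organizationName", "Pantegana Inc."),),
                (("localityName", "The Sewers"),),
                (("stateOrProvinceName", "Hawaii"),)),
    "issuer": ((("commonName", "Pantegana Root CA"),),
               (("organizationName", "Pantegana Inc."),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 30 00:00:00 2033 GMT",
}

if __name__ == "__main__":
    for hit in pantegana_indicators(SAMPLE_CERT):
        print("match:", hit)
```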