Gh0st and Pantegana RAT Malware Bypass Scanners & Attack Networks

Pantegana RAT is an open-source, cross-platform botnet written in Go that targets Windows, Linux, and macOS. It uses HTTPS for C2 communication, executes commands directly on the host, handles multiple sessions, transfers files, and fingerprints systems.

Gh0st RAT, a well-known malware family used in cyber espionage, has source code that has been publicly available and adapted by many groups since the late 2000s. Its C2 servers often reply with packets that begin with the flag “Gh0st”, which can be used to identify them.

By sending a random byte sequence to a suspected C2 server and checking whether the reply carries that flag, network defenders can potentially expose Gh0st RAT infrastructure.
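As an added example, not code from the original article or from Hunt.io, the following Go program implements the probe described above: it writes random bytes to a target and checks whether the reply starts with the 13-byte Gh0st header (the 5-byte flag followed by two little-endian uint32 size fields). That header layout is assumed from the publicly available Gh0st source rather than stated on this page, and FakeGh0stServer is a constructed loopback stand-in for a default C2 so the program runs offline.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"time"
)

// A default Gh0st packet starts with the flag "Gh0st", then two little-endian
// uint32s (total size including this header, uncompressed payload size), then
// a zlib-compressed body. Only the 13-byte header matters for fingerprinting.
// Layout assumed from the public Gh0st source, not from the article.
const gh0stFlag = "Gh0st"
const gh0stHeaderLen = 13

type Gh0stHeader struct{ TotalSize, OriginalSize uint32 }

// ParseGh0stHeader accepts a reply only if it begins with a plausible header;
// HTTP banners, TLS alerts and short replies are rejected.
func ParseGh0stHeader(resp []byte) (Gh0stHeader, error) {
	if len(resp) < gh0stHeaderLen || !bytes.HasPrefix(resp, []byte(gh0stFlag)) {
		return Gh0stHeader{}, errors.New("no Gh0st header")
	}
	h := Gh0stHeader{
		TotalSize:    binary.LittleEndian.Uint32(resp[5:9]),
		OriginalSize: binary.LittleEndian.Uint32(resp[9:13]),
	}
	if h.TotalSize < gh0stHeaderLen { // the size field counts the header itself
		return Gh0stHeader{}, errors.New("implausible TotalSize")
	}
	return h, nil
}

// ProbeGh0st writes n random bytes and reports whether the reply carries a
// Gh0st header. A default C2 answers any inbound connection as if it were a
// victim checking in, which is what gives the scanner its signal.
func ProbeGh0st(conn net.Conn, n int) (bool, Gh0stHeader, error) {
	junk := make([]byte, n)
	if _, err := rand.Read(junk); err != nil {
		return false, Gh0stHeader{}, err
	}
	if _, err := conn.Write(junk); err != nil {
		return false, Gh0stHeader{}, err
	}
	_ = conn.SetReadDeadline(time.Now().Add(5 * time.Second))
	buf := make([]byte, 64)
	got, err := conn.Read(buf)
	if err != nil {
		return false, Gh0stHeader{}, err // silent or closed: no verdict
	}
	h, perr := ParseGh0stHeader(buf[:got])
	return perr == nil, h, nil // answered; perr says whether it was Gh0st
}

// FakeGh0stServer is a constructed loopback stand-in for a default C2 so the
// probe can be exercised offline: any inbound bytes get a header-only reply.
func FakeGh0stServer() (net.Listener, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				defer c.Close()
				if _, err := c.Read(make([]byte, 64)); err != nil {
					return
				}
				reply := make([]byte, gh0stHeaderLen)
				copy(reply, gh0stFlag)
				binary.LittleEndian.PutUint32(reply[5:], gh0stHeaderLen)
				c.Write(reply) // OriginalSize left at 0: no payload
			}(c)
		}
	}()
	return ln, nil
}

func main() {
	ln, err := FakeGh0stServer()
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	conn, err := net.DialTimeout("tcp", ln.Addr().String(), 5*time.Second)
	if err != nil {
		panic(err)
	}
	defer conn.Close()
	ok, h, err := ProbeGh0st(conn, 16)
	fmt.Printf("%s gh0st=%v header=%+v err=%v\n", ln.Addr(), ok, h, err)
}
```

To scan a real host, dial its address instead of the loopback listener and call ProbeGh0st on the connection; a silent or closed port yields an error rather than a verdict, so only a reply that parses counts as a hit. Scanning hosts you are not authorised to touch is likely to trip the target's own logging, so treat this as a tool for confirming your own telemetry or a dedicated research range.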

Pantegana RAT GitHub README

Volexity found threat actors using open-source malware such as Gh0st and Pantegana to infiltrate compromised servers, while Hunt.io scans identified fewer than 10 Gh0st servers, possibly because the actors switched tactics or employed evasion techniques such as minor code modifications, altered network communication, and non-default TLS certificates.

One Gh0st server was detected on port 6161 under the domain “kuaidiyouhui.asia” (“courier discount” in Chinese). The server’s RDP service on port 3389 used a certificate naming convention similar to that seen with ShadowPad and LightSpy malware.

Gh0st C2 Server

An investigation of Gh0st infrastructure revealed a suspicious IP address (62(.)234.90.4) hosting a self-signed RDP certificate with an unusual common name; that certificate is also associated with three domains (including zchyedu(.)com) and a second IP address (125(.)228.229.229).

Further analysis by Hunt.io identified a self-signed AnyDesk Client certificate on port 7070 of the first IP, which led to two more IPs (114(.)25.86.191 and 125(.)229.22.79) sharing the same certificate, both located in Taiwan with the same hosting provider.

Pivot on AnyDesk Certificate Results

Pantegana RAT servers ship with a default self-signed X.509 certificate that has a 10-year validity period and distinctive field values, which makes them simple to identify.

The certificate subject uses “localhost” as the common name, with the organization “Pantegana Inc.” located in the fictional locality “The Sewers” in Hawaii.

The issuer fields mirror this information, with the common name “Pantegana Root CA”; together these values can be used to pinpoint default Pantegana RAT servers during security investigations.

 SSL History for Gh0st C2 also Hosting DcRAT

Two servers using certificates that resemble the default Pantegana certificate but deviate from it, likely in an attempt to evade detection, are located at 43(.)130.237.18 (Asia Pacific Network Information Center) and 119(.)28.107.67 (Tencent Cloud Computing).

While both IPs are flagged as clean in VirusTotal, they host certificates that mimic a known malware family, and any changes to this infrastructure warrant further investigation.
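As an added example, not the article's or Pantegana's own code, the Go program below serves both the default-certificate description above and the two lookalike servers: it scores a certificate against the indicators named on this page (subject CN, O, L and ST, issuer CN, a roughly ten-year validity, and a self-signature) and reports whether the certificate is a stock Pantegana default, a partial lookalike worth a closer look, or unrelated. The certificates it scores are constructed in-process with the standard library; the “update.example.net” common name and one-year lifetime of the lookalike are assumptions chosen to illustrate a deviated certificate, and the scoring thresholds are the editor's, not Hunt.io's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Field values of the default Pantegana server certificate as described in the article.
const (
	panteganaCN       = "localhost"
	panteganaOrg      = "Pantegana Inc."
	panteganaLocality = "The Sewers"
	panteganaProvince = "Hawaii"
	panteganaIssuerCN = "Pantegana Root CA"
)

// Match records which of the seven indicators a certificate satisfied.
type Match struct {
	Hits  []string
	Total int
}

func first(s []string) string {
	if len(s) == 0 {
		return ""
	}
	return s[0]
}

// ScorePantegana compares a parsed certificate against the default fingerprint.
func ScorePantegana(c *x509.Certificate) Match {
	m := Match{Total: 7}
	hit := func(name string, ok bool) {
		if ok {
			m.Hits = append(m.Hits, name)
		}
	}
	hit("subject CN", c.Subject.CommonName == panteganaCN)
	hit("subject O", first(c.Subject.Organization) == panteganaOrg)
	hit("subject L", first(c.Subject.Locality) == panteganaLocality)
	hit("subject ST", first(c.Subject.Province) == panteganaProvince)
	hit("issuer CN", c.Issuer.CommonName == panteganaIssuerCN)
	year := 365 * 24 * time.Hour // default lifetime is ten years; allow a year of slop
	life := c.NotAfter.Sub(c.NotBefore)
	hit("10-year validity", life >= 9*year && life <= 11*year)
	// Self-signed: the certificate's own public key verifies its signature.
	hit("self-signed", c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil)
	return m
}

// Verdict maps a Match onto the outcomes an analyst cares about (thresholds assumed).
func Verdict(m Match) string {
	switch {
	case len(m.Hits) == m.Total:
		return "default Pantegana certificate"
	case len(m.Hits) >= 3:
		return "Pantegana lookalike, investigate"
	default:
		return "no Pantegana indicators"
	}
}

// makeCert builds a constructed self-signed test certificate whose issuer name
// may differ from its subject, as the Pantegana default does.
func makeCert(subject, issuer pkix.Name, years int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: subject,
		NotBefore: now, NotAfter: now.AddDate(years, 0, 0)}
	// CreateCertificate takes the issuer name from parent.Subject; signing with
	// the same key keeps the result self-signed despite the differing names.
	parent := &x509.Certificate{Subject: issuer}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// DefaultPanteganaCert reproduces the default subject/issuer layout (constructed sample).
func DefaultPanteganaCert() (*x509.Certificate, error) {
	subj := pkix.Name{CommonName: panteganaCN, Organization: []string{panteganaOrg},
		Locality: []string{panteganaLocality}, Province: []string{panteganaProvince}}
	iss := subj
	iss.CommonName = panteganaIssuerCN
	return makeCert(subj, iss, 10)
}

// LookalikeCert keeps the organisation fields and issuer but changes the CN and
// lifetime, a small edit that still leaves most indicators intact (constructed sample).
func LookalikeCert() (*x509.Certificate, error) {
	subj := pkix.Name{CommonName: "update.example.net", Organization: []string{panteganaOrg},
		Locality: []string{panteganaLocality}, Province: []string{panteganaProvince}}
	iss := subj
	iss.CommonName = panteganaIssuerCN
	return makeCert(subj, iss, 1)
}

func main() {
	for _, mk := range []func() (*x509.Certificate, error){DefaultPanteganaCert, LookalikeCert} {
		c, err := mk()
		if err != nil {
			panic(err)
		}
		m := ScorePantegana(c)
		fmt.Printf("%-20s %d/%d %v -> %s\n", c.Subject.CommonName, len(m.Hits), m.Total, m.Hits, Verdict(m))
	}
}
```

Against a live server, replace the constructed certificate with the leaf returned by `tls.Dial` (with `InsecureSkipVerify` set, since these certificates are self-signed and would otherwise fail verification) and pass `ConnectionState().PeerCertificates[0]` to ScorePantegana; a partial score is exactly the signal that the two IPs above produced.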

Kaaviya, Security Editor, Cyber Press (https://cyberpress.org/). Kaaviya is a Security Editor and fellow reporter with Cyber Press, covering cyber security incidents happening in cyberspace.