PLAYFULGHOST is a backdoor derived from the publicly released Gh0st RAT. It uses distinct traffic patterns and encryption to evade detection and supports a range of malicious functions, including keylogging, screen capture, audio recording, remote shell access, and file manipulation.
PLAYFULGHOST is spread through deceptive methods such as phishing emails and SEO poisoning.
Phishing emails lure victims into downloading the malware under false pretenses, while SEO poisoning manipulates search engine results to promote bundled applications that contain the malware.
Two primary delivery methods have been observed for PLAYFULGHOST. In the first (phishing), attackers trick victims into opening a malicious RAR archive disguised as an image file (.jpg); the archive releases a malicious executable that then downloads and runs PLAYFULGHOST from a remote server.
In the second (SEO poisoning), victims are tricked into downloading a trojanized installer for legitimate software (e.g., LetsVPN), which drops another malicious executable that downloads the PLAYFULGHOST components from a remote server.
Two distinct execution scenarios were observed, and in both a legitimate executable was abused to side-load a malicious DLL. Scenario 1 used a renamed Tencent binary (“svchost.exe”) with “QiDianBrowserMgr.dll” as the malicious DLL.
Scenario 2 used a renamed “curl.exe” (“TIM.exe”) with “libcurl.dll” as the malicious DLL. In both cases the legitimate executable was made to load the malicious DLL, which then decrypted and loaded the PLAYFULGHOST payload (“3.TXT” and “Debug.log”, respectively) into memory, allowing the malware to carry out its functions.
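The two side-loading scenarios above share a detectable shape: a renamed or misplaced legitimate binary loading a DLL from its own directory. The following is an added detection sketch, not code from the report or from Mandiant; it runs over constructed, simplified process/image-load records whose field names (Image, ImageLoaded, ProcessOriginalFileName) are an assumption rather than any specific telemetry schema, and it raises an alert only when at least two weak indicators coincide.

```python
import ntpath

# Executable/DLL pairs named in the report (lower-cased for matching).
SIDELOAD_PAIRS = {"svchost.exe": "qidianbrowsermgr.dll", "tim.exe": "libcurl.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample records (assumed field names; not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "ProcessOriginalFileName": "svchost.exe"},
    {"Image": r"C:\Program Files\Editor\editor.exe", "ImageLoaded": r"C:\Program Files\Editor\ui.dll",
     "ProcessOriginalFileName": "editor.exe"},
    {"Image": r"C:\Users\Public\Downloads\svchost.exe",
     "ImageLoaded": r"C:\Users\Public\Downloads\QiDianBrowserMgr.dll",
     "ProcessOriginalFileName": "svchost.exe"},
    {"Image": r"C:\Users\Public\Downloads\TIM.exe", "ImageLoaded": r"C:\Users\Public\Downloads\libcurl.dll",
     "ProcessOriginalFileName": "curl.exe"},
]

def analyse(event):
    """Return the list of side-loading indicators present in one record."""
    image, loaded = event["Image"], event["ImageLoaded"]
    exe, dll = ntpath.basename(image).lower(), ntpath.basename(loaded).lower()
    findings = []
    # 1. A Windows system binary name running outside the system directories.
    if exe == "svchost.exe" and not image.lower().startswith(SYSTEM_DIRS):
        findings.append("svchost.exe running outside a system directory")
    # 2. On-disk name differs from the PE's original name (renamed binary).
    orig = event.get("ProcessOriginalFileName", "").lower()
    if orig and orig != exe:
        findings.append(f"renamed binary (original name {orig})")
    # 3. DLL resolved from the executable's own directory rather than a system path.
    same_dir = ntpath.dirname(image).lower() == ntpath.dirname(loaded).lower()
    if same_dir and not loaded.lower().startswith(SYSTEM_DIRS):
        findings.append("DLL loaded from the executable's directory")
    # 4. Exact executable/DLL pair reported for PLAYFULGHOST.
    if SIDELOAD_PAIRS.get(exe) == dll:
        findings.append("known PLAYFULGHOST side-load pair")
    return findings

def scan(events, threshold=2):
    """Alert on records with at least `threshold` indicators; returns (Image, findings)."""
    return [(e["Image"], f) for e in events if len(f := analyse(e)) >= threshold]

if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(findings))
```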
Mandiant observed several threat actors deploying PLAYFULGHOST alongside other tools: BOOSTWAVE, a shellcode dropper, delivered PLAYFULGHOST payloads.
TERMINATOR, an open-source tool, was used to terminate security products by abusing the zam64.sys driver. The QAssist.sys rootkit, embedded within PLAYFULGHOST, aimed to conceal malicious activities by hiding registry entries, files, and processes.
CHROMEUSERINFO.dll was used to steal sensitive data from Google Chrome, including saved login credentials.
PLAYFULGHOST establishes persistence on infected systems through registry keys, scheduled tasks, and startup entries, and grants remote attackers extensive control, including keylogging, screenshot capture, audio recording, file manipulation, and remote shell access.
It can collect sensitive data, disable security software, escalate privileges, and apply anti-forensic techniques. It also exhibits nuisance behaviors such as altering system settings, interfering with user input, and playing disruptive sounds.