PLAYFULGHOST backdoor supports multiple information stealing features

PLAYFULGHOST is a new malware family with capabilities including keylogging, screen and audio capture, remote shell access, and file transfer/execution.

Google researchers analyzed a new malware family called PLAYFULGHOST that supports multiple features, including keylogging, screen and audio capture, remote shell, and file transfer/execution.

The PLAYFULGHOST backdoor shares functionality with Gh0st RAT, whose source code was publicly released in 2008.

The backdoor is distributed through:

  • Phishing emails with themes such as “code of conduct” to trick users into downloading the malware.
  • Bundling the malicious code with popular applications, like LetsVPN, and distributing it through SEO poisoning.

In one case analyzed by the researchers, the attack chain begins by tricking the victim into opening a malicious RAR archive disguised as an image file through a .jpg extension. When the archive is opened, it drops a malicious Windows executable, which eventually downloads and executes the PLAYFULGHOST payload from a remote server.

In the SEO poisoning cases, victims are tricked into downloading a trojanized installer for software like LetsVPN, which then downloads the backdoor components from a remote server.

PLAYFULGHOST backdoor

PLAYFULGHOST uses DLL search order hijacking and side-loading to execute a malicious DLL, with Mandiant researchers observing a sophisticated scenario involving a Windows shortcut and renamed “curl.exe” to sideload the malware.

“Mandiant observed a second, more sophisticated execution scenario which begins with a Windows LNK file named ‘QQLaunch.lnk’. This LNK file combines a text file named ‘h’ which contains the characters ‘MZ’ and a second file ‘t’ which contains the rest of PE payload to construct a new malicious DLL named ‘libcurl.dll’,” reads the report published by Google. “Then, the LNK file launches ‘QQLaunch.exe’, a legitimate binary from Tencent QQ, which launches another legitimate binary ‘TIM.exe’ which is a renamed version of the program CURL. TIM.exe then loads a malicious launcher DLL ‘libcurl.dll’ which will decrypt and load the PLAYFULGHOST payload from an encrypted file named ‘Debug.log’.”
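The two-part payload described in the quoted scenario (a stub file holding only the “MZ” magic plus a second file carrying the rest of the PE) can be hunted for on a triage copy of a suspect directory. The following Python is an added example, not code from the Google/Mandiant report: it treats any file that is exactly “MZ” as a candidate stub and reports sibling files that form a structurally valid PE when appended to it. The directory layout, file names and sample header bytes are constructed for the demo.

```python
import struct
import tempfile
from pathlib import Path

MAX_BODY = 32 * 1024 * 1024  # skip very large files when testing concatenation


def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_split_pe_pairs(directory) -> list[tuple[str, str]]:
    """Return (stub, body) file-name pairs where stub is just b'MZ' and stub+body is a PE.

    Neither half validates as a PE on its own, which is why a scanner that only
    checks whole files for an MZ/PE header misses this staging pattern."""
    files = [p for p in Path(directory).iterdir() if p.is_file()]
    stubs = [p for p in files if p.stat().st_size <= 2 and p.read_bytes() == b"MZ"]
    hits = []
    for stub in stubs:
        for body in files:
            if body == stub or body.stat().st_size > MAX_BODY:
                continue
            if looks_like_pe(b"MZ" + body.read_bytes()):
                hits.append((stub.name, body.name))
    return hits


def build_sample_pe(size: int = 0x100) -> bytes:
    """Constructed minimal image: DOS header with e_lfanew=0x80 and a PE signature there."""
    buf = bytearray(size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


def demo_in_tempdir() -> list[tuple[str, str]]:
    """Write constructed 'h' (MZ stub) and 't' (remainder) files plus a decoy, then scan."""
    pe = build_sample_pe()
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "h").write_bytes(pe[:2])
        (d / "t").write_bytes(pe[2:])
        (d / "readme.txt").write_bytes(b"benign text, not a PE body\n")
        return find_split_pe_pairs(d)


if __name__ == "__main__":
    print(demo_in_tempdir())  # [('h', 't')]
```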

Mandiant researchers observed the following additional malware families and utilities accompanying PLAYFULGHOST:

Malware / Utility (description and observed use case):

  • BOOSTWAVE: a shellcode that acts as an in-memory dropper for an appended Portable Executable (PE) payload. Use case: on one occasion, Mandiant observed a PLAYFULGHOST payload embedded within BOOSTWAVE.
  • TERMINATOR: an open-source tool written in C++ that reproduces the Spyboy technique to terminate all EDR/XDR/AV processes by abusing the zam64.sys driver. Use case: Mandiant observed the utility being deployed under the name 1.sys along with the download of PLAYFULGHOST components.
  • QAssist.sys: a rootkit embedded within PLAYFULGHOST capable of hiding registry entries, files, and processes specified by the threat actor. Use case: while not observed being used, Mandiant assesses that the rootkit is intended to hide malicious activity on the system.
  • CHROMEUSERINFO.dll: a DLL used by PLAYFULGHOST to retrieve Google Chrome user data, including stored login credentials. Use case: Mandiant observed an archive file containing CHROMEUSERINFO.dll along with other PLAYFULGHOST components.

PLAYFULGHOST maintains persistence through methods like run registry keys, scheduled tasks, startup folder, and Windows services.

The backdoor can drop additional payloads, block input, clear event logs, wipe clipboard, delete browser data, and erase profiles for apps like Skype and Telegram.

Google researchers provided event rules within Google Security Operations to detect PLAYFULGHOST activity.


Pierluigi Paganini

(SecurityAffairs – hacking, malware)
