Cybersecurity researchers have documented a newly observed backdoor capable of executing files, capturing audio and screen activity, and opening a remote shell, which gives attackers a foothold for further operations. Known as PLAYFULGHOST, the malware is being distributed through trojanized VPN software pushed by phishing campaigns and SEO poisoning.
PLAYFULGHOST's feature set lets it collect a wide range of data. It can establish persistence on the host in four ways: a Run registry key, a scheduled task, the Windows Startup folder, and a Windows service. It can record keystrokes and capture screenshots and audio, and it harvests clipboard contents, system metadata, QQ account information, and the list of installed security products.
The malware can also perform file operations, clear Windows event logs, wipe clipboard data, drop additional payloads, and delete caches and profiles belonging to web browsers and messaging applications.
In addition, it can deploy Mimikatz, the open-source credential-dumping tool; a rootkit that hides registry keys, files, and processes chosen by the operator; and Terminator, an open-source tool that kills security processes through a BYOVD (Bring Your Own Vulnerable Driver) attack.
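The four persistence locations and the event-log clearing named above are also the most practical places to look for this family on a suspect host. The following PowerShell triage script is an added example, not code from the original report or from Google's analysis: it enumerates Run/RunOnce keys, Startup-folder items (resolving .lnk targets), enabled scheduled tasks, and auto-start services, flags any whose executable lives outside the Windows and Program Files trees, and then pulls recent "log cleared" events (Security 1102, System 104). The function names and the trusted-root heuristic are assumptions made for this example.

```powershell
# Added triage example (not from the original article). Run in an elevated shell.
# Heuristic: an autostart whose binary sits outside Windows/Program Files is worth a look.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Test-TrustedPath {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    # Take the executable token: first quoted segment, or first whitespace-delimited token.
    $exe = if ($Command.StartsWith('"')) { $Command.Split('"')[1] } else { $Command.Split(' ')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    foreach ($root in $trustedRoots) {
        if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-RunKeyEntries {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
            [pscustomobject]@{ Source = 'RunKey'; Name = "$k\$($p.Name)"; Command = [string]$p.Value }
        }
    }
}

function Get-StartupFolderEntries {
    $folders = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
    $shell = New-Object -ComObject WScript.Shell
    foreach ($f in $folders) {
        if (-not (Test-Path $f)) { continue }
        foreach ($item in Get-ChildItem -Path $f -File) {
            # A shortcut's real payload is its target, not the .lnk itself.
            $target = if ($item.Extension -eq '.lnk') { $shell.CreateShortcut($item.FullName).TargetPath } else { $item.FullName }
            [pscustomobject]@{ Source = 'StartupFolder'; Name = $item.FullName; Command = $target }
        }
    }
}

function Get-ScheduledTaskEntries {
    foreach ($t in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
        foreach ($a in $t.Actions) {
            if ($a.Execute) {
                [pscustomobject]@{ Source = 'ScheduledTask'; Name = "$($t.TaskPath)$($t.TaskName)"; Command = "$($a.Execute) $($a.Arguments)" }
            }
        }
    }
}

function Get-ServiceEntries {
    foreach ($s in Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' }) {
        [pscustomobject]@{ Source = 'Service'; Name = $s.Name; Command = $s.PathName }
    }
}

function Get-SuspiciousAutostarts {
    @(Get-RunKeyEntries) + @(Get-StartupFolderEntries) + @(Get-ScheduledTaskEntries) + @(Get-ServiceEntries) |
        Where-Object { -not (Test-TrustedPath $_.Command) }
}

function Get-LogClearEvents {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    # 1102 = Security log cleared; 104 = any other log cleared (recorded in System).
    foreach ($f in @(@{ LogName = 'Security'; Id = 1102; StartTime = $since },
                     @{ LogName = 'System';   Id = 104;  StartTime = $since })) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Log = $f.LogName; User = $_.UserId }
        }
    }
}

Get-SuspiciousAutostarts | Format-Table -AutoSize
Get-LogClearEvents -Days 7 | Format-Table -AutoSize
```

Treat the output as a shortlist, not a verdict: legitimate software installs autostarts in user-writable paths all the time, and, because PLAYFULGHOST is loaded through DLL sideloading and search-order hijacking, the autostart entry may point at a legitimately signed executable while the malicious code sits in a DLL beside it. Check the directory of each flagged executable for unexpected DLLs rather than judging the EXE alone.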
In most cases, PLAYFULGHOST reaches a system through phishing emails that impersonate legitimate VPN providers such as LetsVPN and lure the recipient into downloading a trojanized copy of the app.
In one case, the victim was tricked into opening a malicious RAR archive disguised as an image with a .jpg extension; it dropped a malicious Windows executable, which in turn downloaded and ran PLAYFULGHOST from a remote server. According to Google's Managed Defense team, the backdoor shares functionality with Gh0st RAT, whose source code was leaked publicly in 2008.
In the SEO poisoning variant, victims are steered to download a trojanized LetsVPN installer. Once run, it drops an interim payload that retrieves the backdoor components.
The backdoor is loaded using DLL sideloading and DLL search order hijacking: a loader DLL decrypts PLAYFULGHOST and maps it into memory. Campaigns have also been seen using Windows shortcut (LNK) files together with renamed legitimate binaries to combine several dropped files into a malicious DLL.
Here are a few tips to stay safe from this malware: