
Threat Group Cards: A Threat Actor Encyclopedia

Tool: Gh0stnet

Names: Gh0stnet, Ghostnet, Remosh
Category: Malware
Type: Backdoor, Info stealer, Exfiltration
Description: (UCAM) Our next observation concerns the malware payloads used. These were packaged as either .doc or .pdf files that installed rootkits on the machines of monks who clicked on them. During our initial network monitoring exercise, we observed sensitive files being transferred out of the Office of His Holiness the Dalai Lama (OHHDL) using a modified HTTP protocol: the malware picked up files from local disks and sent them to three servers which, according to APNIC, were in China’s Sichuan province, using a custom protocol based on HTTP. The malware uses HTTP GET and HTTP POST messages to transfer files out and also appears to verify successful transmission. Sichuan, by the way, is the location of the Chinese intelligence unit specifically tasked with monitoring the OHHDL.
Information: <https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf>
<https://securitynews.sonicwall.com/xmlpost/gh0stnet-now-spreads-as-a-fileless-malware-nov-022017/>
<https://www.nartv.org/2019/03/28/10-years-since-ghostnet/>
<http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html>
Malpedia: <https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostnet>

Last change to this tool card: 13 May 2020
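The UCAM description above boils down to one observable: a single workstation pushing large volumes of data by HTTP POST to a handful of external servers that nobody else in the organisation talks to, interleaved with GET requests that look like transfer acknowledgements. The following is an added example of how to hunt for that pattern in web-proxy logs; it is not code from the ThaiCERT card, the UCAM report, or the GhostNet malware. The log format, the thresholds, the `.example.org` internal suffix and the sample log lines (which use RFC 5737 documentation addresses) are all constructed assumptions.

```python
"""Hunt for GhostNet-style HTTP exfiltration in proxy logs.

Added example, not code from the ThaiCERT card or the UCAM report.
Assumed proxy line format (one request per line):
    <unix_ts> <client_ip> <method> <url> <status> <bytes_client_to_server>
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log. 10.1.1.5 pushes ~1.25 MiB by POST to a single
# external host that no other client contacts, then GETs an "ack" URL;
# the other clients make small POSTs to a shared, unremarkable service.
SAMPLE_LOG = """\
1236000001 10.1.1.5 GET http://intranet.example.org/index.html 200 312
1236000002 10.1.1.5 POST http://203.0.113.10/upload.php 200 524288
1236000003 10.1.1.5 GET http://203.0.113.10/ack?id=1 200 118
1236000004 10.1.1.5 POST http://203.0.113.10/upload.php 200 786432
1236000005 10.1.1.7 POST http://updates.example.net/report 200 20480
1236000006 10.1.1.8 POST http://updates.example.net/report 200 15360
1236000007 10.1.1.9 POST http://updates.example.net/report 200 30720
1236000008 10.1.1.9 GET http://intranet.example.org/news 200 290
"""


def parse_log(text):
    """Parse the assumed proxy format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, method, url, status, nbytes = parts
        host = urlsplit(url).hostname
        if host is None:
            continue
        try:
            records.append({"ts": int(ts), "client": client,
                            "method": method.upper(), "host": host,
                            "status": int(status), "bytes": int(nbytes)})
        except ValueError:
            continue
    return records


def find_exfil_candidates(records, min_post_bytes=1_000_000,
                          max_clients_per_host=2,
                          internal_suffix=".example.org"):
    """Return (client, host) pairs that POSTed at least min_post_bytes to an
    external host contacted by at most max_clients_per_host distinct clients.
    GET requests from the same client to the same host are counted as a
    secondary signal (the report notes GETs used to verify transmission).
    Thresholds and the internal-domain allowlist are assumptions."""
    post_bytes = defaultdict(int)
    get_count = defaultdict(int)
    clients_per_host = defaultdict(set)
    for r in records:
        key = (r["client"], r["host"])
        clients_per_host[r["host"]].add(r["client"])
        if r["method"] == "POST":
            post_bytes[key] += r["bytes"]
        elif r["method"] == "GET":
            get_count[key] += 1

    hits = []
    for (client, host), nbytes in post_bytes.items():
        if host.endswith(internal_suffix):
            continue  # known-internal destination, assumed benign
        if nbytes < min_post_bytes:
            continue  # too little data to be a bulk file transfer
        if len(clients_per_host[host]) > max_clients_per_host:
            continue  # widely used service, not a private drop server
        hits.append({"client": client, "host": host, "post_bytes": nbytes,
                     "get_requests": get_count[(client, host)],
                     "distinct_clients": len(clients_per_host[host])})
    hits.sort(key=lambda h: -h["post_bytes"])
    return hits


if __name__ == "__main__":
    for hit in find_exfil_candidates(parse_log(SAMPLE_LOG)):
        print(f"{hit['client']} -> {hit['host']}: {hit['post_bytes']} B by POST, "
              f"{hit['get_requests']} GET(s), {hit['distinct_clients']} client(s) use host")
```

On the constructed sample only `10.1.1.5 -> 203.0.113.10` is reported; the three small POSTs to the shared update service stay below both the byte and the distinct-client thresholds. In practice the rare-destination check matters more than the byte count, since a patient implant can keep each POST small.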


All groups using tool Gh0stnet

Changed | Name | Country | Observed

APT groups

 | GhostNet, Snooping Dragon | China | 2009-2010 | X

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
