ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > List all tools > List all groups using tool Ghambar

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: Ghambar

NamesGhambar
CategoryMalware
TypeBackdoor, Info stealer, Credential stealer
DescriptionCurrently, we identify this malware family as “Ghambar,” due to the word being used in some function names and variables inside the same malware’s code; also subsequent samples expose potentially personally identifiable information and alternative names. While Ghambar does not seem to share any significant codebase with past tools, we believe that Ghambar might be the successor of TinyZBot, which is one of the artifacts described by Cylance in the Operation Cleaver report. Similar to TinyZBot, Ghambar is also developed in C# and it employs the same SOAP­based command and control protocol. While it is provided with fewer features, Ghambar appears better designed and with a cleaner code style.

Interestingly, Ghambar is designed to leave as little footprint on the system as possible. When collecting screenshots, clipboard data, and intercepted keystrokes, it attempts to directly send the data to the C&C without writing on disk.

While executing a parallel keylogger, Ghambar is also able to receive instructions from the C&C on additional tasks to execute. These tasks can be additional plugins to be downloaded and executed, generic tasks on the file system, or a number of predefined commands.

Ghambar is provided with a full­featured plugins system. If instructed to do so by the C&C, the malware is able to download, store, and execute any given plugin.

Other than generally creating, deleting and fetching files, Ghambar is also able to executed a number of predefined commands if instructed to do so by the C&C. The commands, identified by a command­type identifier, include the following:
• Self­destruct;
• Execute a command through 'cmd.exe' and return output;
• Take a screenshot;
• Shutdown the computer;
• Restart the computer;
• Logoff the user;
• Lock the computer;
• Turn on and off the monitor;
• Set and copy clipboard data;
• Enable or disable mouse/keyboard (although these procedures are not yet implemented);
• “Enable or disable desktop” (not implemented);
• Trigger a BSOD (also, not implemented).

While the sample we obtained might be an earlier stage still under development, Ghambar is alreadyprovided with enough features to make it a fully­functional backdoor.
Information<https://iranthreats.github.io/us-16-Guarnieri-Anderson-Iran-And-The-Soft-War-For-Internet-Dominance-paper.pdf>

Last change to this tool card: 20 April 2020

Download this tool card in JSON format

Previous: Gh0st RAT
Next: Ghole

All groups using tool Ghambar

ChangedNameCountryObserved

APT groups

XMagic Hound, APT 35, Cobalt Gypsy, Charming KittenIran2013-Dec 2020 HOTX

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key