
Flowchart | Image: ASEC
In a revealing analysis, the AhnLab Security Intelligence Center (ASEC) has uncovered a sophisticated, ongoing malware campaign targeting Korean Internet cafés using a combination of Gh0st RAT, CoinMiner malware, and custom patchers. The attacks, believed to have started in the second half of 2024, are attributed to a threat actor active since at least 2022.
The threat actor’s objective is to hijack system resources for cryptocurrency mining, using a multi-stage infection chain:
- Initial Access: Though the exact method remains unknown, systems with Internet café management programs are disproportionately affected.
- Malware Deployment: The attackers install Gh0st RAT or its droppers, sometimes even embedding it into the memory space of trusted management software.
- Persistence and Control: Gh0st RAT is used to maintain long-term control, exfiltrate data, and deploy additional payloads.
- Final Payload: Ultimately, a T-Rex CoinMiner or PhoenixMiner is dropped to mine GPU-heavy coins like Ethereum or Ravencoin.
“The malware used in the attacks mostly consist of Gh0st RAT and its associated droppers, with the ultimate payload being the T-Rex CoinMiner,” the analysis explains.
Gh0st RAT, originally developed by the Chinese “C. Rufus Security Team,” continues to haunt unprotected systems. Despite its age, the open-source nature of the tool makes it a frequent weapon of choice for cybercriminals.
“The majority of malware used in the attacks are Gh0st RAT and its dropper,” ASEC confirms. “The type used in this attack includes not only the basic remote control features such as file and process control, but also keylogging and screen capturing.”
A standout feature in this campaign is a change in communication patterns—rather than the usual “Gh0st” tag, the threat actor uses the “Level” signature when communicating with command-and-control servers.
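A detector for that tag change, added here as an example and not taken from the ASEC report: it checks captured TCP payloads for the stock Gh0st framing (an assumed 5-byte tag, two little-endian uint32 lengths, then a zlib stream, as in the public Gh0st source) and accepts either the original "Gh0st" tag or the campaign's "Level" tag. The sample flows are constructed for the demonstration.

```python
import struct
import zlib

# Tags to watch for: the stock "Gh0st" magic and the "Level" replacement
# ASEC reports for this campaign.
KNOWN_TAGS = {b"Gh0st", b"Level"}
HEADER_LEN = 13  # assumed framing: 5-byte tag + uint32 total len + uint32 orig len


def parse_gh0st_frame(data: bytes):
    """Return (tag, payload) if `data` is one complete Gh0st-style frame, else None.

    Layout assumed from the public Gh0st source: tag (5 bytes), total frame
    length including the header (uint32 LE), uncompressed payload length
    (uint32 LE), then a zlib stream. Any inconsistency is treated as a miss
    so that random data starting with a known tag does not trigger an alert.
    """
    if len(data) < HEADER_LEN or data[:5] not in KNOWN_TAGS:
        return None
    total_len, orig_len = struct.unpack_from("<II", data, 5)
    if total_len != len(data) or total_len < HEADER_LEN:
        return None
    try:
        payload = zlib.decompress(data[HEADER_LEN:total_len])
    except zlib.error:
        return None
    if len(payload) != orig_len:
        return None
    return data[:5].decode("ascii"), payload


def scan_streams(streams):
    """Return [(stream_id, tag)] for every flow that carries a Gh0st-style frame."""
    hits = []
    for sid, data in streams:
        parsed = parse_gh0st_frame(data)
        if parsed:
            hits.append((sid, parsed[0]))
    return hits


def build_test_frame(tag: bytes, payload: bytes) -> bytes:
    """Constructed fixture for the demo, not traffic captured from the campaign."""
    body = zlib.compress(payload)
    return tag + struct.pack("<II", HEADER_LEN + len(body), len(payload)) + body


SAMPLE_STREAMS = [  # constructed flows
    ("flow-1", build_test_frame(b"Level", b"\x01heartbeat")),
    ("flow-2", build_test_frame(b"Gh0st", b"\x02" + b"A" * 64)),
    ("flow-3", b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    ("flow-4", b"Level" + b"\x00" * 20),  # known tag but inconsistent lengths
]

if __name__ == "__main__":
    for sid, tag in scan_streams(SAMPLE_STREAMS):
        print(f"{sid}: Gh0st-style frame with tag {tag!r}")
```

In practice the check runs per TCP flow after reassembly; a hit on the "Level" tag is a strong indicator specific to this campaign, while a "Gh0st" hit flags stock Gh0st RAT traffic.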
To avoid detection and enhance persistence, the attackers deployed Patcher malware that scans the memory of running programs for specific signatures and then patches the matching code in place.
“Among the malware strains… some are responsible for patching the memory of programs installed on counter PCs,” ASEC explains.
These in-memory edits disguise the presence of Gh0st RAT and, in the rare cases ASEC observed, also allow it to run on client systems rather than only on the counter PC.
Interestingly, the campaign also includes a KillProc module—malware designed to terminate rival miners and system processes that might interfere with the attacker’s operations.
“There are malware that terminate CoinMiners among the currently running processes… as well as unknown processes,” the report details.
Examples include:
- phoenixminer.exe
- mine.exe
- geekminer.exe
- notice.exe
- cmd.exe
- scvhost.exe
ASEC urges administrators to take the following steps:
- Update all operating systems and café management software.
- Install and maintain the latest version of antivirus products.
- Audit systems for suspicious binaries or processes using known IoC filenames like cmd.exe, mtn.exe, syn.exe, or gh0st.dll.
“Administrators must refer to the main file names in the IoC section to check for infection status and respond promptly,” ASEC advises.