Musical Chairs: Multi-Year Campaign relying on the Gh0st RAT

Pierluigi Paganini September 09, 2015

Security experts at Paloalto Networks have uncovered a multiyear espionage campaign dubbed Musical Chairs Involving New Variant of Gh0st RAT Malware.

The Gh0st RAT malware is a popular remote administration tool (RAT) created in China in the early 2000s that was used in a number of cyber espionage operations. Targeted espionage operations on Tibetan activists, including the Operation Night Dragon and the GhostNet attacks, relied on the Ghost RAT to compromise the victims’ machines.

The source code of the Gh0st RAT malware is available on the Internet for free, this means that bad actors can customize and use it.

The threat actor behind the Musical Chairs recently deployed a new variant Gh0st RAT malware dubbed by the expert the “Piano Gh0st.” The researchers at Paloalto speculate that the actors behind these campaigns have been operating for over five years and used a single command and control server for almost two.

“Our evidence suggests the actors behind these attacks have been operating for over five years and have maintained a single command and control server for almost two. They use compromised e-mail accounts to distribute their malware widely and their targeting appears opportunistic rather than specific.” states a report published by Paloalto.

The infrastructure used in Musical Chairs stands out due to its longevity, attackers used the same machine to host multiple Gh0st RAT C&C servers.

“At the center of the infrastructure for the last two years is a Windows 2003 server using the IP address  The server uses a US-based IP address, but displays a Chinese language interface for Remote Desktop connections.”

The researchers differentiate the different variants of the Gh0st RAT malware by analyzing their “magic tag”, which is a code sent by the malware to the C&C server to identify itself. The original version of Gh0st RAT was using “Gh0st” as magic tag.

musical chairs Gh0st RAT magic tag

The bad actors behind the Musical Chairs campaign spread the Gh0st RAT malware using phishing e-mails as the attack vector. The messages are sent from US-based residential ISP e-mail addresses, the threat actors compromised legitimate accounts and the malicious emails are sent indiscriminately to all addresses in the victims’ address book.

“The threat actors behind the attacks use a “shotgun” approach, blasting e-mails to as many recipients as possible in hopes of tricking a small percentage of targets into opening the attack. The attackers generally do not rely upon any vulnerability exploitation, and instead rely on the user to open the attached executable to compromise their system.” continues the report.

The attackers used the following filenames of attachments in the Musical Chairs campaign:

  • “Pleasantly Surprised.exe”
  • “Beautiful Girls.exe”
  • “Sexy Girls.exe”
  • “gift card.exe”
  • “amazon gift card.pdf.exe”

In July, Musical Chairs began deploying a the Piano Gh0st variant which used a new wrapper file to hide the Gh0st RAT malware.

The malicious components are served as a self-extracting executable (SFW) that operates as the dropper and extracts its payload to “c:\microsoft\lib\ke\Piano.dll” and executes the “mystart” function within the DLL’s export address table (EAT) using rundll32.exe.

The experts still have no information on the motivation of this campaign.

Enjoy the report!

Pierluigi Paganini

(Security Affairs – Musical Chairs campaign, encryption)

you might also like

leave a comment