Cyber security

Ghost – Unmasking The Intricacies Of A Remote Access Trojan

Ghost is a light RAT that gives the server/attacker full remote access to the user’s command-line interpreter (cmd.exe). They are allowed to execute commands silently without the client/zombie noticing.

The server/attacker is also given the ability to download and execute files on the client/zombie’s computer. This is also a silent and hidden process.

Like most Remote Access Trojans, this download and execution ability helps distribute viruses and other pieces of malware.

This malware is distributed simply by running zombie.exe. This file name can be changed to whatever. There is no restriction.

When run, it searches for the first two arguments (IP & Port). If neither is provided, the program doesn’t run. With that being said, make sure you provide the server’s IP and Port in the command-line arguments. Example:

zombie.exe 127.0.0.1 27015

Bot Features

  • Remote command execution
  • Silent background process
  • Download and run file (Hidden)
  • Safe Mode startup
  • Will automatically connect to the server
  • Data sent and received is encrypted (substitution cipher)
  • Files are hidden
  • Installed Antivirus shown to server
  • Easily spread malware through download feature
  • Startup info doesn’t show in msconfig or other startup checking programs like CCleaner
  • Disable Task Manager

When successfully started, it adds itself to the start-up pool and runs silently in the background. It will try to repeatedly connect to the server.

This process does not hog any memory or CPU usage. This means that the zombie will silently just idle in the background and whenever the server is up, it will automatically connect.

When starting the server, it will prompt for you a listening port. This is the port that you need to use in the command-line for zombie.exe.

Once you provide the port, your server information will be provided and the menu will be down. The IP address provided is your external IP.

With that being said, unless the client/zombie is actively looking and tracking open connections, it will probably be smart to run this server under a remote location if you want to stay anonymous.

If this does not interest you, simply renaming zombie.exe and/or changing the assembly information using a tool will likely fool the client/zombie.

Note: This project was only made for education purposes and to test out my recently published repositories (ahxrlogger & ahxrsocket). If you choose to use this for malicious reasons, you are completely responsible for the outcome.

Varshini

Tamil has a great interest in the fields of Cyber Security, OSINT, and CTF projects. Currently, he is deeply involved in researching and publishing various security tools with Kali Linux Tutorials, which is quite fascinating.

Recent Posts

Kali Linux 2024.4 Released, What’s New?

Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…

11 hours ago

Lifetime-Amsi-EtwPatch : Disabling PowerShell’s AMSI And ETW Protections

This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…

11 hours ago

GPOHunter – Active Directory Group Policy Security Analyzer

GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…

2 days ago

2024 MITRE ATT&CK Evaluation Results – Cynet Became a Leader With 100% Detection & Protection

Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…

5 days ago

SecHub : Streamlining Security Across Software Development Lifecycles

The free and open-source security platform SecHub, provides a central API to test software with…

1 week ago

Hawker : The Comprehensive OSINT Toolkit For Cybersecurity Professionals

Don't worry if there are any bugs in the tool, we will try to fix…

1 week ago