Hackers are using the notorious Gh0st RAT to seize control of internet café systems. They deploy the T-Rex CoinMiner to mine cryptocurrencies such as Ethereum and RavenCoin.
This campaign specifically focuses on systems running Korean Internet café management programs, which are integral for tracking customer usage and calculating fees.
Although the exact method of initial access remains under investigation, the scale and precision of these attacks suggest that the threat actors have a deep understanding of the targeted software. Due to the malware’s origins with a known hacking team, the threat actors are believed to be linked to Chinese-speaking groups.
The attackers deploy a multi-layered malware arsenal, starting with the RAT and its droppers, often packed with tools like MPRESS or Themida for obfuscation.
Gh0st RAT gives its operators full remote control of an infected machine. Once installed, it registers itself as a system service and exposes file and process manipulation, keylogging, and screen capture to the operator.
Communication with the C2 servers uses the signature string “Level” instead of the usual “Gh0st”, indicating a customised variant.
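As an added defensive illustration (not code from the original report), the following parser flags Gh0st-style traffic by its header rather than by a fixed signature string, so the “Level” variant is caught alongside stock “Gh0st”. It assumes the widely documented Gh0st header layout (5-byte signature, two 4-byte little-endian lengths, zlib-compressed body); the sample packet is constructed for testing, not captured traffic.

```python
import struct
import zlib

# Assumed Gh0st-family header layout: 5-byte signature, 4-byte LE total
# packet length (header included), 4-byte LE decompressed payload length,
# followed by a zlib stream.
HEADER_LEN = 13
SIGNATURES = (b"Gh0st", b"Level")  # stock string and the variant seen here


def parse_gh0st_packet(buf: bytes):
    """Return (signature, decompressed payload) if buf starts with an
    internally consistent Gh0st-style packet, otherwise None."""
    if len(buf) < HEADER_LEN:
        return None
    sig = buf[:5]
    if sig not in SIGNATURES:
        return None
    total_len, plain_len = struct.unpack_from("<II", buf, 5)
    # Reject lengths that do not fit the data we actually have.
    if total_len < HEADER_LEN or total_len > len(buf):
        return None
    try:
        payload = zlib.decompress(buf[HEADER_LEN:total_len])
    except zlib.error:
        return None
    # The declared decompressed size must match what zlib produced.
    if len(payload) != plain_len:
        return None
    return sig.decode(), payload


def make_sample_packet(sig: bytes, payload: bytes) -> bytes:
    """Build a constructed packet in the assumed layout (test fixture only)."""
    comp = zlib.compress(payload)
    return sig + struct.pack("<II", HEADER_LEN + len(comp), len(payload)) + comp


def scan_stream(data: bytes):
    """Slide over a byte stream and return (offset, signature, payload)
    for every consistent Gh0st-style packet found."""
    hits, i = [], 0
    while i + HEADER_LEN <= len(data):
        found = parse_gh0st_packet(data[i:])
        if found is None:
            i += 1
            continue
        hits.append((i, found[0], found[1]))
        i += struct.unpack_from("<I", data, i + 5)[0]  # skip the whole packet
    return hits
```

Feeding `scan_stream` a reassembled TCP stream reports each packet's offset and which signature it carried, which is enough to alert on the “Level” variant without a separate rule.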
Beyond remote access, the attackers deploy additional payloads such as the Patcher malware, which tampers with the memory of the management-software processes, and they maintain persistence by placing files that masquerade as legitimate system binaries such as “cmd.exe”.
Downloaders then fetch further malicious components, including the GPU-focused T-Rex CoinMiner, chosen because it runs efficiently on the high-performance gaming PCs common in Internet cafés.
The miner is installed under paths such as “%ProgramFiles(x86)%\Windows NT\mmc.exe”, and the file names are frequently changed to bypass updates from the software providers.
Notably, some components, such as KillProc, are designed to terminate competing miners and security processes, further securing the attackers’ foothold.
This sophisticated orchestration highlights a primary motive of cryptocurrency mining, augmented by the occasional use of tools like PhoenixMiner. The implications of these attacks are severe for Internet café operators, who must now prioritise system security.
South Korean Internet cafés should therefore keep their operating systems and management software updated to patch vulnerabilities, and keep security products current so that they can detect and block the malware.
Administrators should also check their systems against the IoCs that researchers have published for these attacks, including file hashes, URLs, and IP addresses, so that infections can be identified and contained quickly.
