Gh0st and Pantegana: Two RATs that Refuse to Fade Away
Published on
Jun 12, 2024
Introduction
Gh0st and Pantegana remote access tools/trojans (RATs) may seem unlikely subjects for a post, but both have made notable appearances in network intrusions. Gh0st RAT, with its numerous variants, has been a consistent tool in the pocket of threat actors for many years. Pantegana, a relatively new entrant, has also been used in high-profile attacks.
Today, we’ll briefly examine the history of both malware families, exploring how they’re detected and how threat actors leverage them to attack networks. Given that neither family, least of all the old-school Gh0st, has seen much limelight recently, this post checks up on the infrastructure of both families identified by our scanners.
Finally, our analysis will examine customized Pantegana certificates, likely used to evade researchers and network scanners.
Brief Overview of Capabilities
- Pantegana RAT is an open-source, cross-platform botnet written in Golang targeting Windows, Linux, and macOS. The malware uses HTTPS for communications with the C2, supports direct command execution, handles multiple sessions, and facilitates file transfers and system fingerprinting.
The GitHub page for Pantegana can be found here.
- Gh0st RAT is a well-known malware extensively used in cyber espionage. Its source code dates back to the early 2000s and is available on select Chinese-speaking underground forums. Its adaptability and many spin-off versions make it a persistent threat to this day.
If you're familiar with Gh0st, you likely know one of the characteristics of its C2 infrastructure is its response packet flag.
That default flag, believed to be exclusive to the RAT’s C2 servers, is simply ‘Gh0st’. While this flag has many variations, seeing the malware’s name in the response remains a consistent identifier when paired with additional information such as server location, hosting provider, etc.
We have previously shown methods for hunting malicious infrastructure, including Gh0st RAT, and highlighted that sending an almost random sequence of bytes (we used the string “asdasd” repeated 10 times) to a Gh0st server results in the expected ‘Gh0st’ response.
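The flag check above can also be applied passively, to server-to-client bytes already captured on the wire, without probing anything. The following is an added example (not code from the post or from Hunt.io) that parses a Gh0st-style response. It assumes the classic Gh0st 3.6 layout: a 5-byte flag, a little-endian total length, a little-endian uncompressed length, then a zlib-compressed body; variants change the flag and sometimes more, so the flag list is kept extensible. The sample flows are constructed.

```python
import struct
import zlib

# Added example, not part of the post: passive check for Gh0st-style responses.
# Header layout assumed from Gh0st 3.6: flag[5] | total_len (u32 LE) |
# uncompressed_len (u32 LE) | zlib body. Variants may use a different flag.
GH0ST_FLAGS = (b"Gh0st",)
HEADER_LEN = 13


def parse_gh0st_packet(data: bytes, flags=GH0ST_FLAGS):
    """Return a dict describing a Gh0st-style packet, or None if it does not match."""
    if len(data) < HEADER_LEN or data[:5] not in flags:
        return None
    total_len, orig_len = struct.unpack("<II", data[5:HEADER_LEN])
    result = {
        "flag": data[:5].decode("ascii", "replace"),
        "total_len": total_len,
        "orig_len": orig_len,
        # A well-formed controller reply declares exactly the bytes on the wire.
        "length_ok": total_len == len(data),
        "payload": None,
        "orig_len_ok": False,
    }
    try:
        payload = zlib.decompress(data[HEADER_LEN:total_len])
    except zlib.error:
        return result  # flag matched but body is not zlib: still worth a look
    result["payload"] = payload
    result["orig_len_ok"] = len(payload) == orig_len
    return result


def find_gh0st_responses(flows):
    """flows: iterable of (server, port, server_to_client_bytes). Returns flagged hits."""
    hits = []
    for server, port, data in flows:
        parsed = parse_gh0st_packet(data)
        if parsed is not None:
            well_formed = parsed["length_ok"] and parsed["orig_len_ok"]
            hits.append((server, port, parsed["flag"], well_formed))
    return hits


def build_sample_packet(payload: bytes, flag: bytes = b"Gh0st") -> bytes:
    """Constructed test fixture in the layout above (not captured traffic)."""
    body = zlib.compress(payload)
    return flag + struct.pack("<II", HEADER_LEN + len(body), len(payload)) + body


if __name__ == "__main__":
    # Constructed sample flows: one Gh0st-style reply and one ordinary HTTP banner.
    sample_flows = [
        ("192.0.2.10", 6161, build_sample_packet(b"constructed-body")),
        ("192.0.2.11", 80, b"HTTP/1.1 200 OK\r\n\r\n"),
    ]
    for hit in find_gh0st_responses(sample_flows):
        print(hit)
```

The length fields are checked as well as the flag: a reply whose declared size disagrees with what was captured is still reported, but marked as not well formed, which is useful for telling a truncated capture from a matching controller.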
How Threat Actors Deploy the RATs
- Cofense reported a phishing campaign disguised as an invoice dropping Gh0st RAT targeting a healthcare organization in mid-2023.
- In June 2022, Volexity identified the threat actor DriftingCloud installing a handful of open-source malware to a compromised server, one of them being Pantegana. Interestingly, the threat actor in this report used customized TLS certificates similar to what we’ll cover below.
Gh0st Observations
Our scans have identified fewer than 10 servers for each malware family, which suggests threat actors have likely moved on to other open-source and even some private frameworks to conduct attacks. Another reason for the limited detections could be minor changes in the source code, in network communications with the controller, or a move away from default TLS certificates.
Noteworthy C2s will be explained in more detail below.
Analyze any of the 80+ malware and offensive security tools we are tracking here: https://app.hunt.io/active-c2s.
47.120.59.37 (Aliyun Computing Co., LTD)
Our scanners encountered the Gh0st packet flag on port 6161 of the IP in Figure 3 above. Additionally, this infrastructure is associated with a domain, www.kuaidiyouhui.asia. “kuaidiyouhui” in Chinese translates to “courier or delivery discount” in English.
Lastly, the issuer and subject common name for the RDP service on port 3389 follows a naming convention we’ve previously covered for ShadowPad infrastructure and LightSpy infrastructure.
This time, the certificate is named “iZ80ugaqg8izq3Z”. The hashes for all certificates can be found in the Indicators section at the end of this post.
62.234.90.4 (Tencent Cloud Computing (Beijing) Co., Ltd)
The IP 62.234.90.4 hosts a self-signed RDP certificate with a common name formatted as a private IP address “10_0_16_7” using underscores instead of periods.
Figure 4 shows three suspicious domains currently resolving to this IP:
- zchyedu.com
- www.zchyedu.com
- img.zchyedu.com
125.228.229.229 (Chunghwa Telecom Co., Ltd.)
What caught our attention for the above IP address was a self-signed certificate on port 7070, with the common name of “AnyDesk Client.” More interestingly, pivoting on this IOC, we find that just 2 additional IP addresses share this certificate across the internet.
Those IPs are:
- 114.25.86.191
- 125.229.22.79
All three servers are located in Taiwan and use the same hosting provider/ASN.
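The three certificate pivots above (the iZ…Z common name, the underscored private IP, and the shared “AnyDesk Client” name) are the kind of thing worth tagging automatically so that hosts sharing a certificate are grouped together. The following is an added example, not part of the post or Hunt.io tooling: it tags a certificate common name and groups IPs by tag and name. The regexes are assumptions, and the sample records reuse only the IPs and common names given in the post.

```python
import ipaddress
import re

# Added example, not part of the post. Patterns are assumptions based on the
# common names discussed above: the iZ...Z hostname form seen on the Aliyun host
# and an RFC 1918-style address written with underscores.
CLOUD_HOSTNAME = re.compile(r"^iZ[0-9a-z]{8,}Z$")
UNDERSCORED_IP = re.compile(r"^(\d{1,3})_(\d{1,3})_(\d{1,3})_(\d{1,3})$")


def classify_cn(cn: str) -> str:
    """Return a pivot tag for a certificate common name, or 'other'."""
    cn = cn.strip()
    m = UNDERSCORED_IP.match(cn)
    if m:
        try:
            ip = ipaddress.ip_address(".".join(m.groups()))
        except ValueError:  # an octet out of range: not really an address
            return "other"
        return "private-ip-underscored" if ip.is_private else "public-ip-underscored"
    if CLOUD_HOSTNAME.match(cn):
        return "cloud-instance-hostname"
    if cn.lower() == "anydesk client":
        return "anydesk-client-cn"
    return "other"


def pivot_groups(records):
    """records: iterable of (ip, cn). Group IPs by (tag, cn) to spot shared certificates."""
    groups = {}
    for ip, cn in records:
        tag = classify_cn(cn)
        if tag == "other":
            continue
        groups.setdefault((tag, cn.strip()), []).append(ip)
    return groups


if __name__ == "__main__":
    # Sample records built from the IPs and common names given in the post.
    sample = [
        ("47.120.59.37", "iZ80ugaqg8izq3Z"),
        ("62.234.90.4", "10_0_16_7"),
        ("125.228.229.229", "AnyDesk Client"),
        ("114.25.86.191", "AnyDesk Client"),
        ("125.229.22.79", "AnyDesk Client"),
    ]
    for key, ips in pivot_groups(sample).items():
        print(key, "->", ips)
```

A group with several IPs under one (tag, common name) key is the same pivot the post made by hand for the AnyDesk certificate; in practice the certificate hash, not only the name, should be the grouping key once it is available.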
154.12.93.14 (Cogent Communications)
The final Gh0st IP we’ll examine was found to be hosting an X.509 certificate consistent with DcRAT (https://github.com/qwqdanchun/DcRat) servers.
Pantegana Observations
The Pantegana RAT uses a distinctive default certificate for its servers, valid for 10 years. Below are the details:
Subject Fields:
- Common Name (CN): localhost
- Country: US
- Organization: Pantegana Inc.
- City: The Sewers
- State: Hawaii
Issuer Fields:
- Common Name (CN): Pantegana Root CA
- Country: US
- Organization: Pantegana Inc.
- City: The Sewers
- State: Hawaii
These certificate details can help identify standard Pantegana RAT servers during infrastructure analysis.
154.92.19.225 (Guangzhou Yisu Cloud Limited)
Before we discuss the customized certificates that caught our attention during research, note that the IP in Figure 8 also hosted a Cobalt Strike Team Server while concurrently controlling Pantegana agents.
Our research identified two servers using certificates that closely resemble the default Pantegana certificate, with a few notable differences. The details are as follows:
Subject Fields:
- Common Name (CN): localhost
- Country: US
- Organization: Pant, Inc.
- City: The Sewers
- State: Hamai
Issuer Fields:
- Common Name (CN): Pant Root CA
- Country: US
- Organization: Pant, Inc.
- City: The Sewers
- State: Hamai
These subtle changes in the organization name and state spelling are likely designed to bypass scanners and researchers who only search for the default Pantegana certificate and then move on.
The two suspicious IP addresses are:
- 43.130.237.18 -> Asia Pacific Network Information Center, Pty. Ltd.
- 119.28.107.67 -> Tencent Cloud Computing (Beijing) Co., Ltd.
It should be noted that both of the above IPs are detected as clean in VirusTotal. However, this score should never be used as a concrete metric. At best, the servers are hosting certificates spoofing a well-known malware family, and changes made to the infrastructure will require tracking in addition to known Pantegana servers.
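An exact-match filter on the default subject and issuer fields would miss the “Pant, Inc.” / “Hamai” certificates above. The following is an added example, not code from the post or from Hunt.io, that scores parsed certificate fields against the default Pantegana profile with a per-field edit-distance similarity, so near-copies are surfaced alongside exact matches. The 0.7 threshold and the scoring method are assumptions; the field values come from the post, and the unrelated certificate is constructed.

```python
# Added example, not part of the post: fuzzy match on X.509 subject/issuer fields
# against the default Pantegana profile, so that edited copies are still flagged.
PANTEGANA_DEFAULT = {
    "subject": {"CN": "localhost", "C": "US", "O": "Pantegana Inc.", "L": "The Sewers", "ST": "Hawaii"},
    "issuer": {"CN": "Pantegana Root CA", "C": "US", "O": "Pantegana Inc.", "L": "The Sewers", "ST": "Hawaii"},
}
NEAR_MATCH = 0.7  # assumed threshold on the mean per-field similarity


def levenshtein(a: str, b: str) -> int:
    """Edit distance in the standard dynamic-programming form."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def field_similarity(a: str, b: str) -> float:
    """1.0 for identical values (case-insensitive), 0.0 for entirely different ones."""
    a, b = a.lower(), b.lower()
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - levenshtein(a, b) / longest


def pantegana_score(cert: dict) -> float:
    """Mean similarity over the ten subject/issuer fields of the default profile."""
    sims = []
    for part, fields in PANTEGANA_DEFAULT.items():
        for key, expected in fields.items():
            sims.append(field_similarity(cert.get(part, {}).get(key, ""), expected))
    return sum(sims) / len(sims)


def classify_cert(cert: dict) -> str:
    """'pantegana-default', 'pantegana-near-variant', or 'unrelated'."""
    exact = all(
        cert.get(part, {}).get(key) == value
        for part, fields in PANTEGANA_DEFAULT.items()
        for key, value in fields.items()
    )
    if exact:
        return "pantegana-default"
    if pantegana_score(cert) >= NEAR_MATCH:
        return "pantegana-near-variant"
    return "unrelated"


# Customized certificate as described in the post (two servers).
CUSTOMIZED = {
    "subject": {"CN": "localhost", "C": "US", "O": "Pant, Inc.", "L": "The Sewers", "ST": "Hamai"},
    "issuer": {"CN": "Pant Root CA", "C": "US", "O": "Pant, Inc.", "L": "The Sewers", "ST": "Hamai"},
}
# Constructed, unrelated self-signed certificate for comparison.
UNRELATED = {
    "subject": {"CN": "example.com", "C": "DE", "O": "Example GmbH", "L": "Berlin", "ST": "Berlin"},
    "issuer": {"CN": "Example CA", "C": "DE", "O": "Example GmbH", "L": "Berlin", "ST": "Berlin"},
}

if __name__ == "__main__":
    for name, cert in (("default", PANTEGANA_DEFAULT), ("customized", CUSTOMIZED), ("unrelated", UNRELATED)):
        print(name, round(pantegana_score(cert), 3), classify_cert(cert))
```

Only the organization, state and issuer common name were edited in the customized certificates, so seven of the ten fields still match exactly and the mean similarity stays well above the threshold; a fingerprint-only or exact-string rule would score the same certificate as a miss.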
Stay Ahead of Adversary Infrastructure With Hunt
This blog post explored the intricacies of two prominent Remote Access Trojans (RATs) — Gh0st and Pantegana. We traced the historical development of these malware families, examined their deployment in recent cyberattacks, and analyzed the infrastructure supporting their operations. Our investigation revealed subtle yet significant modifications in certificates similar to Pantegana, highlighting the need for defenders and researchers not to rely on defaults for detection.
Join us at Hunt to stay ahead of emerging cyber threats. Our advanced tools and expert analyses will empower you to detect, understand, and mitigate sophisticated adversary infrastructure.
IPs/Hashes
| IP Address | Notes/Hashes |
|---|---|
| 47.120.59_37 | Gh0st C2 - RDP Cert: D0A66FAFCC28FE8C1AEECFFCB56EFC76196AAC53CF64D438A172B5C0AF2EA6B4 |
| 60.204.235_186 | Gh0st C2 |
| 62.234.90_4 | Gh0st C2 - Private IP Cert: 81348A5F80957E3F584A216ECD636886BDA2F89FBC4B0E5A0F6CDABE815CB5E6 |
| 125.228.229_229 | Gh0st C2 - AnyDesk Cert: 6CDB3B8125F0975BB1299D88EB650CF6ED12CA31F21A65D15758C957C7B9F18A |
| 154.92.19_225 | Pantegana C2 - Fingerprint: efbfbd6befbfbd4900efbfbddfb8efbfbd2aefbfbd6fefbfbd6913efbfbd717c341152efbfbd7aefbfbd1727efbfbd |
| 198.98.62_227 | Pantegana C2 |
| 209.141.41_176 | Pantegana C2 |
| 209.141.46_83 | Pantegana C2 |
| 43.130.237_18 | Customized certificate similar to Pantegana - Fingerprint: 683c52efbfbd22efbfbd6658efbfbd121a317461efbfbd124c590f723d41412aefbfbd |
| 119.28.107_67 | Customized certificate similar to Pantegana - Fingerprint: 5b7c750d72efbfbd4cefbfbd7befbfbd50462d34efbfbd563a4a7befbfbd51efbfbd77efbfbd6511 |