Gh0st and Pantegana: Two RATs that Refuse to Fade Away

Gh0st and Pantegana: Two RATs that Refuse to Fade Away

Published on

Published on

Published on

Jun 12, 2024

Jun 12, 2024

Jun 12, 2024

Gh0st and Pantegana: Two RATs that Refuse to Fade Away
Gh0st and Pantegana: Two RATs that Refuse to Fade Away
Gh0st and Pantegana: Two RATs that Refuse to Fade Away
TABLE OF CONTENTS

Introduction

Gh0st and Pantegana remote access tools/trojans (RATs) may seem unlikely to be discussed, but both have made notable appearances in network intrusions. Gh0st RAT, with its numerous variants, has been a consistent tool in the pocket of threat actors for many years. Pantegana, a relatively new entrant, has also been used in high-profile attacks.

Today, we’ll briefly examine the history of both malware families, exploring how they’re detected and leveraged by threat actors to attack networks. Given that neither family (the old-school Gh0st in this case) has seen much limelight recently, our post will check up on the infrastructure of both families identified by our scanners.

Finally, our analysis will examine customized Pantegana certificates, likely used to evade researchers and network scanners.

Brief Overview of Capabilities

  • Pantegana RAT is an open-source, cross-platform botnet written in Golang targeting Windows, Linux, and macOS. The malware uses HTTPS for communications with the C2, supports direct command execution, handles multiple sessions, and facilitates file transfers and system fingerprinting.
    The GitHub page for Pantegana can be found here.
https://app.hunt.io/images/blogs/ghost-and-pantegana/figure_1.webp
Figure 1: Pantegana RAT GitHub README
  • Gh0st RAT is a well-known malware extensively used in cyber espionage. Its source code dates back to the early 2000s and is available on select Chinese-speaking underground forums. Its adaptability and many spin-off versions make it a persistent threat to this day.

If you're familiar with Gh0st, you likely know one of the characteristics of its C2 infrastructure is its response packet flag.

That default flag, believed to be exclusive to the RATs C2 servers, is simply ‘Gh0st’. While this flag has many variations, seeing the malware’s name in response remains a consistent identifier when paired with additional information like server location, hosting provider, etc.

We already showed methods for hunting malicious infrastructure, including Gh0st RAT. We highlighted that sending almost a random sequence of bytes (we used the string “asdasd” repeated 10 times) will result in the expected response.

How Threat Actors Deploy the RATs

  • Cofense reported a phishing campaign disguised as an invoice dropping Gh0st RAT targeting a healthcare organization in mid-2023.

  • In June 2022, Volexity identified the threat actor DriftingCloud installing a handful of open-source malware to a compromised server, one of them being Pantegana. Interestingly, the threat actor in this report used customized TLS certificates similar to what we’ll cover below.

Gh0st Observations

While our scans have identified fewer than 10 servers for each malware family, this suggests threat actors have likely moved on to other open-source and even some private frameworks to conduct attacks. Another reason for the limited detections could be minor changes in source code, network communications with the controller, and moving away from default TLS certificates.

Noteworthy C2s will be explained in more detail below.

Analyze any of the 80+ malware and offensive security tools we are tracking here: https://app.hunt.io/active-c2s.

https://app.hunt.io/images/blogs/ghost-and-pantegana/figure_2.webp
Figure 2: Gh0st Server Detections in Hunt

47.120.59.37 (Aliyun Computing Co., LTD)

https://app.hunt.io/images/blogs/ghost-and-pantegana/figure_3.webp
Figure 3: Gh0st C2 Server

Our scanners encountered the Gh0st packet flag on port 6161 of the IP in Figure 3 above. Additionally, this infrastructure is associated with a domain, www.kuaidiyouhui.asia. “kuaidiyouhui” in Chinese translates to “courier or delivery discount” in English.

Lastly, the issuer and subject common name for the RDP service on port 3389 follows a naming convention we’ve previously covered for ShadowPad infrastructure and LightSpy infrastructure.

This time, the certificate is named “iZ80ugaqg8izq3Z”. The hashes for all certificates can be found in the Indicators section at the end of this post.

62.234.90.4 (Tencent Cloud Computing (Beijing) Co., Ltd)

https://app.hunt.io/images/blogs/ghost-and-pantegana/figure_4.webp
Figure 4: Suspicious Domain Names on Gh0st Infrastructure

The IP 62.234.90.4 hosts a self-signed RDP certificate with a common name formatted as a private IP address “10_0_16_7” using underscores instead of periods.

Figure 4 shows three suspicious domains currently resolving to this IP:

125.228.229.229 (Chunghwa Telecom Co., Ltd.)

https://app.hunt.io/images/blogs/ghost-and-pantegana/figure_5.webp
Figure 5: Self-signed AnyDesk Client certificate

What caught our attention for the above IP address was a self-signed certificate on port 7070, with the common name of “AnyDesk Client.” More interestingly, pivoting on this IOC, we find that just 2 additional IP addresses share this certificate across the internet.

Those IPs are:

  • 114.25.86.191
  • 125.229.22.79.

All three servers are located in Taiwan and use the same hosting provider/ASN.

https://app.hunt.io/images/blogs/ghost-and-pantegana/figure_6.webp
Figure 6: Pivot on AnyDesk Certificate Results

154.12.93.14 (Cogent Communications)

The final Gh0st IP we’ll examine was found to be hosting an X.509 certificate consistent with DcRAT (https://github.com/qwqdanchun/DcRat) servers.

https://app.hunt.io/images/blogs/ghost-and-pantegana/figure_7.webp
Figure 7: SSL History for Gh0st C2 also Hosting DcRAT

Pantegana Observations

The Pantegana RAT uses a distinctive default certificate for its servers good for 10 years. Below are the details:

Subject Fields:

  • Common Name (CN): localhost
  • Country: US
  • Organization: Pantegana Inc.
  • City: The Sewers
  • State: Hawaii

   

Issuer Fields:

  • Common Name (CN): Pantegana Root CA
  • Country: US
  • Organization: Pantegana Inc.
  • City: The Sewers
  • State: Hawaii

These certificate details can help identify standard Pantegana RAT servers during infrastructure analysis.

154.92.19.225 (Guangzhou Yisu Cloud Limited)

https://app.hunt.io/images/blogs/ghost-and-pantegana/figure_8.webp
Figure 8: Cobalt Strike and Pantegana RAT Detections

Before we discuss the customized certificates that caught our attention during research, the IP in Figure 8 also hosted a Cobalt Strike Team Server while concurrently controlling Pantegana agents.

Our research identified **two **servers using certificates that closely resemble the default Pantegana certificate, with a few notable differences. The details are as follows:

Subject Fields:

  • Common Name (CN): localhost
  • Country: US
  • Organization: Pant, Inc.
  • City: The Sewers
  • State: Hamai

   

Issuer Fields:

  • Common Name (CN): Pant Root CA
  • Country: US
  • Organization: Pant, Inc.
  • City: The Sewers
  • State: Hamai

These subtle changes in the organization name and state spelling are likely designed to bypass scanners and researchers who only search for the default Pantegana certificate and then move on.

The two suspicious IP addresses are:

  • 43.130.237.18 -> Asia Pacific Network Information Center, Pty. Ltd.
  • 119.28.107.67 -> Tencent Cloud Computing (Beijing) Co., Ltd.

It should be noted that both of the above IPs are detected as clean in VirusTotal. However, this score should never be used as a concrete metric. At best, the servers are hosting certificates spoofing a well-known malware family, and changes made to the infrastructure will require tracking in addition to known Pantegana servers.

https://app.hunt.io/images/blogs/ghost-and-pantegana/figure_9.webp
Figure 9: Certificate and JA4X Information for 43.130.237_18

   

https://app.hunt.io/images/blogs/ghost-and-pantegana/figure_10.webp
Figure 10: SSL History for the Second Suspicious IP

Stay Ahead of Adversary Infrastructure With Hunt

This blog post explored the intricacies of two prominent Remote Access Trojans (RATs) — Gh0st and Pantegana. We traced the historical development of these malware families, examined their deployment in recent cyberattacks, and analyzed the infrastructure supporting their operations. Our investigation revealed subtle yet significant modifications in certificates similar to Pantegana, highlighting the need for defenders and researchers not to rely on defaults for detection.

Join us at Hunt to stay ahead of emerging cyber threats. Our advanced tools and expert analyses will empower you to detect, understand, and mitigate sophisticated adversary infrastructure.

IPs/Hashes

IP AddressNotes/Hashes
47.120.59_37Gh0st C2 -
RDP Cert: D0A66FAFCC28FE8C1AEECFFCB56EFC76196AAC53CF64D438A172B5C0AF2EA6B4
60.204.235_186Gh0st C2
62.234.90_4Gh0st C2 - Private IP Cert: 81348A5F80957E3F584A216ECD636886BDA2F89FBC4B0E5A0F6CDABE815CB5E6
125.228.229_229Gh0st C2 - AnyDesk Cert: 6CDB3B8125F0975BB1299D88EB650CF6ED12CA31F21A65D15758C957C7B9F18A
154.92.19_225Pantegana C2 - Fingerprint: efbfbd6befbfbd4900efbfbddfb8efbfbd2aefbfbd6fefbfbd6913efbfbd717c341152efbfbd7aefbfbd1727efbfbd
198.98.62_227Pantegana C2
209.141.41_176Pantegana C2
209.141.46_83Pantegana C2
43.130.237_18Customized certificate similar to Pantegana - Fingerprint: 683c52efbfbd22efbfbd6658efbfbd121a317461efbfbd124c590f723d41412aefbfbd
119.28.107_67Customized certificate similar to Pantegana - Fingerprint: 5b7c750d72efbfbd4cefbfbd7befbfbd50462d34efbfbd563a4a7befbfbd51efbfbd77efbfbd6511
TABLE OF CONTENTS

Introduction

Gh0st and Pantegana remote access tools/trojans (RATs) may seem unlikely to be discussed, but both have made notable appearances in network intrusions. Gh0st RAT, with its numerous variants, has been a consistent tool in the pocket of threat actors for many years. Pantegana, a relatively new entrant, has also been used in high-profile attacks.

Today, we’ll briefly examine the history of both malware families, exploring how they’re detected and leveraged by threat actors to attack networks. Given that neither family (the old-school Gh0st in this case) has seen much limelight recently, our post will check up on the infrastructure of both families identified by our scanners.

Finally, our analysis will examine customized Pantegana certificates, likely used to evade researchers and network scanners.

Brief Overview of Capabilities

  • Pantegana RAT is an open-source, cross-platform botnet written in Golang targeting Windows, Linux, and macOS. The malware uses HTTPS for communications with the C2, supports direct command execution, handles multiple sessions, and facilitates file transfers and system fingerprinting.
    The GitHub page for Pantegana can be found here.
https://app.hunt.io/images/blogs/ghost-and-pantegana/figure_1.webp
Figure 1: Pantegana RAT GitHub README
  • Gh0st RAT is a well-known malware extensively used in cyber espionage. Its source code dates back to the early 2000s and is available on select Chinese-speaking underground forums. Its adaptability and many spin-off versions make it a persistent threat to this day.

If you're familiar with Gh0st, you likely know one of the characteristics of its C2 infrastructure is its response packet flag.

That default flag, believed to be exclusive to the RATs C2 servers, is simply ‘Gh0st’. While this flag has many variations, seeing the malware’s name in response remains a consistent identifier when paired with additional information like server location, hosting provider, etc.

We already showed methods for hunting malicious infrastructure, including Gh0st RAT. We highlighted that sending almost a random sequence of bytes (we used the string “asdasd” repeated 10 times) will result in the expected response.

How Threat Actors Deploy the RATs

  • Cofense reported a phishing campaign disguised as an invoice dropping Gh0st RAT targeting a healthcare organization in mid-2023.

  • In June 2022, Volexity identified the threat actor DriftingCloud installing a handful of open-source malware to a compromised server, one of them being Pantegana. Interestingly, the threat actor in this report used customized TLS certificates similar to what we’ll cover below.

Gh0st Observations

While our scans have identified fewer than 10 servers for each malware family, this suggests threat actors have likely moved on to other open-source and even some private frameworks to conduct attacks. Another reason for the limited detections could be minor changes in source code, network communications with the controller, and moving away from default TLS certificates.

Noteworthy C2s will be explained in more detail below.

Analyze any of the 80+ malware and offensive security tools we are tracking here: https://app.hunt.io/active-c2s.

https://app.hunt.io/images/blogs/ghost-and-pantegana/figure_2.webp
Figure 2: Gh0st Server Detections in Hunt

47.120.59.37 (Aliyun Computing Co., LTD)

https://app.hunt.io/images/blogs/ghost-and-pantegana/figure_3.webp
Figure 3: Gh0st C2 Server

Our scanners encountered the Gh0st packet flag on port 6161 of the IP in Figure 3 above. Additionally, this infrastructure is associated with a domain, www.kuaidiyouhui.asia. “kuaidiyouhui” in Chinese translates to “courier or delivery discount” in English.

Lastly, the issuer and subject common name for the RDP service on port 3389 follows a naming convention we’ve previously covered for ShadowPad infrastructure and LightSpy infrastructure.

This time, the certificate is named “iZ80ugaqg8izq3Z”. The hashes for all certificates can be found in the Indicators section at the end of this post.

62.234.90.4 (Tencent Cloud Computing (Beijing) Co., Ltd)

https://app.hunt.io/images/blogs/ghost-and-pantegana/figure_4.webp
Figure 4: Suspicious Domain Names on Gh0st Infrastructure

The IP 62.234.90.4 hosts a self-signed RDP certificate with a common name formatted as a private IP address “10_0_16_7” using underscores instead of periods.

Figure 4 shows three suspicious domains currently resolving to this IP:

125.228.229.229 (Chunghwa Telecom Co., Ltd.)

https://app.hunt.io/images/blogs/ghost-and-pantegana/figure_5.webp
Figure 5: Self-signed AnyDesk Client certificate

What caught our attention for the above IP address was a self-signed certificate on port 7070, with the common name of “AnyDesk Client.” More interestingly, pivoting on this IOC, we find that just 2 additional IP addresses share this certificate across the internet.

Those IPs are:

  • 114.25.86.191
  • 125.229.22.79.

All three servers are located in Taiwan and use the same hosting provider/ASN.

https://app.hunt.io/images/blogs/ghost-and-pantegana/figure_6.webp
Figure 6: Pivot on AnyDesk Certificate Results

154.12.93.14 (Cogent Communications)

The final Gh0st IP we’ll examine was found to be hosting an X.509 certificate consistent with DcRAT (https://github.com/qwqdanchun/DcRat) servers.

https://app.hunt.io/images/blogs/ghost-and-pantegana/figure_7.webp
Figure 7: SSL History for Gh0st C2 also Hosting DcRAT

Pantegana Observations

The Pantegana RAT uses a distinctive default certificate for its servers good for 10 years. Below are the details:

Subject Fields:

  • Common Name (CN): localhost
  • Country: US
  • Organization: Pantegana Inc.
  • City: The Sewers
  • State: Hawaii

   

Issuer Fields:

  • Common Name (CN): Pantegana Root CA
  • Country: US
  • Organization: Pantegana Inc.
  • City: The Sewers
  • State: Hawaii

These certificate details can help identify standard Pantegana RAT servers during infrastructure analysis.

154.92.19.225 (Guangzhou Yisu Cloud Limited)

https://app.hunt.io/images/blogs/ghost-and-pantegana/figure_8.webp
Figure 8: Cobalt Strike and Pantegana RAT Detections

Before we discuss the customized certificates that caught our attention during research, the IP in Figure 8 also hosted a Cobalt Strike Team Server while concurrently controlling Pantegana agents.

Our research identified **two **servers using certificates that closely resemble the default Pantegana certificate, with a few notable differences. The details are as follows:

Subject Fields:

  • Common Name (CN): localhost
  • Country: US
  • Organization: Pant, Inc.
  • City: The Sewers
  • State: Hamai

   

Issuer Fields:

  • Common Name (CN): Pant Root CA
  • Country: US
  • Organization: Pant, Inc.
  • City: The Sewers
  • State: Hamai

These subtle changes in the organization name and state spelling are likely designed to bypass scanners and researchers who only search for the default Pantegana certificate and then move on.

The two suspicious IP addresses are:

  • 43.130.237.18 -> Asia Pacific Network Information Center, Pty. Ltd.
  • 119.28.107.67 -> Tencent Cloud Computing (Beijing) Co., Ltd.

It should be noted that both of the above IPs are detected as clean in VirusTotal. However, this score should never be used as a concrete metric. At best, the servers are hosting certificates spoofing a well-known malware family, and changes made to the infrastructure will require tracking in addition to known Pantegana servers.

https://app.hunt.io/images/blogs/ghost-and-pantegana/figure_9.webp
Figure 9: Certificate and JA4X Information for 43.130.237_18

   

https://app.hunt.io/images/blogs/ghost-and-pantegana/figure_10.webp
Figure 10: SSL History for the Second Suspicious IP

Stay Ahead of Adversary Infrastructure With Hunt

This blog post explored the intricacies of two prominent Remote Access Trojans (RATs) — Gh0st and Pantegana. We traced the historical development of these malware families, examined their deployment in recent cyberattacks, and analyzed the infrastructure supporting their operations. Our investigation revealed subtle yet significant modifications in certificates similar to Pantegana, highlighting the need for defenders and researchers not to rely on defaults for detection.

Join us at Hunt to stay ahead of emerging cyber threats. Our advanced tools and expert analyses will empower you to detect, understand, and mitigate sophisticated adversary infrastructure.

IPs/Hashes

IP AddressNotes/Hashes
47.120.59_37Gh0st C2 -
RDP Cert: D0A66FAFCC28FE8C1AEECFFCB56EFC76196AAC53CF64D438A172B5C0AF2EA6B4
60.204.235_186Gh0st C2
62.234.90_4Gh0st C2 - Private IP Cert: 81348A5F80957E3F584A216ECD636886BDA2F89FBC4B0E5A0F6CDABE815CB5E6
125.228.229_229Gh0st C2 - AnyDesk Cert: 6CDB3B8125F0975BB1299D88EB650CF6ED12CA31F21A65D15758C957C7B9F18A
154.92.19_225Pantegana C2 - Fingerprint: efbfbd6befbfbd4900efbfbddfb8efbfbd2aefbfbd6fefbfbd6913efbfbd717c341152efbfbd7aefbfbd1727efbfbd
198.98.62_227Pantegana C2
209.141.41_176Pantegana C2
209.141.46_83Pantegana C2
43.130.237_18Customized certificate similar to Pantegana - Fingerprint: 683c52efbfbd22efbfbd6658efbfbd121a317461efbfbd124c590f723d41412aefbfbd
119.28.107_67Customized certificate similar to Pantegana - Fingerprint: 5b7c750d72efbfbd4cefbfbd7befbfbd50462d34efbfbd563a4a7befbfbd51efbfbd77efbfbd6511

Related Posts:

XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method
Nov 19, 2024

Discover XenoRAT’s adoption of Excel XLL files and Confuser’s tactical shift from its usual methods, with our insights on adapting to evolving malware techniques.

XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method
Nov 19, 2024

Discover XenoRAT’s adoption of Excel XLL files and Confuser’s tactical shift from its usual methods, with our insights on adapting to evolving malware techniques.

Targeting Innovation: Sliver C2 and Ligolo-ng Used in Operation Aimed at Y Combinator
Nov 12, 2024

Sliver C2 and Ligolo-ng join forces in a campaign likely targeting Y Combinator, revealing tactics and infrastructure aimed at the accelerator's network. Learn more.

Targeting Innovation: Sliver C2 and Ligolo-ng Used in Operation Aimed at Y Combinator
Nov 12, 2024

Sliver C2 and Ligolo-ng join forces in a campaign likely targeting Y Combinator, revealing tactics and infrastructure aimed at the accelerator's network. Learn more.

RunningRAT’s Next Move: From Remote Access to Crypto mining For Profit
Nov 5, 2024

RunningRAT has shifted from access-driven tactics to crypto mining, using open directories to stage payloads and reduce direct C2 traffic.

RunningRAT’s Next Move: From Remote Access to Crypto mining For Profit
Nov 5, 2024

RunningRAT has shifted from access-driven tactics to crypto mining, using open directories to stage payloads and reduce direct C2 traffic.

Oct 31, 2024

Discover an open directory of red team tools fit for Halloween, from Cobalt Strike to BrowserGhost.

Oct 31, 2024

Discover an open directory of red team tools fit for Halloween, from Cobalt Strike to BrowserGhost.

XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method
Nov 19, 2024

Discover XenoRAT’s adoption of Excel XLL files and Confuser’s tactical shift from its usual methods, with our insights on adapting to evolving malware techniques.

Targeting Innovation: Sliver C2 and Ligolo-ng Used in Operation Aimed at Y Combinator
Nov 12, 2024

Sliver C2 and Ligolo-ng join forces in a campaign likely targeting Y Combinator, revealing tactics and infrastructure aimed at the accelerator's network. Learn more.