Gh0st and Pantegana: Two RATs that Refuse to Fade Away

Introduction

Gh0st and Pantegana remote access tools/trojans (RATs) may seem unlikely to be discussed, but both have made notable appearances in network intrusions. Gh0st RAT, with its numerous variants, has been a consistent tool in the pocket of threat actors for many years. Pantegana, a relatively new entrant, has also been used in high-profile attacks.

Today, we’ll briefly examine the history of both malware families, exploring how they’re detected and leveraged by threat actors to attack networks. Given that neither family (the old-school Gh0st in this case) has seen much limelight recently, our post will check up on the infrastructure of both families identified by our scanners.

Finally, our analysis will examine customized Pantegana certificates, likely used to evade researchers and network scanners.

Brief Overview of Capabilities

• Pantegana RAT is an open-source, cross-platform botnet written in Golang targeting Windows, Linux, and macOS. The malware uses HTTPS for communications with the C2, supports direct command execution, handles multiple sessions, and facilitates file transfers and system fingerprinting.
  The GitHub page for Pantegana can be found here.

• Gh0st RAT is a well-known malware extensively used in cyber espionage. Its source code dates back to the early 2000s and is available on select Chinese-speaking underground forums. Its adaptability and many spin-off versions make it a persistent threat to this day.

If you're familiar with Gh0st, you likely know one of the characteristics of its C2 infrastructure is its response packet flag.

That default flag, believed to be exclusive to the RATs C2 servers, is simply ‘Gh0st’. While this flag has many variations, seeing the malware’s name in response remains a consistent identifier when paired with additional information like server location, hosting provider, etc.

We already showed methods for hunting malicious infrastructure, including Gh0st RAT. We highlighted that sending almost a random sequence of bytes (we used the string “asdasd” repeated 10 times) will result in the expected response.

How Threat Actors Deploy the RATs

• Cofense reported a phishing campaign disguised as an invoice dropping Gh0st RAT targeting a healthcare organization in mid-2023.

• In June 2022, Volexity identified the threat actor DriftingCloud installing a handful of open-source malware to a compromised server, one of them being Pantegana. Interestingly, the threat actor in this report used customized TLS certificates similar to what we’ll cover below.

Gh0st Observations

While our scans have identified fewer than 10 servers for each malware family, this suggests threat actors have likely moved on to other open-source and even some private frameworks to conduct attacks. Another reason for the limited detections could be minor changes in source code, network communications with the controller, and moving away from default TLS certificates.

Noteworthy C2s will be explained in more detail below.

Analyze any of the 80+ malware and offensive security tools we are tracking here: https://app.hunt.io/active-c2s.

47.120.59.37 (Aliyun Computing Co., LTD)

Our scanners encountered the Gh0st packet flag on port 6161 of the IP in Figure 3 above. Additionally, this infrastructure is associated with a domain, www.kuaidiyouhui.asia. “kuaidiyouhui” in Chinese translates to “courier or delivery discount” in English.

Lastly, the issuer and subject common name for the RDP service on port 3389 follows a naming convention we’ve previously covered for ShadowPad infrastructure and LightSpy infrastructure.

This time, the certificate is named “iZ80ugaqg8izq3Z”. The hashes for all certificates can be found in the Indicators section at the end of this post.

62.234.90.4 (Tencent Cloud Computing (Beijing) Co., Ltd)

The IP 62.234.90.4 hosts a self-signed RDP certificate with a common name formatted as a private IP address “10_0_16_7” using underscores instead of periods.

Figure 4 shows three suspicious domains currently resolving to this IP:

• zchyedu.com
• www.zchyedu.com
• img.zchyedu.com

125.228.229.229 (Chunghwa Telecom Co., Ltd.)

What caught our attention for the above IP address was a self-signed certificate on port 7070, with the common name of “AnyDesk Client.” More interestingly, pivoting on this IOC, we find that just 2 additional IP addresses share this certificate across the internet.

Those IPs are:

• 114.25.86.191
• 125.229.22.79.

All three servers are located in Taiwan and use the same hosting provider/ASN.

154.12.93.14 (Cogent Communications)

The final Gh0st IP we’ll examine was found to be hosting an X.509 certificate consistent with DcRAT (https://github.com/qwqdanchun/DcRat) servers.

Pantegana Observations

The Pantegana RAT uses a distinctive default certificate for its servers good for 10 years. Below are the details:

Subject Fields:

• Common Name (CN): localhost
• Country: US
• Organization: Pantegana Inc.
• City: The Sewers
• State: Hawaii

   

Issuer Fields:

• Common Name (CN): Pantegana Root CA
• Country: US
• Organization: Pantegana Inc.
• City: The Sewers
• State: Hawaii

These certificate details can help identify standard Pantegana RAT servers during infrastructure analysis.

154.92.19.225 (Guangzhou Yisu Cloud Limited)

Before we discuss the customized certificates that caught our attention during research, the IP in Figure 8 also hosted a Cobalt Strike Team Server while concurrently controlling Pantegana agents.

Our research identified **two **servers using certificates that closely resemble the default Pantegana certificate, with a few notable differences. The details are as follows:

Subject Fields:

• Common Name (CN): localhost
• Country: US
• Organization: Pant, Inc.
• City: The Sewers
• State: Hamai

   

Issuer Fields:

• Common Name (CN): Pant Root CA
• Country: US
• Organization: Pant, Inc.
• City: The Sewers
• State: Hamai

These subtle changes in the organization name and state spelling are likely designed to bypass scanners and researchers who only search for the default Pantegana certificate and then move on.

The two suspicious IP addresses are:

• 43.130.237.18 -> Asia Pacific Network Information Center, Pty. Ltd.
• 119.28.107.67 -> Tencent Cloud Computing (Beijing) Co., Ltd.

It should be noted that both of the above IPs are detected as clean in VirusTotal. However, this score should never be used as a concrete metric. At best, the servers are hosting certificates spoofing a well-known malware family, and changes made to the infrastructure will require tracking in addition to known Pantegana servers.

   

Stay Ahead of Adversary Infrastructure With Hunt

This blog post explored the intricacies of two prominent Remote Access Trojans (RATs) — Gh0st and Pantegana. We traced the historical development of these malware families, examined their deployment in recent cyberattacks, and analyzed the infrastructure supporting their operations. Our investigation revealed subtle yet significant modifications in certificates similar to Pantegana, highlighting the need for defenders and researchers not to rely on defaults for detection.

Join us at Hunt to stay ahead of emerging cyber threats. Our advanced tools and expert analyses will empower you to detect, understand, and mitigate sophisticated adversary infrastructure.

IPs/Hashes

IP Address	Notes/Hashes
47.120.59_37	Gh0st C2 - RDP Cert: D0A66FAFCC28FE8C1AEECFFCB56EFC76196AAC53CF64D438A172B5C0AF2EA6B4
60.204.235_186	Gh0st C2
62.234.90_4	Gh0st C2 - Private IP Cert: 81348A5F80957E3F584A216ECD636886BDA2F89FBC4B0E5A0F6CDABE815CB5E6
125.228.229_229	Gh0st C2 - AnyDesk Cert: 6CDB3B8125F0975BB1299D88EB650CF6ED12CA31F21A65D15758C957C7B9F18A
154.92.19_225	Pantegana C2 - Fingerprint: efbfbd6befbfbd4900efbfbddfb8efbfbd2aefbfbd6fefbfbd6913efbfbd717c341152efbfbd7aefbfbd1727efbfbd
198.98.62_227	Pantegana C2
209.141.41_176	Pantegana C2
209.141.46_83	Pantegana C2
43.130.237_18	Customized certificate similar to Pantegana - Fingerprint: 683c52efbfbd22efbfbd6658efbfbd121a317461efbfbd124c590f723d41412aefbfbd
119.28.107_67	Customized certificate similar to Pantegana - Fingerprint: 5b7c750d72efbfbd4cefbfbd7befbfbd50462d34efbfbd563a4a7befbfbd51efbfbd77efbfbd6511