GhostAdmin

Malware

⚠️ Overview

GhostAdmin is a remote access trojan (RAT) first documented in public threat intelligence reports around March 2021 by Unit 42 (Palo Alto Networks), with follow-up analysis from Trend Micro and the Malware Analysis Center. The malware is attributed to the threat actor tracked as APT-C-36, also known as Blind Eagle, a Spanish-speaking group that primarily targets Latin American government entities and financial institutions. GhostAdmin is categorized as a commodity RAT with information-stealer functionality and is distributed mainly through spear-phishing emails carrying malicious Office documents or ISO attachments.

🔧 Technical Capabilities

GhostAdmin employs multiple persistence mechanisms, including scheduled tasks created under legitimate-sounding names and auto-start entries written under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. It communicates with its command-and-control (C2) infrastructure over HTTP/HTTPS with encrypted payloads, often mimicking legitimate services such as Google or Microsoft APIs to blend in. The RAT supports keylogging, screen capture, file exfiltration and remote shell execution. It uses process hollowing and DLL side-loading to evade detection, and can disable Windows Defender by modifying registry values. It does not self-propagate; it spreads through phishing campaigns, though it can drop secondary payloads such as AsyncRAT and njRAT. The C2 protocol uses JSON-based commands and a hardcoded user-agent string, Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36, chosen to look like ordinary Chrome browser traffic. Because the string is fixed, it doubles as a network indicator when combined with the C2 URI paths.

📜 History & Notable Incidents

GhostAdmin was first observed in the wild targeting Colombian government agencies in early 2021, with subsequent campaigns against Ecuadorian and Mexican financial institutions in 2022. In November 2021, Unit 42 published a detailed analysis linking GhostAdmin to the Blind Eagle group, which also operates the Vidar stealer. No CVEs are tied to GhostAdmin itself; initial compromise relies on Office documents that either carry malicious macros or exploit the Equation Editor vulnerabilities CVE-2017-11882 and CVE-2018-0802 (neither of which requires macros to be enabled). No law enforcement actions are documented, and the threat group remained active as of 2024.

🔍 Detection Indicators

The file hashes reproduced in the source (SHA256 a4b3c2d1e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6a7b8c9d0e1f2, attributed to the Unit 42 report, and MD5 1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p) contain non-hexadecimal characters and therefore cannot be genuine digests; obtain hashes from the original report before using them for blocking. Behavioral indicators include creation of scheduled tasks named WindowsUpdate or AdobeFlashUpdate, Run-key entries under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (or the HKCU equivalent noted above) with value names such as svchost.exe or dllhost.exe, and outbound connections to the 45.33.32.0/19 range. The ASN given for that range in the source, AS7018, is AT&T's and does not announce it, and a /19 of hosting-provider space is far too broad to block outright, so treat the range as a hunting lead rather than a blocklist entry. Network IOCs include HTTP POST requests to /api/v1/collect or /gate.php carrying encrypted payloads.
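The script below is an added triage example, not code from the cited reports or from Boteraser. It does two things a practitioner would want before acting on the indicators in the Technical Capabilities and Detection Indicators sections: it rejects malformed digest strings so they are never loaded into an EDR blocklist, and it runs the scheduled-task, Run-key and C2 indicators over constructed Sysmon-style and proxy-style log lines. The log layouts, field names and sample hosts are assumptions made for illustration, not any vendor's real schema.

```python
"""Triage helpers for the GhostAdmin indicators described on this page.
Added example: the sample events below are constructed, not taken from any
report, and the 'Key=Value|Key=Value' host layout and the proxy layout
'METHOD HOST PATH "USER-AGENT"' are simplified stand-ins for real log schemas."""
import re

# Behavioural and network indicators quoted from the page.
TASK_NAMES = {"windowsupdate", "adobeflashupdate"}
RUN_VALUE_NAMES = {"svchost.exe", "dllhost.exe"}
C2_PATHS = {"/api/v1/collect", "/gate.php"}
C2_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
         "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36")

# Either hive (HKLM or HKCU, long or short spelling); the value name is the last component.
RUN_KEY_RE = re.compile(
    r"^(?:HKLM|HKCU|HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\"
    r"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<value>[^\\]+)$",
    re.IGNORECASE)
TASK_NAME_RE = re.compile(r'/tn\s+"?([^"\s]+)"?', re.IGNORECASE)
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def valid_hash(algo: str, digest: str) -> bool:
    """Sanity-check a digest before loading it as an IOC: it must be hex of the
    right length.  Strings containing g-z, such as the hashes printed on this
    page, are rejected here instead of silently polluting a blocklist."""
    return (len(digest) == HEX_LEN[algo]
            and re.fullmatch(r"[0-9a-fA-F]+", digest) is not None)


def parse_event(line: str) -> dict:
    """Parse one constructed 'Key=Value|Key=Value' host event into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def hunt_host(lines):
    """Return findings for Run-key values and root-level scheduled task names
    that match the page's persistence indicators."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        m = RUN_KEY_RE.match(ev.get("TargetObject", ""))
        if m and m.group("value").lower() in RUN_VALUE_NAMES:
            findings.append(f"run-key persistence: {ev['TargetObject']} -> {ev.get('Details', '?')}")
        if ev.get("Image", "").lower().endswith("\\schtasks.exe"):
            t = TASK_NAME_RE.search(ev.get("CommandLine", ""))
            # Genuine Windows tasks live under \Microsoft\Windows\...; a bare
            # root-level 'WindowsUpdate' task is the suspicious shape, so only
            # the whole task name (leading backslash stripped) is compared.
            if t and t.group(1).lstrip("\\").lower() in TASK_NAMES:
                findings.append(f"scheduled-task persistence: {t.group(1)}")
    return findings


def hunt_network(lines):
    """Flag POSTs to the page's C2 paths that also carry the hardcoded UA.
    Requiring both fields keeps ordinary Chrome traffic to a /gate.php on
    some unrelated site from firing."""
    findings = []
    for line in lines:
        method, host, path, ua = re.match(r'(\S+) (\S+) (\S+) "(.*)"$', line).groups()
        if method == "POST" and path in C2_PATHS and ua == C2_UA:
            findings.append(f"possible GhostAdmin C2 beacon: {host}{path}")
    return findings


# Constructed Sysmon-like events (EventID 13 = registry value set, 1 = process create).
SAMPLE_HOST_EVENTS = [
    "EventID=13|Image=C:\\Users\\Public\\upd.exe|TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost.exe|Details=C:\\Users\\Public\\upd.exe",
    "EventID=13|Image=C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe|TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive|Details=C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background",
    "EventID=1|Image=C:\\Windows\\System32\\schtasks.exe|CommandLine=schtasks /create /tn WindowsUpdate /tr C:\\Users\\Public\\upd.exe /sc onlogon",
    "EventID=1|Image=C:\\Windows\\System32\\schtasks.exe|CommandLine=schtasks /query /tn \\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start",
]

# Constructed proxy lines; 203.0.113.10 is documentation address space, not a real C2.
SAMPLE_PROXY_LOG = [
    f'POST 203.0.113.10 /gate.php "{C2_UA}"',
    f'GET www.example.com /api/v1/collect "{C2_UA}"',
    'POST analytics.example.com /gate.php "python-requests/2.31"',
]

if __name__ == "__main__":
    for finding in hunt_host(SAMPLE_HOST_EVENTS) + hunt_network(SAMPLE_PROXY_LOG):
        print(finding)
```

Run as a script it prints two host findings (the svchost.exe Run value and the root-level WindowsUpdate task) and one network finding; the OneDrive Run entry, the legitimate \Microsoft\Windows\WindowsUpdate task path, the GET request and the POST with a different user-agent are all left alone, which is the behaviour to preserve when porting these checks to a SIEM.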

☠️ Risk & Impact

GhostAdmin is used mainly for credential theft and data exfiltration from targeted systems, which has translated into significant financial losses for affected financial institutions. In the Colombian government incident, sensitive documents and login credentials were compromised, with consequences for the agencies' security operations. The malware has affected the banking, government and energy sectors in Latin America, with estimated cumulative losses exceeding $5 million according to Trend Micro reporting from 2023.

🛡️ Mitigation

Defenders should block macro execution in Office documents from untrusted sources using Group Policy or Attack Surface Reduction rules (in particular "Block all Office applications from creating child processes" and "Block Office applications from creating executable content"), and deploy endpoint detection rules for the scheduled-task and registry behaviour listed above; file-hash rules should wait until valid digests are obtained from the original reports. Recommended security tools include Palo Alto Networks Cortex XDR with Threat Prevention signatures, and Microsoft Defender for Endpoint with behavioral detections for process hollowing and DLL side-loading. Patching CVE-2017-11882 and CVE-2018-0802 remains essential; Microsoft removed the Equation Editor component in the January 2018 update that fixed CVE-2018-0802, so a fully patched Office installation is not exposed to either exploit.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.