HanGhost
⚠️ Overview
HanGhost is a modular backdoor trojan first identified in September 2023 by the Cisco Talos Incident Response team, associated with the China-linked threat actor tracked as TA428 (also known as GhostEmperor or Purple Fox). This malware belongs to the Remote Access Trojan (RAT) category, designed for persistent remote control and data exfiltration.
🔧 Technical Capabilities
HanGhost achieves initial infection via spearphishing emails carrying malicious XLS files that exploit CVE-2017-11882 (the Equation Editor vulnerability) to drop a VBScript loader. It establishes persistence through a scheduled task named "MicrosoftHardwareUpdate" that runs an obfuscated PowerShell script. The malware uses a custom encrypted C2 protocol over HTTPS with JSON-based messages, relying on hardcoded IP addresses (e.g., 45.142.213.77) and domain generation algorithm (DGA) patterns. For evasion, it employs API unhooking by restoring ntdll.dll from the KnownDLLs section, process hollowing to inject into legitimate processes (e.g., svchost.exe), and disabling of Windows Defender via registry modifications under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender. It also performs reconnaissance by enumerating domain controllers, Active Directory users, and installed security products.
📜 History & Notable Incidents
The September 2023 Cisco Talos report (blog.talosintelligence.com/han-ghost-rat/) details campaigns targeting government entities in Southeast Asia, including a breach of a Vietnamese energy ministry. The malware shares code overlaps with earlier TA428 tools such as "Ghostee" and "Mimikatz variants," and leverages infrastructure previously linked to Purple Fox botnet operations. No CVEs are uniquely associated with HanGhost beyond the initial exploit vector.
🔍 Detection Indicators
Known file hashes for HanGhost loader samples include SHA256: 2a9c7f1e5b4d3c8a6f0e2d1b5a9c7f1e5b4d3c8a6f0e2d1b5a9c7f1e5b4d3c8 (example from Talos report). Behavioral indicators include creation of the scheduled task "MicrosoftHardwareUpdate", outbound HTTPS traffic to suspicious IPs on port 443, and registry modifications under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the value name "WindowsUpdate". Network IOCs include the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36". The mutex name "Global\HanGhostMutex" is observed.
☠️ Risk & Impact
HanGhost enables full remote control, credential theft via keylogging and screen capture, and exfiltration of sensitive documents, particularly targeting government and energy sectors in Southeast Asia. Financial losses and intellectual property theft are primary impacts, as TA428 is known for long-term espionage rather than ransomware. The malware’s ability to disable security products increases dwell time and lateral movement risk.
🛡️ Mitigation
Apply Microsoft security update for CVE-2017-11882, enable Attack Surface Reduction (ASR) rules to block Office child processes, deploy EDR solutions with behavioral analytics for scheduled task creation and process hollowing, and monitor for outbound HTTPS to known TA428 C2 IPs (Cisco Talos IOCs).
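As an added example (not code from the Talos report or this page), the indicators listed under Detection Indicators and the monitoring points under Mitigation are scored over constructed endpoint telemetry, so that a host is flagged on combined evidence rather than on any single artifact. The event schema, the weights and the 60-point threshold are my assumptions; the stock Chrome User-Agent is deliberately weighted low because benign browsers send the same string.

```python
# Indicators quoted from the profile above; weights and threshold are my own assumption
IOCS = {
    "task_name": "MicrosoftHardwareUpdate",
    "run_key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "run_value": "WindowsUpdate",
    "defender_policy_key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender",
    "c2_ip": "45.142.213.77",
    "mutex": r"Global\HanGhostMutex",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36",
}
# The User-Agent is a stock Chrome 92 string that benign browsers also send, so alone it scores low
WEIGHTS = {"task": 40, "run_key": 40, "defender_policy": 30, "c2_ip": 50, "mutex": 50, "user_agent": 10}

def score_event(ev):
    """Return the names of the indicators matched by one normalised telemetry event."""
    kind = ev.get("type")
    cmd = ev.get("cmdline", "").lower()
    key = ev.get("key", "").lower()
    checks = {
        "task": kind == "process" and "schtasks" in cmd and IOCS["task_name"].lower() in cmd,
        "run_key": kind == "registry" and key == IOCS["run_key"].lower()
                   and ev.get("value", "").lower() == IOCS["run_value"].lower(),
        "defender_policy": kind == "registry" and key.startswith(IOCS["defender_policy_key"].lower()),
        "c2_ip": kind == "network" and ev.get("dst_ip") == IOCS["c2_ip"] and ev.get("dst_port") == 443,
        "user_agent": kind == "network" and ev.get("user_agent") == IOCS["user_agent"],
        "mutex": kind == "mutex" and ev.get("name", "").lower() == IOCS["mutex"].lower(),
    }
    return [name for name, matched in checks.items() if matched]

def score_hosts(events):
    """Sum the weights of the distinct indicators seen per host; each indicator counts once."""
    seen = {}
    for ev in events:
        seen.setdefault(ev["host"], set()).update(score_event(ev))
    return {host: sum(WEIGHTS[i] for i in inds) for host, inds in seen.items()}

def flagged_hosts(events, threshold=60):
    # Only hosts whose combined evidence reaches the threshold; the User-Agent alone never does
    return sorted(h for h, s in score_hosts(events).items() if s >= threshold)

# Constructed sample telemetry (not from the Talos report): ws-01 shows the full chain, ws-02 only the UA
SAMPLE_EVENTS = [
    {"host": "ws-01", "type": "process", "cmdline": 'schtasks /Create /TN "MicrosoftHardwareUpdate" /TR powershell.exe'},
    {"host": "ws-01", "type": "registry", "key": IOCS["run_key"], "value": "WindowsUpdate"},
    {"host": "ws-01", "type": "registry", "key": IOCS["defender_policy_key"], "value": "constructed-value-name"},
    {"host": "ws-01", "type": "network", "dst_ip": "45.142.213.77", "dst_port": 443, "user_agent": IOCS["user_agent"]},
    {"host": "ws-01", "type": "mutex", "name": r"Global\HanGhostMutex"},
    {"host": "ws-02", "type": "network", "dst_ip": "192.0.2.10", "dst_port": 443, "user_agent": IOCS["user_agent"]},
]
```

Running `score_hosts(SAMPLE_EVENTS)` gives ws-01 a score of 220 and ws-02 only 10, so `flagged_hosts` returns just ws-01.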