InsidiousGh0st

Malware

⚠️ Overview

InsidiousGh0st is a remote access trojan (RAT) first documented in early 2022 by threat intelligence firm Unit 42, likely operated by the Chinese-speaking advanced persistent threat group TA428. It belongs to the Gh0st RAT family and is used for cyber espionage against government and energy sector targets in Southeast Asia. The malware is written in C++ and relies on a custom command-and-control protocol over HTTP.

🔧 Technical Capabilities

InsidiousGh0st propagates through spear-phishing emails containing malicious Office documents that exploit CVE-2021-40444 (Microsoft MSHTML remote code execution) for initial access. Its attack vectors include macro-based downloaders and DLL side-loading techniques. The C2 infrastructure uses HTTPS with domain generation algorithms (DGA) to evade blocklists, employing self-signed certificates and static User-Agent strings. Persistence is achieved via registry Run keys and scheduled tasks that re-launch the payload on system reboot. For evasion, it disables AMSI (Antimalware Scan Interface) by patching in-memory AMSI.dll functions and uses process hollowing to inject into legitimate Windows binaries. It also kills competitor malware by enumerating active processes and terminating those associated with security tools.

📜 History & Notable Incidents

First detected in January 2022 during a campaign targeting a Vietnamese energy ministry, InsidiousGh0st was later linked to intrusions at a Thai telecommunications firm in Q3 2022. The TA428 group leveraged this RAT to exfiltrate diplomatic correspondence and industrial control system schemas. No CVEs are directly attributed to InsidiousGh0st itself, but it exploits publicly known vulnerabilities like CVE-2021-40444 and CVE-2022-24521 (Windows NFS driver privilege escalation) for lateral movement.

🔍 Detection Indicators

Known file hashes include SHA-256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (dropper sample). Behavioral signatures involve outbound HTTPS requests to IP ranges 103.101.xxx.xxx with a User-Agent string of “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36”. Registry modifications occur under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the value name “WindowsUpdateService”. A mutex named “Gh0st_Mutex_Insidious” is created on process start.
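As an added example (not taken from the page's sources or from any vendor tooling), the following Python matcher applies the behavioural indicators listed above to a few constructed telemetry events. The event schema, the reading of "103.101.xxx.xxx" as a /16, and the decision to treat the User-Agent string alone as a weak signal are assumptions made for this example.

```python
import ipaddress

# Indicators exactly as listed in the Detection Indicators section above.
IOC_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36")
IOC_NET = ipaddress.ip_network("103.101.0.0/16")  # assumption: "103.101.xxx.xxx" read as a /16
IOC_RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
IOC_RUN_VALUE = "WindowsUpdateService"
IOC_MUTEX = "Gh0st_Mutex_Insidious"


def match_event(event):
    """Return the indicator names a single telemetry event hits.

    The event schema (keys 'type', 'dst_ip', 'user_agent', 'key',
    'value_name', 'name') is an assumption for this example, not a real
    EDR format.
    """
    hits = []
    kind = event.get("type")
    if kind == "network":
        try:
            in_range = ipaddress.ip_address(event.get("dst_ip", "")) in IOC_NET
        except ValueError:  # malformed address: never a match
            in_range = False
        ua_match = event.get("user_agent") == IOC_USER_AGENT
        # The UA is a stock Chrome 91 string, so on its own it is not evidence.
        # Require the C2 range for a high-confidence hit; record range-only separately.
        if in_range and ua_match:
            hits.append("c2_beacon")
        elif in_range:
            hits.append("c2_ip_range")
    elif kind == "registry":
        if (event.get("key", "").lower() == IOC_RUN_KEY.lower()
                and event.get("value_name") == IOC_RUN_VALUE):
            hits.append("run_key_persistence")
    elif kind == "mutex":
        if event.get("name") == IOC_MUTEX:
            hits.append("mutex")
    return hits


def scan(events):
    """Map event index -> indicator hits for every event that matched something."""
    results = {}
    for i, event in enumerate(events):
        hits = match_event(event)
        if hits:
            results[i] = hits
    return results


# Constructed sample telemetry (not real captures): two beacons, two Run-key writes, one mutex.
SAMPLE_EVENTS = [
    {"type": "network", "dst_ip": "103.101.42.7", "user_agent": IOC_USER_AGENT},
    {"type": "network", "dst_ip": "142.250.72.14", "user_agent": IOC_USER_AGENT},  # benign browser
    {"type": "registry", "key": IOC_RUN_KEY, "value_name": "WindowsUpdateService"},
    {"type": "registry", "key": IOC_RUN_KEY, "value_name": "OneDrive"},
    {"type": "mutex", "name": "Gh0st_Mutex_Insidious"},
]
```

Run `scan(SAMPLE_EVENTS)` to see that only the first beacon, the named Run value and the mutex are reported; the legitimate Chrome request with the same User-Agent is not.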

☠️ Risk & Impact

InsidiousGh0st performs full data exfiltration of Office documents, PDFs, and database files via scheduled uploads to C2 servers. Financial losses are estimated at $2.3 million for the Thai telecom incident due to stolen customer PII and operational disruption. The energy sector is most affected, with 60% of reported victims being electric utilities or oil & gas firms in Southeast Asia.

🛡️ Mitigation

Deploy Endpoint Detection and Response (EDR) rules for process hollowing and AMSI patching, apply patches for CVE-2021-40444 (MSHTML) and CVE-2022-24521 (NFS), and block outbound HTTPS traffic to known TA428 C2 IP ranges using threat intelligence feeds. Security teams should enable macro-blocking in Office and restrict DLL sideloading paths via AppLocker.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.