PLAYFULGHOST Malware: Trojanized VPN Apps Used in Sophisticated Cyber Attacks

Cybersecurity researchers have discovered a powerful malware called PLAYFULGHOST. It boasts an arsenal of spying capabilities, including keylogging, screen capture, audio recording, and file manipulation. Google's Managed Defense team discovered this malware. PLAYFULGHOST shares functionality with the notorious Gh0st RAT, whose source code was leaked in 2008. However, this new strain is far more sophisticated and is being delivered through phishing emails and SEO poisoning techniques. Moreover, it targets unsuspecting users through trojanized VPN apps such as LetsVPN.

How Are Trojanized VPN Apps Spreading the Dangerous PLAYFULGHOST Malware?

PLAYFULGHOST uses deceptive methods to infiltrate victims' systems. One phishing campaign tricks users into extracting a malicious RAR archive disguised as a harmless image file. Once opened, the malware downloads and installs PLAYFULGHOST from a remote server. In contrast, SEO poisoning misleads users into downloading trojanized VPN installers for LetsVPN. Upon execution, these compromised installers deploy interim payloads that eventually retrieve and load PLAYFULGHOST into memory. Attackers use DLL hijacking and side-loading techniques to run malicious code inside legitimate processes, evading detection.

Extensive Features for Espionage and Sabotage

PLAYFULGHOST is built for endurance and stealth. It can entrench itself into a system using Run registry keys, scheduled tasks, and the Windows Startup folder, ensuring it remains active even after reboots. Its capabilities extend beyond espionage, allowing attackers to:

  • Capture keystrokes, screenshots, and audio.
  • Harvest system metadata and account details, including QQ and messaging profiles.
  • Wipe clipboard content and delete browser caches for Chrome, Firefox, and QQ.
  • Perform file operations and block mouse and keyboard inputs.

Moreover, it deploys tools like Mimikatz for credential theft and a rootkit to hide its presence. The malware also integrates an open-source utility called Terminator, which exploits vulnerable drivers to disable security processes.
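The three persistence locations named above (Run registry keys, scheduled tasks, and the Startup folder) are exactly the places a defender should review on a suspected host. The following read-only audit script is an added example, not code from the article or from Google's report; it lists every autostart entry from those locations and flags the ones launching from user-writable paths, which is where a payload dropped by a trojanized installer would typically sit.

```powershell
# Added example: read-only audit of the persistence locations the article attributes
# to PLAYFULGHOST. Run in an elevated PowerShell session to see HKLM and all tasks.
$findings = @()

# 1. Run / RunOnce registry keys (machine-wide and current user)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -match '^PS') { continue }   # skip PowerShell's own metadata properties
        $findings += [pscustomobject]@{ Source = 'Registry'; Location = $key; Name = $p.Name; Command = $p.Value }
    }
}

# 2. Scheduled tasks: record the executable and arguments of every action
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # skip COM-handler actions with no executable
        $findings += [pscustomobject]@{ Source = 'ScheduledTask'; Location = $task.TaskPath; Name = $task.TaskName; Command = "$($action.Execute) $($action.Arguments)" }
    }
}

# 3. Startup folders (current user and all users)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [pscustomobject]@{ Source = 'StartupFolder'; Location = $dir; Name = $_.Name; Command = $_.FullName }
    }
}

# Entries that start from user-writable locations deserve a closer look: legitimate
# vendor software normally runs from Program Files, not from Temp, AppData or Downloads.
$suspicious = $findings | Where-Object { $_.Command -match '\\(Temp|AppData|Downloads|Users\\Public)\\' }

$findings | Sort-Object Source, Name | Format-Table -AutoSize
"`nAutostart entries launching from user-writable paths (review manually):"
$suspicious | Format-Table Source, Name, Command -AutoSize
```

A hit in the second table is not proof of infection; compare each flagged file's hash and signature against the software the user actually installed before acting on it.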

The use of LetsVPN and the focus on apps like QQ and 360 Safety indicate that Chinese-speaking Windows users are the main targets. In a related campaign, fake installers for Google Chrome were used to distribute Gh0st RAT through a dropper dubbed Gh0stGambit. PLAYFULGHOST malware's rise highlights the evolving complexity of cyber threats, making vigilance and robust security measures more crucial than ever.


Laiba Mohsin

Laiba is an Electrical Engineer seeking a placement to gain hands-on experience in relevant areas of telecommunications. She likes to write about tech and gadgets. She loves shopping, traveling and exploring things.
