HiddenGh0st Malware Attacking MS-SQL Servers

by Prapattimynk, Thursday, 21 September 2023 (5 months ago)
HiddenGh0st Malware Attacking MS-SQL Servers


Gh0st RAT is a remote control malware developed by the C. Rufus Security Team from China. Due to its source code being publicly available, malware developers use it as a reference as they continue developing numerous variants that are still actively used in attacks. Although the source code is public, Gh0st RAT is mainly used by threat actors based in China. Cases of Gh0stCringe RAT, a variant of Gh0st RAT, being distributed targeting database servers (MS-SQL, MySQL servers) were disclosed in a previous blog post. [1]

Numerous variants of Gh0st RAT are often used in attacks targeting MS-SQL servers. AhnLab Security Emergency response Center (ASEC) monitors attacks targeting poorly managed MS-SQL servers and publishes quarterly statistics through the ASEC Reports. The statistics categorize malware according to major categories such as backdoor, Trojan, HackTool, CoinMiner, etc., and they also cover the specific malware that are used in attacks within each category. Based on statistics from the second quarter of 2023, Gh0st RAT variants accounted for 29.0% of attack cases, making them the second most common, just behind Remcos RAT. [2]

Figure 1. Statistics on backdoors used in attacks against MS-SQL servers (Q2 2023)

ASEC has recently confirmed the distribution of a Gh0st RAT variant, which installs the Hidden rootkit, targeting poorly managed MS-SQL servers. Hidden, an open-source rootkit publicly accessible on GitHub, offers features that include hiding files, registry entries, and even itself, as well as providing the ability to protect processes. [3] Threat actors can potentially leverage these features to hide the presence of malware infections from users or hinder the removal of malware.

In this blog, the Gh0st RAT variant that installs the Hidden rootkit will be classified as HiddenGh0st. HiddenGh0st has been identified since at least 2022 and is still being distributed. Given the additional features added by the threat actor, including the ability to steal information from QQ Messenger, a platform predominantly utilized by Chinese users, it is suspected that Chinese users are the main target of these attacks.

Figure 2. HiddenGh0st being created by an MS-SQL server process

1. Analysis of HiddenGh0st

1.1. Initial Configuration

HiddenGh0st is distributed in a packed state to evade file detection. After decrypting the actual PE file encrypted in the DATA section, it is executed in the memory. At the same time, the configuration data is also transmitted in the size of 0x848.

Figure 3. Configuration data that is transmitted when the decrypted shellcode is executed

The transmitted configuration data is as follows. It not only includes the C&C URL, but it also supports a variety of configurations, such as the installation method, the name of the installation path and file, and whether to activate the rootkit.

OffsetDataDescription
0x0000“leifenghackyuankong.e3.luyouxia[.]net”C&C server address
0x012CNULLNot used
0x02580x3960 (14688)C&C server port number
0x025C0x0EE0Not used
0x0260“6gkIBfkS+qY=”Keylogging file name (“Default” upon being decrypted)
0x0292“tdC2pg==”Version information (“1.0” upon being decrypted)
0x02b2“QQ进程保护程序”Service name (Service mode)
0x0316“TX QQ”Service display name (Service mode)
0x0396SERVICE_DESCRIPTIONService configuration data (Service mode)
0x0496“5750b8de793d50a8f9eaa777adbf58d4”BITS registry configuration data
0x05980x0000External IP lookup status
0x059C0x0001Installation mode #1: Service
0x05A00x0000Installation mode #2: Startup Folder
0x05A40x0000without Rootkit
0x05A8“%SystemRoot%System32”Installation path name (Service mode)
0x060C“QQ进程保护程序.exe”Installation file name
0x063E0x0008Size of appended dummy data
0x06400x0007Property assigned to malware (Service mode)
FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_READONLY|FILE_ATTRIBUTE_SYSTEM
0x0648NULLDownload URL
Table 1. Initial configuration data

Many of the configuration data include options that are deactivated, and one notable example is the URL used by the downloader thread. If the threat actor had set a download URL, it is likely that the download of additional malware from an external source would have also occurred upon executing the HiddenGh0st.

Among the deactivated configuration data, there is also an option to activate a feature that retrieves the infected system’s public IP address. If this feature is enabled, the public IP address from http://www.taobao.com/help/getip.php will be obtained and included in the data sent to the C&C server.

1.2. Installation Process

1.2.1. Installation Mode #1 – Service

If the installation mode specified in the configuration data is set to “Service”, the installation time of the current malware is first saved in the MarkTime value of the key in HKLMSYSTEMSelect. Then, HiddenGh0st references the configuration data to copy the malware and register it as a service. By specifying the “-auto” argument during service registration, the malware is subsequently launched with the same “-auto” argument while operating as a service.

Figure 4. MarkTime value where the installation time was saved

Additionally, the configuration data also includes the size of the dummy data that will be appended. When the configuration value is 0x0008, a 0x00800000-sized dummy data is appended to the end of the malware. Once the process reaches this point, the service is executed and the following command is used to delete the original file. If HiddenGh0st operates as a service, it executes itself again with the argument “-acsi” and then the main routine proceeds.

> C:Windowssystem32cmd.exe /c ping -n 2 127.0.0.1 > nul && del [Malware path] > nul
1.2.2. Installation Mode #2 – Startup Folder

If the installation method is set to “Startup Folder” in the configuration data that is transmitted when the malware is executed, HiddenGh0st maintains persistence by copying itself to the startup folder instead of registering as a service. First, saving the installation time in the MarkTime value of the HKLMSYSTEMSelect key is the same as when the installation mode is service. Afterward, HiddenGh0st copies the currently running malware to the startup folder. A notable characteristic of this process is the use of the DefineDosDeviceA() API to create a symbolic link for the target path of the copy and its use in the copy process. The string “.agmkis2” is used as the name of the symbolic link.

Figure 5. File being copied using the symbolic link

The copied malware is then given the hidden attribute and the dummy data is added as per the configuration. Once this process is complete, the copied malware is executed, and the original malware deletes itself.

1.3. Transmission of Infected System Information

HiddenGh0st, much like the typical Gh0st RAT, collects and transmits basic information about the infected system to the C&C server after communication has been established.

OffsetCollected Data
0x00000x66
0x0004Windows version information
0x00A0CPU speed
0x00A4Number of CPUs
0x00A8Public IP address
0x00ACPrivate IP address
0x00B0Host name of the infected system
0x01B0Number of webcams
0x01B4Internet connection delay time
0x01B8Network interface speed
0x01BCMemory capacity
0x01C0Local disk capacity
0x01C4“Default” string (decrypted from the configuration data) or the “5750b8de793d50a8f9eaa777adbf58d4” value of the BITS registry
0x01F6System boot time
0x0216“1.0” (version)
0x0236List of installed security products
0x0268Wow64 availability
0x026CMalware installation time (MarkTime)
0x029ELogged in QQ Messenger number
0x03A0Whether 3 minutes has passed since the last key input
0x03A4Internet connection status (MODEM, LAN, PROXY)
Table 2. List of information transmitted to the C&C server

The information about installed security products is obtained by checking if the names of currently running processes contain any of the following keywords.

“360tray.exe”, “360sd.exe”, “kxetray.exe”, “KSafeTray.exe”, “QQPCRTP.exe” ,”HipsTray.exe” ,”BaiduSd.exe” ,”baiduSafeTray.exe” ,”KvMonXP.exe” ,”RavMonD.exe” ,”QUHLPSVC.EXE” ,”QuickHeal” ,”mssecess.exe” ,”cfp.exe”, “SPIDer.exe”, “DR.WEB”, “acs.exe”, “Outpost”, “V3Svc.exe” ,”AYAgent.aye” ,”avgwdsvc.exe” ,”AVG” ,”f-secure.exe” ,”F-Secure” ,”avp.exe” ,”Mcshield.exe”, “NOD32”, “knsdtray.exe”, “TMBMSRV.exe”, “avcenter.exe”, “ashDisp.exe” ,”rtvscan.exe” ,”remupd.exe” ,”vsserv.exe”, “BitDefender”, “PSafeSysTray.exe”, “ad-watch.exe”, “K7TSecurity.exe”, “UnThreat.exe”, “UnThreat”

Among the data transmitted to the C&C server by HiddenGh0st, the QQ number of the currently running QQ Messenger is also included. Since QQ Messenger is primarily used by users who can communicate in Chinese, it is speculated that the threat actor’s main targets are Chinese-speaking users.

Figure 6. Routine to obtain the QQ number from QQ messenger

HiddenGh0st compresses the 0x3BC size data obtained in this way and then prepends 0x0F size data to it. The prepended data includes information such as the signature string “hx”, the size of the data to be sent, and the original data’s size. The original Gh0st RAT used a signature string called “Gh0st” just like its name to communicate with the C&C server. Nonetheless, due to the public availability of its source code, Gh0st RAT has spawned numerous variants, and it is worth noting that in the past, Gh0stCringe RAT also employed “xy” as its signature string.

OffsetSizeDataDescription
0x000x03“hx “Signature string
0x030x040x000000ABSize of the data to be sent (0x9C + 0x0F that is the size of the compressed file)
0x070x040x000003BCSize of the original data
0x0B0x040x00000002Hard-coded
Table 3. Data that is transmitted before encryption

The data ultimately goes through an encryption process before being sent to the C&C server.

Figure 7. Packet encryption routine
Figure 8. Communication packet with the C&C server

1.4. Performing Commands

The threat actor based HiddenGh0st on the original Gh0st RAT when developing it, so it supports basic commands similar to those in the original Gh0st RAT, such as FileManager, ScreenManager, KeyboardManager, SystemManager, ShellManager, etc. Of course, HiddenGh0st supports many more commands. Below is a list of commands that can be received from the C&C server for execution. Only the main categories have been categorized here, so it should be known that each command is actually responsible for many more features. Commands that operate as threads and continuously send data to the C&C server use port 80 of the C&C server.

CommandFeature
0x00Standby
0x01[FileManager] File management: Looks up file, uploads, downloads, deletes, renames, executes, decompresses via WinRAR, etc.
0x08Chat
0x0AService management: Looks up service, starts, deletes, changes settings, etc.
0x0BProcess check: Checks whether it is currently running
0x0CWindows check: Checks whether it is currently running
0x10[ScreenManager] Captures screen, exfiltrates and changes clipboard contents
0x1CExecutes file
0x1DTerminates explorer (explorer.exe)
0x1EDeletes Internet Explorer cache
0x1FPort forwards
0x2D[KeyboardManager] Keylogger
0x33Outputs audio
0x34Exfiltrates QQ Messenger information
0x36[SystemManager] System management: Collects the list of processes/Windows supported by Gh0st RAT, steals Dialup account information, and has features to terminate processes. Furthermore, executes commands, controls threads, collects/modifies host files, etc.
0x48Message popup
0x49Sets the HKLMSYSTEMCurrentControlSetServicesBITS / 5750b8de793d50a8f9eaa777adbf58d4 value
0x4A[ShellManager] Remote shell: Remote shell feature supported by Gh0st RAT. Furthermore, steals account credentials via Mimikatz
0x4BShuts down computer
0x4CRestarts
0x4DUninstalls
0x4EEvent cleanup
0x52Etc: Opens/Closes CD-ROM, hides/reveals taskbar, switches left and right mouse buttons, etc.
0x60Download and execute files from an external source
0x62Copies malware to the startup folder
0x63Sets resolution
0x64Creates and executes file (HIDE)
0x65Creates and executes file (SHOW)
0x66Plugin installation: Downloads and executes the plugin.dll file
0x67URL connection: Connects to a specific website via Internet Explorer (HIDE)
0x68URL connection: Connects to a specific website via Internet Explorer (SHOW)
0x69Sets the HKLMSYSTEMSetup/Host value
0x6AStandby
0x6DRemote control-related: Activates/deactivates remote desktop, changes remote desktop port number, activates guest account, activates Internet sharing, configures/deletes user account, etc.
0x82Registry management
0x8ASpeculated as plugin-related: Looks up file, downloads/uploads, loads in the memory and executes
Table 4. List of commands supported by HiddenGh0st

Due to the wide range of features provided by HiddenGh0st, it offers even more features on top of the features supported by the original Gh0st RAT and the typical RAT malware.

At the initial execution stage, there were two encoded strings received as arguments from the configuration data. One is the string “1.0”, which is presumed to be the version information of the malware, and the other is the string “Default”. The latter is presumed to be used as an identifier for the malware since it is sent to the C&C server along with information about the infected system. If the threat actor activates the keylogger command, the collected keylogging data is saved in the %SystemDirectory% path, and the file name used is the string “6gkIBfkS+qY=.key”, which is the “Default” string before being decrypted.

Figure 9. Location where the keylogging data is saved

HiddenGh0st has a feature that installs Mimikatz, allowing it to steal account credentials from infected systems. In addition to the remote shell, the ShellManager class, responsible for the remote shell feature in the original Gh0st RAT, includes a command that installs Mimikatz under the name “GetMP.exe” and executes the following command. The malware transmits the account credentials collected from infected systems through processes like these to the C&C server.

> GetMP privilege::debug sekurlsa::logonpasswords exitrn
Figure 10. Execution routine of Mimikatz

Among the newly added commands, there are many features related to remote control using RDP. These features can activate remote desktop or Internet sharing, change the port number for the remote desktop, and even use a command like the one below to enable guest accounts and register them in the administrator group.

> net user guest /active:yes && net user guest 123456 && net localgroup administrators guest /add
Figure 11. Routine to activate remote desktop and change the port number

In addition, it also includes features that were supported by past RAT malware, such as commands to delete the cache of Internet Explorer, open or close the CD-ROM, hide the taskbar, and swap the left and right buttons of the mouse.

> cmd.exe /c RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255

Although the specific purpose has not been confirmed, a feature exists among the commands that sets the registry key value like the following. If the value “5750b8de793d50a8f9eaa777adbf58d4” is set through the threat actor’s command, it will be included with the basic information that HiddenGh0st transmits to the C&C server.

  • HKLMSYSTEMCurrentControlSetServicesBITS / 5750b8de793d50a8f9eaa777adbf58d4
  • HKLMSYSTEMSetup / Host
Figure 12. Registry key where the data received from the threat actor is written

2. Analysis of HiddenGh0st’s Rootkit

Hidden is an open-source rootkit driver publicly available on GitHub. It utilizes mini-filter drivers and kernel callback functions provided by the latest operating systems to hide files and registries, as well as protect processes. Due to these features, if used for malicious purposes, it can be employed to hide malware and prevent the termination of malicious processes. The CoinMiner known as PurpleFox also customized Hidden and utilized it in its attacks to hide the malware and obstruct removal efforts. [4]

HiddenGh0st installs the internally embedded Hidden rootkit during the execution process and uses it for the purpose of hiding and protecting the malware that acts as a backdoor. In this section, we will first analyze the basic features of the Hidden rootkit before outlining the process through which HiddenGh0st utilizes Hidden.

2.1. Analysis of Hidden Rootkit

2.1.1. Basic Operation

Hidden first reads the Config registered in the installation registry. These registry values are the configuration data automatically loaded and applied when the rootkit driver is loaded. For example, the following registry values were generated to transmit 4 commands.

Figure 13. Configuration data containing commands

After reading the initial configuration data, the initialization process of the process monitor, mini-filter, registry filter, and so on begins. Once each initialization process is completed, its protection and hiding features are performed based on the read configuration data. Finally, Stealth Mode, which is responsible for hiding the driver itself, can be initiated by referencing the hide settings, specifically the “Hid_StealthMode” value that can be set in the above registry. Stealth Mode hides the files and registry keys of Hidden, making it impossible to stop the corresponding services. Instead, a tool called HiddenCLI.exe can be used to deliver commands to deactivate and restore the driver.

RegistryFeature
Hid_StateActivates driver
Hid_StealthModeSelf-stealth mode
Hid_HideFsDirsHides directory
Hid_HideFsFilesHides file
Hid_HideRegKeysHides registry key
Hid_HideRegValuesHides registry value
Hid_IgnoredImagesSpecifies exception process
Hid_ProtectedImagesSpecifies protection process
Hid_HideImagesHides process
Table 5. Registry commands referenced by Hidden

Additionally, HiddenCLI.exe uses the following IOCTL when transmitting commands to the Hidden driver.

IOCTLNumberFeature
HID_IOCTL_SET_DRIVER_STATE0x800Sets driver status (Activate/Deactivate)
HID_IOCTL_GET_DRIVER_STATE0x801Returns current driver status
HID_IOCTL_SET_STEALTH_MODE0x802Sets stealth mode
HID_IOCTL_ADD_HIDDEN_OBJECT0x83CAdds stealth target
HID_IOCTL_REMOVE_HIDDEN_OBJECT0x83DRemoves stealth target
HID_IOCTL_REMOVE_ALL_HIDDEN_OBJECT0x83ERemoves all stealth targets
HID_IOCTL_ADD_OBJECT0x846Adds exception/protection process
HID_IOCTL_GET_OBJECT_STATE0x847Returns exception/protection process status
HID_IOCTL_SET_OBJECT_STATE0x848Sets exception/protection process status
HID_IOCTL_REMOVE_OBJECT0x849Removes exception/protection process
HID_IOCTL_REMOVE_ALL_OBJECT0x84ARemoves all exception/protection processes
Table 6. List of IOCTL numbers used by Hidden to transmit commands
2.1.2. Hiding Files

Hidden utilizes a file system mini-filter driver to hide files. File system filter drivers are kernel-mode components provided by Windows that allow monitoring and modification of file system requests such as opening, reading, and modifying files and directories. Mini-filter drivers are models that can control file systems using the Windows filter manager. As mentioned above, this allows file-related activities to be monitored and controlled without using kernel mode hooking techniques.

In Hidden, the monitored I/O operations include IRP_MJ_CREATE and IRP_MJ_DIRECTORY_CONTROL. IRP_MJ_CREATE is triggered when a handle is opened for a file or device object, and Hidden registers a pre-operation callback for this request. IRP_MJ_DIRECTORY_CONTROL is triggered when a directory is looked up, and Hidden registers both the pre-operation and post-operation callbacks for this request.

When monitoring IRP_MJ_CREATE, if the name of the file or directory targeted for handle opening matches an entry in the stealth target list, Hidden blocks access to them by returning STATUS_NO_SUCH_FILE. In the case of directory lookups, when monitoring IRP_MJ_DIRECTORY_CONTROL, Hidden removes the stealth target files and directories from the information obtained as a result of the request if the request matches an entry in the stealth list, effectively rendering them imperceptible to the user.

Figure 14. STATUS_NO_SUCH_FILE being returned for a stealth target

The filter manager loads each mini-filter driver at a unique altitude when registering them. Mini-filter drivers cannot be loaded with duplicate values, and Microsoft manages these altitudes for driver files. Additionally, Hidden is not an officially signed and registered driver, but in open-source, it uses 370030 as its altitude. (This is the same value as the altitude of Microsoft’s example mini-filter driver called passThrough.sys)

Figure 15. Altitude that can be seen in the Hidden.inf file
2.1.3. Protecting and Hiding Processes

Hidden provides a process protection feature and utilizes the ObRegisterCallbacks() function for these operations. This function registers callback routines that receive notifications about specific pre- and post-operations related to process and thread objects. Therefore, callback routines for actions such as the creation and duplication of handles for each object are registered, providing control by calling the registered callback routine first whenever a relevant operation occurs. The ObRegisterCallbacks() function, like mini-filter drivers, also requires an altitude value and designating it as 1000 is a characteristic of this function.

When looking at the OB_OPERATION_REGISTRATION structure specified during the ObRegisterCallbacks() function call, the registration of callback functions (ProcessPreCallback, ThreadPreCallback) for pre-operations related to handle creation and duplication for processes and threads (OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE) can be observed. As shown below, this callback function modifies the access permissions that were set when obtaining the handle for the protection target process to the minimum permission level. This modification makes it so that actions such as memory reading/writing and process termination cannot be performed.

Figure 16. Routine to change the permission

Additionally, commands supported by Hidden include a feature to exclude specific designated processes from being hidden, and it maintains a separate process table to manage these exception processes. This table uses the PsSetCreateProcessNotifyRoutineEx() function to monitor the creation and termination of processes.

While not included in the rootkit used by HiddenGh0st, the source code does support process hiding functionality using Direct Kernel Object Manipulation (DKOM). The Windows kernel uses a structure called ‘EPROCESS’ to manage processes. EPROCESS is a doubly linked list structure where different processes are connected to each other. The rootkit receives the PID of the target process that will be hidden as an argument and accesses the EPROCESS of that process. It then checks the processes linked to Flink and Blink. Next, it links the processes that are connected before and after itself. Afterward, it ensures that its own Flink and Blink are pointing to itself, effectively excluding it from the doubly linked list of EPROCESS.

Figure 17. Process hiding feature supported by the Hidden source code
2.1.4. Hiding Registries

Hidden provides a registry key and value hiding feature and utilizes the CmRegisterCallbackEx() function for these operations. This function registers registry callback routines, and when registry-related operations occur, the registered callback routines are called first, providing control in this manner. The CmRegisterCallbackEx() function, like mini-filter drivers, also requires an altitude value. In Hidden, an arbitrary value of 320000 is used.

Hidden monitors the following 10 registry operations within its callback functions. In each of these functions, it checks whether the registry keys and values targeted by each operation are protected by the stealth command and whether the caller is an exempt process. Depending on these conditions, it may return values such as STATUS_ACCESS_DENIED or STATUS_NOT_FOUND, causing errors to occur upon performing lookups or making modifications impossible.

Figure 18. List of registry operations targeted for monitoring

2.2. Hidden Rootkit of HiddenGh0st

HiddenGh0st creates the rootkit file contained in the DATA section under the path “%SystemDirectory%driversQAssist.sys”. Depending on whether it’s an x86 or x64 architecture, it installs the respective rootkit. Afterward, it registers the created rootkit as the QAssist service, and the driver is loaded using the NtLoadDriver() function.

Figure 19. Routine to set the altitude to 370030

The Hidden rootkit created by HiddenGh0st differs from the original source code in two key ways. The first difference is that the routine responsible for reading and configuring “Hid_StealthMode” is modified, so even if this value is not set, the rootkit activates the hiding feature by default when the driver is loaded. The second difference is that the “Hid_HideImages” setting, which is responsible for hiding processes, is deactivated. Additionally, this matches the Hidden binary uploaded to GitHub, but this is because the process hiding feature was added after the binary compiled by the developer was uploaded.

The data set by HiddenGh0st is IgnoredImages, and since it operates as a service, it designates the service process as an exempt process.

Figure 20. Registered QAssist rootkit service

The initial configuration includes only Hid_IgnoredImages, but the IOCTL command is later used to designate the stealth and exception target. First, the HiddenGh0st malware file and the HiddenGh0st service registered in the registry are added as targets to hide. Then, the HiddenGh0st process is added to the list of exception processes along with the “lsass.exe”, “lsm.exe”, and “audiodg.exe” system processes.

Figure 21. Command to add the LSASS process to the list of exception processes.

3. Conclusion

Typical attacks that target MS-SQL servers include brute force attacks and dictionary attacks to systems where account credentials are poorly being managed. Admins must also use passwords that cannot be easily guessed and change them periodically to protect the database servers from brute force and dictionary attacks.

V3 should be updated to the latest version so that malware infection can be prevented. Administrators should also use security programs such as firewalls for database servers accessible from outside to restrict access by external threat actors. If the above measures are not taken in advance, continuous infections by threat actors and malware can occur.

File Detection
– Malware/Win32.RL_Generic.R356012 (2020.11.22.01)
– Trojan/Win.Generic.C4446276 (2021.04.30.03)
– Malware/Gen.Generic.C3228648 (2019.05.09.04)

Behavior Detection
– Malware/MDP.Behavior.M29
– DefenseEvasion/MDP.Event.M1423

IOC
MD5

– 69cafef1e25734dea3ade462fead3cc9: HiddenGh0st
– 0d92b5f7a0f338472d59c5f2208475a3: Hidden x86 Rootkit (QAssist.sys)
– 4e34c068e764ad0ff0cb58bc4f143197: Hidden x64 Rootkit (QAssist.sys)

C&C
– leifenghackyuankong.e3.luyouxia[.]net:14688

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Comments

Your email address will not be published. Required fields are marked *

Ads Blocker Image Powered by Code Help Pro

AdBlocker Detected!!!

We have detected that you are using extensions to block ads. Please support us by disabling these ads blocker.