Behind this malware lies a well-established strategy for infecting its targets. According to Google’s Mandiant team, PLAYFULGHOST arrives on its victims’ computers via phishing emails or “SEO poisoning” techniques. These involve manipulating search engine results to trick users into downloading fake versions of legitimate software, such as the LetsVPN VPN app.
VPNs targeted
In the case of phishing emails, PLAYFULGHOST hides in malicious RAR archives. Presented as image files with a “.jpg” extension, these archives actually contain a malicious Windows executable. Once opened, it downloads and installs PLAYFULGHOST from a remote server.
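A mail-gateway triage check for the lure described above, written here as an added example (not Mandiant’s tooling and not PLAYFULGHOST code): it compares each attachment’s declared extension with its magic bytes, and flags executables found inside an archive. The archive member listing is assumed to come from whatever extractor the gateway already uses; the samples are constructed.

```python
import os

# Magic-byte prefixes for the file types involved in this lure chain.
SIGNATURES = {
    b"Rar!\x1a\x07": "rar",    # RAR archive (v4 and v5 share this prefix)
    b"\xff\xd8\xff": "jpeg",   # JPEG image
    b"MZ": "pe",               # Windows executable (DOS header)
}
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}


def sniff(head: bytes) -> str:
    """Return the content type implied by the leading bytes, or 'unknown'."""
    for sig, kind in SIGNATURES.items():
        if head.startswith(sig):
            return kind
    return "unknown"


def ext_of(name: str) -> str:
    return os.path.splitext(name)[1].lower().lstrip(".")


def triage_attachment(name: str, head: bytes, members=None) -> list:
    """Return findings for one attachment.

    members: optional [(member_name, member_head_bytes)] listing of archive
    contents, supplied by the caller's archive extractor (assumed, not shown)."""
    findings = []
    kind, ext = sniff(head), ext_of(name)
    if ext in IMAGE_EXTS and kind == "rar":
        findings.append(f"{name}: RAR archive carrying an image extension")
    elif ext in IMAGE_EXTS and kind == "pe":
        findings.append(f"{name}: Windows executable carrying an image extension")
    for mname, mhead in members or []:
        if sniff(mhead) == "pe":
            hint = " (double extension)" if mname.lower().count(".") > 1 else ""
            findings.append(f"{name} -> {mname}: executable inside archive{hint}")
    return findings


# Constructed samples (not real PLAYFULGHOST artefacts): a genuine JPEG, and a
# RAR renamed to .jpg whose only member is a PE with a double extension.
BENIGN = ("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16, None)
LURE = ("invoice.jpg", b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16,
        [("photo.jpg.exe", b"MZ\x90\x00" + b"\x00" * 16)])

if __name__ == "__main__":
    for sample in (BENIGN, LURE):
        for line in triage_attachment(*sample):
            print(line)
```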
With SEO poisoning, the scenario is different. Users come across links offering a fake LetsVPN installer. Running it triggers a multi-stage process: an intermediate file retrieves the components needed to deploy the malware.
To keep its execution discreet, PLAYFULGHOST relies on techniques such as “DLL search order hijacking” and sideloading. These methods let its malicious components run in memory without leaving visible traces.
Once installed, PLAYFULGHOST doesn’t do things by halves. It collects as much information as possible: keystrokes, screenshots, system metadata, clipboard contents, and even users’ QQ accounts. It is also capable of disabling the mouse and keyboard, cleaning Windows event logs, or even deleting the caches and profiles of browsers like Chrome or Firefox.
That’s not all. PLAYFULGHOST can also deploy additional tools, such as Mimikatz, used to steal passwords, or a rootkit that hides files and processes linked to the malware. Another formidable weapon is the open-source Terminator utility, capable of disabling security software using a technique known as “Bring Your Own Vulnerable Driver” (BYOVD).
Researchers believe that PLAYFULGHOST primarily targets Chinese-speaking Windows users. The malware indeed shows an interest in applications popular in this region, such as QQ, Sogou, and 360 Safety. Additionally, it relies on lures built around LetsVPN, an app also prevalent in these communities.
While PLAYFULGHOST resembles Gh0st RAT in certain respects, it far surpasses it in sophistication and versatility. For users, vigilance remains essential: not opening suspicious files and favoring software downloaded from reliable sources are essential measures to limit the risks.