As the old saying goes, a knife is a tool that is neither inherently good nor bad; what matters is how it is used. In the hands of a cybercriminal, the GhostAdmin tool can be devastating. The Cylance Threat Guidance team recently released this blog outlining the technical details of this threat. Since its discovery in mid-January 2017, new variants have been showing up on an almost weekly basis, all with low conviction ratings from traditional antivirus (AV) products.

The GhostAdmin botnet malware was discovered by the MalwareHunterTeam and targets both individual users and companies. It aims to harvest sensitive information from victims and, without their knowledge, recruit their machines into a worldwide botnet. From there, the infected host can be used for various malicious purposes, including DDoS attacks, data theft, payload delivery, or remote control. In fact, GhostAdmin goes so far as to hide itself and its logs under the pretense of being logs for the AV product Symantec Protection, by storing them in a Symantec folder.

The Many Faces of GhostAdmin

This full-service malware is capable of many different nefarious activities, and cybercriminals are using it to compromise large enterprises, small businesses, and individuals alike. The malware works by infecting computers, gaining boot persistence, and establishing a communications channel with its command and control (C2) server, which is an IRC channel.

GhostAdmin's authors access this IRC channel and issue commands that will be picked up by all connected bots (infected computers). The malware's special features revolve around the ability to collect data from infected computers and silently send it to a remote server.

If GhostAdmin goes undetected on one or more enterprise systems for any length of time, the impact on the infected company could be significant, from stolen data to lateral movement to stolen credentials. Other components of this malware can also take complete captures of the user's screen or even use the system's microphone to record ongoing conversations. The MalwareHunterTeam indicates that even with its small presence, gigabytes of data have been stolen from both personal and corporate machines using GhostAdmin.

CylancePROTECT® Stops GhostAdmin Dead

CylancePROTECT predicts and prevents threats before they cause harm. If you use our endpoint protection product, CylancePROTECT, you are already protected from this attack. CylancePROTECT prevents the execution of the initial infection vector executable and any subsequent executables that re-download to perform the other activities.  

If you don't have CylancePROTECT, contact us to learn how our AI-based solution can proactively protect against unknown and emerging threats.