
PLAYFULGHOST: The Spread of A Not So Friendly Ghost

Disclosed by Google security researcher Tatsuhiko, PLAYFULGHOST is a new malware family that has been spreading among users of QQ, the Chinese messaging superapp. It is a backdoor that shares functionality with the open-source Gh0st RAT (remote access trojan) and gives attackers remote control of the infected device. Once it is executed, attackers can run commands to capture the user’s screen and audio, steal clipboard data, download and execute further files, and even disable existing security tooling.

This article will cover the initial access and persistence techniques used in this attack. We will also dive into the tactics adversaries are deploying to help PLAYFULGHOST evade XDR detection, and why it’s critical to “Shift Up” and stop these attacks before they even enter the endpoint.

Initial Access

While PLAYFULGHOST has been distributed in many ways, the two most common ways the malware has gained initial access involve disguised file types and SEO poisoning.

Archive Files Disguised as Images

In this first method, the user receives a phishing message containing a RAR archive that has been renamed with a .jpg extension. Because QQ is a complex app that doubles as a web browser and a messaging platform commonly used for commerce, it is not unusual for users to receive images from new brand accounts or from QQ itself. Once the user downloads and opens the archive, a malicious Windows executable inside it downloads and executes PLAYFULGHOST.
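The lure above works because the browser and the user trust the file extension rather than the file’s contents. The following check is an added example (not SquareX’s or Google’s code): it compares the claimed extension with the magic bytes of the download, and additionally flags archives whose contents are encrypted, which is what prevents a proxy from inspecting them. The sample files are constructed minimal headers, not real malware samples; the signatures and header offsets come from the JPEG, PNG, GIF, ZIP, RAR4 and RAR5 format specifications.

```python
"""Extension-vs-content check for browser downloads.

Added example (not SquareX's or Google's code). It catches the PLAYFULGHOST
lure pattern, a RAR archive delivered under a .jpg name, and also flags
archives whose contents are encrypted. SAMPLES are constructed byte strings.
"""
import struct
from typing import Dict, List, Optional

# Magic-byte signatures from the respective format specifications.
SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "rar": [b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"],  # RAR4, RAR5
    "zip": [b"PK\x03\x04"],
    "7z": [b"7z\xbc\xaf\x27\x1c"],
    "exe": [b"MZ"],                                         # PE: .exe/.dll/.scr
}
EXT_ALIASES = {"jpeg": "jpg", "jpe": "jpg", "dll": "exe", "scr": "exe"}
ARCHIVES = {"rar", "zip", "7z"}


def sniff_type(data: bytes) -> Optional[str]:
    """Return the canonical type implied by the leading bytes, or None."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None


def _rar5_vint(data: bytes, pos: int):
    """RAR5 variable-length integer: 7 payload bits per byte, high bit = more."""
    value, shift = 0, 0
    while pos < len(data):
        b = data[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
    raise ValueError("truncated vint")


def is_encrypted_archive(data: bytes) -> bool:
    """True when the archive needs a password before its contents are readable.

    Only the first ZIP local header is examined; a mixed archive with a plain
    first entry would pass, which is a known limit of a header-only check.
    """
    if data.startswith(b"PK\x03\x04") and len(data) >= 8:
        flags = struct.unpack_from("<H", data, 6)[0]   # general purpose bit flag
        return bool(flags & 0x0001)                    # bit 0: entry is encrypted
    if data.startswith(b"Rar!\x1a\x07\x01\x00"):
        pos = 8 + 4                                    # signature + header CRC32
        _size, pos = _rar5_vint(data, pos)
        header_type, _ = _rar5_vint(data, pos)
        return header_type == 4                        # 4 = archive encryption header
    if data.startswith(b"Rar!\x1a\x07\x00") and len(data) >= 12:
        flags = struct.unpack_from("<H", data, 10)[0]  # main header HEAD_FLAGS
        return bool(flags & 0x0080)                    # MHD_PASSWORD: encrypted headers
    return False


def inspect_download(filename: str, data: bytes) -> Dict:
    """Decide allow/review/block for one download from its name and bytes."""
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_ALIASES.get(claimed, claimed)
    actual = sniff_type(data)
    reasons: List[str] = []
    verdict = "allow"
    if actual is None:
        verdict, reasons = "review", ["unrecognised content"]
    elif actual != claimed:
        verdict = "block"
        reasons.append(f"extension .{claimed} but content is {actual}")
    if actual in ARCHIVES and is_encrypted_archive(data):
        verdict = "block" if verdict == "block" else "review"
        reasons.append("encrypted archive, not inspectable without the password")
    if actual == "exe" and verdict == "allow":
        verdict, reasons = "review", ["executable download"]
    return {"file": filename, "claimed": claimed, "actual": actual,
            "verdict": verdict, "reasons": reasons}


# Constructed minimal headers for demonstration; not complete, valid files.
SAMPLES = {
    "rar_as_jpg": b"Rar!\x1a\x07\x01\x00" + b"\0\0\0\0" + b"\x0d\x01",      # RAR5, main header
    "rar5_encrypted": b"Rar!\x1a\x07\x01\x00" + b"\0\0\0\0" + b"\x0d\x04",  # RAR5, type 4
    "jpeg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "zip_plain": b"PK\x03\x04\x14\x00\x00\x00\x08\x00",
    "zip_encrypted": b"PK\x03\x04\x14\x00\x01\x00\x08\x00",
    "installer_exe": b"MZ\x90\x00" + b"\0" * 60,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, inspect_download(name.replace("_", ".") + ".jpg", blob))
```

A browser-side scanner gets the bytes before the file is written to disk, which is where this check belongs; run on the endpoint after download it still works, but by then the user may already have opened the file.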

SEO Poisoning for VPN Searches

Because of the Great Firewall, VPN software is very widely used in China. Adversaries exploit this by pushing fake VPN installers that are really Windows executables, which in turn fetch PLAYFULGHOST from the attacker’s server. The payload is typically stored encrypted on that server, so proxy-based solutions cannot inspect it before it is downloaded. This distribution method is effective because several major VPN brands are trusted by tens of millions of Chinese users and are easy for attackers to impersonate.

Persistence

Once installed, PLAYFULGHOST can survive reboots and logons and stay on the victim’s system for a long time using several techniques, such as:

Run Registry Key and Startup Folder

PLAYFULGHOST uses the Run registry key and the Startup folder to achieve persistence by automatically executing its code each time a user logs on. In the Windows registry, entries under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run define programs that launch at logon. Malware can add its executable to one of these keys, ensuring it runs without user intervention and survives system reboots. Similarly, placing a shortcut or executable in the Startup folder runs it whenever the user logs on.

Scheduled Task

This tactic leverages the Windows Task Scheduler to automate the execution of malicious programs at specified times or events. By creating a new scheduled task or modifying an existing one, malware can configure itself to execute during specific triggers, such as system startup, user login, or at regular intervals. Since scheduled tasks are managed by the operating system, they blend into legitimate system activity, making detection more difficult.

Windows Service

By creating or modifying a Windows Service, PLAYFULGHOST can achieve persistence by running as a background process managed by the Service Control Manager (SCM). Services can be configured to start automatically during system boot, giving malware a reliable way to execute each time the system is restarted. Running as a service also allows malware to operate with higher privileges and remain hidden, as services typically do not display user interfaces and are commonly associated with legitimate system functions.
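The four locations above are also where a responder should look first. The triage below is an added example (not SquareX’s or Google’s code): it takes an inventory of autorun entries collected from a host (Run keys, Startup folder, scheduled tasks, services) and scores each one with the heuristics that separate PLAYFULGHOST-style entries from legitimate ones: a binary in a user-writable directory, a LOLBin launcher, an encoded PowerShell command, a double extension, a system binary name outside System32, a service binary outside Windows or Program Files, and a missing code signature. The entries, their names and the `signed` field are constructed for illustration and are not actual PLAYFULGHOST indicators.

```python
"""Heuristic triage of Windows autorun entries.

Added example, not code from SquareX or Google. SAMPLE_ENTRIES are
constructed; the collector that produced them (and its 'signed' field)
is assumed, e.g. an Autoruns or osquery export converted to dicts.
"""
import re
from typing import Dict, List

# Directories any user, or malware running as the user, can write to.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads)\\|\\users\\public\\|\\programdata\\|\\temp\\",
    re.IGNORECASE,
)
SYSTEM_DIRS = re.compile(r"^[a-z]:\\(windows|program files( \(x86\))?)\\", re.IGNORECASE)
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.IGNORECASE)
LAUNCHERS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
             "cscript.exe", "powershell.exe", "cmd.exe"}
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe",
                "winlogon.exe", "services.exe"}
DOUBLE_EXT = re.compile(r"\.(jpe?g|png|gif|pdf|docx?|txt)\.(exe|scr|com|dll)$", re.IGNORECASE)
ENCODED_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)
EXT = r"\.(?:exe|dll|scr|com|bat|cmd|vbs|js|ps1)"


def executable_path(command: str) -> str:
    """Extract the program path from a command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?" + EXT + r")(?=\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else (command.split()[0] if command else "")


def triage_entry(entry: Dict) -> Dict:
    """Score one autorun entry; reasons explain the score for the analyst."""
    cmd = entry["command"]
    path = executable_path(cmd)
    name = path.rsplit("\\", 1)[-1].lower()
    reasons: List[str] = []
    if USER_WRITABLE.search(cmd):
        reasons.append("runs from user-writable directory")
    if name in LAUNCHERS:
        reasons.append("LOLBin launcher")
    if ENCODED_PS.search(cmd):
        reasons.append("encoded PowerShell command")
    if DOUBLE_EXT.search(path):
        reasons.append("double extension masquerading as image/document")
    if name in SYSTEM_NAMES and not SYSTEM32.match(path):
        reasons.append("system binary name outside System32")
    if entry["source"] == "Service" and not SYSTEM_DIRS.match(path):
        reasons.append("service binary outside Windows/Program Files")
    if entry.get("signed") is False:
        reasons.append("unsigned binary")
    score = len(reasons)
    severity = {0: "none", 1: "low", 2: "medium"}.get(score, "high")
    return {"source": entry["source"], "name": entry["name"], "path": path,
            "score": score, "severity": severity, "reasons": reasons}


def triage(entries: List[Dict]) -> List[Dict]:
    """Triage all entries, most suspicious first."""
    return sorted((triage_entry(e) for e in entries), key=lambda r: -r["score"])


# Constructed sample inventory: two benign entries and three suspicious ones.
SAMPLE_ENTRIES = [
    {"source": "HKCU\\...\\Run", "name": "OneDrive", "signed": True,
     "command": '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'},
    {"source": "HKLM\\...\\Run", "name": "SecurityHealth", "signed": True,
     "command": "C:\\Windows\\system32\\SecurityHealthSystray.exe"},
    {"source": "Startup", "name": "update.lnk", "signed": False,
     "command": "C:\\Users\\alice\\AppData\\Roaming\\Updater\\photo.jpg.exe"},
    {"source": "ScheduledTask", "name": "\\Maintenance\\Svc", "signed": False,
     "command": "rundll32.exe C:\\ProgramData\\cache\\cache.dll,Start"},
    {"source": "Service", "name": "NetHelperSvc", "signed": False,
     "command": "C:\\Windows\\Temp\\svchost.exe -k netsvc"},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_ENTRIES):
        print(r["severity"], r["source"], r["name"], r["reasons"])
```

The score is a ranking, not a verdict: plenty of legitimate software (OneDrive in the sample) runs from AppData, which is why a single hit stays "low" and only stacked indicators reach "high".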

Additionally, PLAYFULGHOST is often delivered alongside a companion tool called TERMINATOR, which terminates EDR, XDR and AV processes. This lets the malware continue its activity without being detected by endpoint security solutions.

Impact

PLAYFULGHOST is a powerful malware family that can run a wide variety of functions remotely. A full list can be found in Tatsuhiko’s write-up; some of the key threats to organizations include:

1. Data exfiltration & manipulation

PLAYFULGHOST can track and steal all sensitive data employees interact with, using its keylogging, audio and screen capture, and clipboard and file monitoring capabilities. Beyond reading sensitive data, it can also modify, move or delete files, allowing attackers to spread misinformation or hold business-critical information for ransom.

2. Distribute Further Malware

Once executed, PLAYFULGHOST can remotely download and execute additional malicious payloads. Aside from the TERMINATOR companion tool mentioned above, another component commonly downloaded by PLAYFULGHOST is a rootkit driver called QAssist.sys, which hides the malware’s processes, files and registry entries. This makes it extremely challenging for security teams to scope the damage and the required remediation, even if PLAYFULGHOST is eventually detected on the system.

3. Disabling Security Measures

One of PLAYFULGHOST’s superpowers is that it can escalate to administrator privileges and then use them to disable various security measures, clear the Application and System event logs, and even wipe security logs that could be used to retroactively trace the malware’s actions.

4. Disrupt Business Activities

Manipulating and deleting files is a major way to disrupt a company’s day-to-day operations, but PLAYFULGHOST does not stop there. In some cases the malware has been used to block the user’s mouse and keyboard input, play beeping sounds, hide the taskbar and change the device’s screen resolution.

Defense

By now you probably have an idea of why PLAYFULGHOST is an especially dangerous piece of malware. To summarize, the malware:

  1. Leverages smart initial access techniques deeply embedded in millions of users’ day-to-day activities (e.g. VPN searches, image downloads).
  2. Is extremely persistent and has the ability to disable existing security solutions, including EDRs and AVs, leaving the victim’s device completely vulnerable.
  3. Can remotely run powerful functions to steal data, distribute & run further malware and disrupt business critical activities.

“Shift Up”: Defending Against PLAYFULGHOST when EDRs Fail

The critical point about this malware is that once it is downloaded and executed, endpoint defences can be disabled. The best time to stop PLAYFULGHOST is therefore before it is downloaded at all. The concept of “Shift Up” focuses on catching and stopping attacks upstream, at the source. This is particularly important for application layer attacks like PLAYFULGHOST that are largely distributed through the browser.

In order to stop application layer attacks at source, it is imperative to have a browser native solution that has full context on each application and how users are interacting with it. For example, as illustrated in the video, the two initial access methods used by PLAYFULGHOST can be stopped with the following policies:

Additional Benefits of a BDR

Client-side File Scanner

As illustrated in the video, SquareX’s Browser Detection and Response (BDR) solution can support both policies. This is enabled by SquareX’s client-side file scanner, a critical differentiator that inspects files directly in the user’s browser without sending any files to our servers. Given their size and complexity, the files associated with the PLAYFULGHOST attack are likely too large to be inspected by SASE solutions. In addition to the privacy benefit, a client-side file scanner also significantly widens the range of file types and sizes that can be inspected relative to traditional SASE solutions, as detailed in the technical comparison chart below.

Additionally, a key feature of the PLAYFULGHOST campaign is its use of encrypted files, which typically prevent any file inspection at the proxy level. SquareX’s BDR is able to inspect encrypted files, including those encrypted on the attacker’s server, by requiring the user to enter the relevant password whenever they trigger an encrypted file download.

Threat Hunting

Users perform hundreds of actions on QQ each day. An EDR alone cannot readily attribute detected malware to the exact account or message that prompted the user to download the malicious file, nor can it show who else within the organization was targeted by the same phishing campaign. Because SquareX sits at the application layer, the BDR can not only identify the exact interaction that led to the malware download, but also automatically correlate the attack across the organization.

As an added bonus, the Attack Vision feature reconstructs the exact user view leading up to the attack, giving security teams an in-depth understanding of how initial access was obtained so that similar attacks can be prevented in the future.

Introducing the BDR

SquareX’s Browser Detection and Response (BDR) solution goes beyond protecting against malicious files. SquareX’s industry-first BDR solution detects, mitigates and threat-hunts client-side web attacks targeting employees in real time. It comes in the form of a lightweight browser extension that can be deployed to existing browsers via a simple group policy.

We believe that there are three key components required when it comes to securing the browser:

  • Web Threat Detection & Mitigation including identity attacks, malicious sites & scripts, malicious browser extensions and malicious files
  • Browser DLP including genAI DLP, clipboard DLP, file DLP and insider attacks
  • Private App Access to provide secure access to web applications and private apps via the browser, including for BYOD/unmanaged devices

To learn more, visit us at sqrx.com or email us at [email protected].


PLAYFULGHOST: The Spread of A Not So Friendly Ghost was originally published in SquareX Labs on Medium.

*** This is a Security Bloggers Network syndicated blog from SquareX Labs - Medium authored by SquareX. Read the original post at: https://labs.sqrx.com/playfulghost-the-spread-of-a-not-so-friendly-ghost-0039d1565ef7?source=rss----f5a55541436d---4