PLAYFULGHOST Delivered via Phishing and SEO Poisoning in Trojanized VPN Apps

January 4, 2025

SecurityCybersecurityMalwareGoogleVPNBackdoorPhishing

Cybersecurity researchers have flagged a new malware called PLAYFULGHOST that comes with a wide range of information-gathering features like keylogging, screen capture, audio capture, remote shell, and file transfer/execution.

The backdoor, according to Google's Managed Defense team, shares functional overlaps with a known remote administration tool referred to as Gh0st RAT, which had its source code publicly leaked in 2008.

PLAYFULGHOST's initial access pathways include the use of phishing emails bearing code of conduct-related lures or search engine optimization (SEO) poisoning techniques to distribute trojanized versions of legitimate VPN apps like LetsVPN.

"In one phishing case, the infection begins by tricking the victim into opening a malicious RAR archive disguised as an image file by using a .jpg extension," the company said. "When extracted and executed by the victim, the archive drops a malicious Windows executable, which eventually downloads and executes PLAYFULGHOST from a remote server."

Attack chains employing SEO poisoning, on the other hand, seek to deceive unsuspecting users into downloading a malware-laced installer for LetsVPN, which, when launched, drops an interim payload responsible for retrieving the backdoor components.

The infection is notable for leveraging methods such as DLL search order hijacking and side-loading to launch a malicious DLL that's then used to decrypt and load PLAYFULGHOST into memory.

Mandiant said it also observed a "more sophisticated execution scenario" wherein a Windows shortcut ("QQLaunch.lnk") file, combines the contents of two other files named "h" and "t" to construct the rogue DLL and sideload it using a renamed version of "curl.exe."

PLAYFULGHOST is capable of setting up persistence on the host using four different methods: Run registry key, scheduled task, Windows Startup folder, and Windows service. It boasts an extensive set of features that allow it to gather extensive data, including keystrokes, screenshots, audio, QQ account information, installed security products, clipboard content, and system metadata.

It also comes with capabilities to drop more payloads, block mouse and keyboard input, clear Windows event logs, wipe clipboard data, perform file operations, delete caches and profiles associated with web browsers like Sogou, QQ, 360 Safety, Firefox, and Google Chrome, and erase profiles and local storage for messaging applications such as Skype, Telegram, and QQ.

Some of the other tools deployed via PLAYFULGHOST are Mimikatz and a rootkit that's capable of hiding registry, files, and processes specified by the threat actor. Also dropped along with the download of PLAYFULGHOST components is an open-source utility called Terminator that can kill security processes by means of a Bring Your Own Vulnerable Driver (BYOVD) attack.

"On one occasion, Mandiant observed a PLAYFULGHOST payload being embedded within BOOSTWAVE," the tech giant said. "BOOSTWAVE is a shellcode that acts as in-memory dropper for an appended Portable Executable (PE) payload."

The targeting of applications like Sogou, QQ, and 360 Safety and the use of LetsVPN lures raise the possibility that these infections are targeting Chinese-speaking Windows users. In July 2024, Canadian cybersecurity vendor eSentire revealed a similar campaign that leveraged fake installers for Google Chrome to propagate Gh0st RAT using a dropper dubbed Gh0stGambit.