ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > List all tools > List all groups using tool Gh0stnet

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: Gh0stnet

NamesGh0stnet
Ghostnet
Remosh
CategoryMalware
TypeBackdoor, Info stealer, Exfiltration
Description(UCAM) Our next observation concerns the malware payloads used. These were packaged as either .doc or .pdf files that installed rootkits on the machines of monks who clicked on them. During our initial network monitoring exercise, we observed sensitive files being transferred out of the Office of His Holiness the Dalai Lama (OHHDL) using a modified HTTP protocol: the malware picked up files from local disks and sent them to three servers which, according to APNIC, were in China’s Sichuan province, using a custom protocol based on HTTP. The malware uses HTTP GET and HTTP POST messages to transfer files out and also appears to verify successful transmission. Sichuan, by the way, is the location of the Chinese intelligence unit specifically tasked with monitoring the OHHDL.
Information<https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf>
<https://securitynews.sonicwall.com/xmlpost/gh0stnet-now-spreads-as-a-fileless-malware-nov-022017/>
<https://www.nartv.org/2019/03/28/10-years-since-ghostnet/>
<http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html>
Malpedia<https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostnet>

Last change to this tool card: 13 May 2020

Download this tool card in JSON format

All groups using tool Gh0stnet

ChangedNameCountryObserved

APT groups

 GhostNet, Snooping DragonChina2009-2010X

1 group listed (1 APT, 0 other, 0 unknown)

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]