Last known affiliation: Intel 471
Bio: As the malware research team lead within the Intel 471 Malware Intelligence team, Jorge dissects malware internals and communication protocols to automate malware tracking. This approach allows us to receive full malware configurations, plugins, additional payloads and other issued commands in real time, enabling real-time detection and tracking capabilities.
Jorge Rodriguez | Souhail Hammou
Abstract
The Gh0st Remote Access Trojan is a long-standing threat dating back to 2001 that is still active to this day. Following its release to the public in 2008 as version 3.6 Beta, it garnered the attention of Chinese-speaking threat actors in particular who began forking and upgrading the toolset to suit their needs. Various APT (Advanced Persistent Threat) groups targeting Asian countries incorporated modified versions of Gh0st RAT into their own arsenal: GhostNet as the earliest documented instance and GamblingPuppet as one of the most recent ones.
Our deep dive into the subject started when we traced back the origins of a malware family named PseudoManuscrypt directly to Gh0st RAT. Kaspersky first spotted it in July 2021 as being distributed through a network of websites that offer fake cracked software to unsuspecting victims. We also observed it being directly delivered through the PrivateLoader Pay-per-Install (PPI) service.