
GhostAdmin

Posted: January 18, 2017

Threat Metric

Threat Level: 6/10
Infected PCs: 5
First Seen: January 18, 2017
Last Seen: May 13, 2020
OS(es) Affected: Windows


GhostAdmin is an updated version of CrimeScene, a family of backdoor Trojans that incorporate infected PCs into botnets so that con artists can collect information from them. Although GhostAdmin's 'robot network' still is new, the Trojan includes a diverse range of attack features for exfiltrating data or giving remote attackers control over a PC. Since this Trojan shows no symptoms to the PC user, you should use appropriate security software to identify and eliminate GhostAdmin without trying to find its files or system changes yourself.

A New Ghost Banking on Small Businesses

Tried-and-true families of threatening software are often resurrected by threat authors who reuse their code. Although the CrimeScene botnet has been out of cyber security headlines for some time, new threat actors are reapplying the backdoor Trojan's principles in their updated version, GhostAdmin. Verifiable victims of this Trojan number under a dozen and include such entities as lottery companies and an Internet cafe.

While many botnets leverage their capabilities towards fake advertising traffic or spam, GhostAdmin's payload emphasizes collecting data from the systems it compromises. The threat actor runs these attacks by issuing text commands in an IRC channel, while the Trojan uploads the collected information to an FTP server. Some of the features that malware analysts find worthy of emphasizing include:

  • GhostAdmin may function as a keylogger that records your keyboard input into a log file.
  • GhostAdmin may download and run additional files, potentially letting a threat actor install other threats.
  • GhostAdmin may delete files or folders arbitrarily.
  • GhostAdmin may take screenshots to gather visual data not susceptible to capture by other means.
  • GhostAdmin may record audio data for a specified number of seconds.
  • GhostAdmin may enable or disable the mouse or keyboard at will.

This list is only a select handful of the over two dozen commands that the backdoor Trojan supports.

A Haunting Your PC can Do Without

As spyware, GhostAdmin is a well-designed botnet that doesn't leave obvious clues of its installation and includes features for covering its tracks, such as self-termination or removing its log files. Malware experts also find current samples of GhostAdmin mislabeling their components to resemble Windows system files such as taskhost.exe. Under normal circumstances, PC users shouldn't expect to be able to detect GhostAdmin's attacks by eye.

For now, the GhostAdmin botnet is focusing on collecting information from business entities, with hundreds of gigabytes containing contact and identity data already verifiable as having been transferred into the con artists' hands. Methods of compromising such networks often exploit spam e-mails, although other methods, such as brute-forcing RDP passwords, aren't unknown. Update your anti-malware products before scanning suspicious files to detect or remove GhostAdmin, which is showing unusually high rates of evading current threat databases.

If the business sector is lucky, GhostAdmin may stay a small, focused family that doesn't expand its operations much further than they already are. However, since many backdoor Trojan botnets climb to millions of compromised PCs, the safe bet, unfortunately, lies in the other direction.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:



File name: file.exe
Size: 71.16 KB (71168 bytes)
MD5: 219ba2ee0bcdb23bf89079ac97730d57
Detection count: 90
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: May 13, 2020

File name: file.exe
Size: 77.82 KB (77824 bytes)
MD5: 62c47ae826413abcf87df611d699ad6e
Detection count: 46
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: February 18, 2017

File name: file.exe
Size: 118.78 KB (118784 bytes)
MD5: 80efaf603cbc72e855457fc727b281af
Detection count: 9
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: March 13, 2017

File name: file.exe
Size: 70.65 KB (70656 bytes)
MD5: 7a2a5b88b8331732e5bf0e0e1c6d54e8
Detection count: 3
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: January 18, 2017

File name: file.exe
Size: 71.16 KB (71168 bytes)
MD5: b7cd29cfc8c2a3c26493c80ea0a6ffb6
Detection count: 2
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: January 18, 2017
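The hashes and sizes in the list above are the indicators a defender can act on directly. The following Python script is an added example (it is not code from this page, from the vendor, or from any analysis of GhostAdmin) that walks a directory, pre-filters files by the sizes in the table, hashes the candidates with MD5 and reports any match against the five MD5 values listed. It also applies the observation above that samples borrow the name taskhost.exe: a file with that name outside the Windows system directory is reported as a heuristic finding. The expected location of taskhost.exe (Windows\System32) is an assumption of this example, and the demo's "malicious" file is constructed test data whose own hash is added to the indicator set so the hash path runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators taken from the file list on this page: MD5 hex digest -> size in bytes.
GHOSTADMIN_IOCS = {
    "219ba2ee0bcdb23bf89079ac97730d57": 71168,
    "62c47ae826413abcf87df611d699ad6e": 77824,
    "80efaf603cbc72e855457fc727b281af": 118784,
    "7a2a5b88b8331732e5bf0e0e1c6d54e8": 70656,
    "b7cd29cfc8c2a3c26493c80ea0a6ffb6": 71168,
}

# Name the page says GhostAdmin components imitate. The expected directory is an
# assumption of this example (where the genuine Windows binary normally lives).
MASQUERADED_NAMES = {"taskhost.exe"}
EXPECTED_SYSTEM_DIR = "windows/system32"


def md5_of_file(path, chunk_size=1 << 16):
    """Stream a file through MD5 so large files never have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def check_file(path, iocs=GHOSTADMIN_IOCS):
    """Return a list of findings for one file; an empty list means nothing matched."""
    path = Path(path)
    findings = []
    size = path.stat().st_size
    # Size is a cheap pre-filter: only files whose size appears in the table get hashed.
    if size in set(iocs.values()):
        digest = md5_of_file(path)
        if digest in iocs and iocs[digest] == size:
            findings.append(f"md5 matches GhostAdmin sample {digest}")
    # Heuristic: a taskhost.exe that is not under the system directory is suspect.
    if path.name.lower() in MASQUERADED_NAMES:
        parent = path.parent.as_posix().lower()
        if not parent.endswith(EXPECTED_SYSTEM_DIR):
            findings.append(f"system file name {path.name} outside {EXPECTED_SYSTEM_DIR}")
    return findings


def scan_tree(root, iocs=GHOSTADMIN_IOCS):
    """Walk a directory tree; return {path: findings} for files with at least one finding."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            findings = check_file(full, iocs)
            if findings:
                results[full] = findings
    return results


def demo():
    """Scan a constructed directory: one fake 'taskhost.exe' plus one benign file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "fake").mkdir()
        sample = root / "fake" / "taskhost.exe"
        # Constructed content, not malware; its hash is added to the IoC set below.
        sample.write_bytes(b"constructed sample, not real malware\n" * 100)
        (root / "notes.txt").write_text("benign file\n")
        iocs = dict(GHOSTADMIN_IOCS)
        iocs[md5_of_file(sample)] = sample.stat().st_size
        return scan_tree(root, iocs)


if __name__ == "__main__":
    for hit, reasons in demo().items():
        print(hit)
        for reason in reasons:
            print("  -", reason)
```

Two caveats that follow from the page itself: a hash match identifies only the five exact samples listed, so an updated build with low detection rates will not be caught by the hash path, and the name check is a heuristic that can flag legitimate copies of taskhost.exe in other locations, so treat it as a lead for a full anti-malware scan rather than as proof of infection.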