
GhostCat

Posted: October 2, 2019

GhostCat is a browser-based threat that exposes its victims to unsafe Web content. Such exposure can lead to drive-by-download attacks, phishing tactics and similar issues. Users should monitor their browser settings for risks, update any security and ad-monitoring software regularly, and have an anti-malware product remove GhostCat's payload from their device when it's appropriate.

Advertising That's Not So Friendly

GhostCat, or GhostCat-3PC, is a threat that first became active in the fall of 2019, with a significant surge in the month after its deployment. Its campaigns are highly targeted, with an apparent preference for mobile users over desktop or laptop PCs, and they attack specific publishers selected through various filtering metrics. Despite these points of note, GhostCat functions little differently from the average Trojan downloader: it serves as a means of delivering other threats onto the target system.

GhostCat uses malvertising to serve itself up to its intended audiences, which it double-checks with browser fingerprinting techniques. GhostCat does this both to limit its targets and to avoid analysis or sandbox environments. It also checks whether the system is a mobile device, which browser it's running and estimates the user's country. The victim must click on the final pop-up, but doing so opens the door to infecting the phone.

Malware experts also find it concerning that GhostCat includes significant features for detecting and tracking ad blockers, which could help the threat actor evolve its countermeasures against them. The latest GhostCat attacks also have impressive rates of getting past typical ad-blocking solutions. This second feat may be due to GhostCat avoiding static signatures through a URL-splitting strategy: the relevant Web address is divided into two or more parts, so no single string in the script matches a known bad URL. Encoding also plays a role in obscuring its payload.
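One defensive way to counter the URL-splitting described above is to constant-fold string concatenations in a suspect ad script and flag any URL that only exists after reassembly. The following Python is an added illustration of that idea, not GhostCat's code and not tooling from The Media Trust; the script it scans, the variable names and the host names are constructed for the example, and the folding is deliberately naive (it only handles `var x = ...;` statements joined with `+`).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of an ad script that assembles its landing URL from
# fragments, in the spirit of the URL splitting the article describes.
# Illustrative text only, not GhostCat's real code.
SAMPLE_SCRIPT = """
var scheme = "ht" + "tps://";
var host = "land" + "ing.example";
var target = scheme + host + "/go?u=" + uid;
var library = "https://cdn.example/ad.js";
var label = "Sponsored" + " content";
"""

# A double- or single-quoted string literal on one line.
LITERAL = re.compile(r'"([^"\n]*)"|\'([^\'\n]*)\'')
# A simple `var name = expression;` statement.
ASSIGN = re.compile(r'\bvar\s+(\w+)\s*=\s*([^;]+);')
# Scheme plus host; enough to recognise a reassembled address.
URL = re.compile(r'https?://[\w.-]+')


def fold_assignments(js: str) -> Dict[str, Tuple[str, int]]:
    """Constant-fold `var x = a + "b" + c;` statements in source order.

    Returns name -> (folded value, number of literal fragments that went
    into it). Names that cannot be resolved (runtime values such as a user
    id) are kept as <name> placeholders. Splitting on '+' is naive: a '+'
    inside a literal would break the fold, which is an accepted limitation.
    """
    env: Dict[str, Tuple[str, int]] = {}
    for name, expr in ASSIGN.findall(js):
        pieces: List[str] = []
        fragments = 0
        for token in (t.strip() for t in expr.split("+")):
            lit = LITERAL.fullmatch(token)
            if lit:
                pieces.append(lit.group(1) if lit.group(1) is not None else lit.group(2))
                fragments += 1
            elif token in env:
                value, count = env[token]
                pieces.append(value)
                fragments += count
            else:
                pieces.append(f"<{token}>")
        env[name] = ("".join(pieces), fragments)
    return env


def find_split_urls(js: str) -> List[Tuple[str, str, int]]:
    """Return (variable, reassembled URL, fragment count) for each URL that
    appears only after concatenation, i.e. that no single literal contained.
    A URL held in one literal (fragment count 1) is not reported here; a
    plain URL reputation check already covers that case."""
    hits = []
    for name, (value, fragments) in fold_assignments(js).items():
        match = URL.search(value)
        if match and fragments >= 2:
            hits.append((name, match.group(0), fragments))
    return hits


if __name__ == "__main__":
    for variable, url, count in find_split_urls(SAMPLE_SCRIPT):
        print(f"{variable}: {url} (assembled from {count} fragments)")
```

Run against the constructed sample, only `target` is reported, because its scheme and host were each split across two literals and the full address never appears in the source as one string; `library` carries a complete URL in a single literal and is left to ordinary reputation filtering. A real scanner would sit on the same principle but handle `let`/`const`, template literals, `concat()` and the encoding tricks the article mentions.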

Shooing Off Ghostly Felines

GhostCat's moniker indicates an autumn schedule, and action by The Media Trust is currently keeping it from compromising any further publishers. However, it's unlikely that threat actors displaying the degree of diligence shown in GhostCat's campaigns will stop operating after encountering a speed bump. JavaScript components related to GhostCat also imply a possible Chinese connection, which, in theory, could extend to state-sponsored attacks.

Users can update their ad protection solutions and anti-malware products to improve the accuracy of flagging threats like GhostCat. Malware researchers also heavily recommend disabling JavaScript, Java and Flash in all browsers by default, which preemptively blocks most drive-by downloads. Lastly, since the attack requires clicking the pop-up window, all users can learn the appropriate shortcuts and workarounds for closing unwanted windows without interacting with them – or their potentially unsafe content.

Due to the scale, sophistication and narrow targeting of its campaigns, GhostCat's payloads are likely to include high-level threats, such as backdoor Trojans, RATs and advanced spyware. Let your anti-malware solutions remove GhostCat's payload or, better still, block the download attempt. For now, GhostCat's claws are short, courtesy of The Media Trust's security operations team. The techniques this predator puts into play, however, will survive to see future usage – whether or not GhostCat does, too.
