Dangerous GhostAdmin Malware Identified

Security experts from The Malware Hunter Team discovered a new malware dubbed GhostAdmin which is used to recruit the victims into a dangerous botnet and steal sensitive data.

The GhostAdmin Malware Is Very Powerful

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Dangerous viruses continue to be developed by hackers worldwide. The newest addition to their arsenal is the GhostAdmin malware which was discovered by the famous Malware Hunter team. It targets both individual users and companies and aims to both harvest sensitive information from the victims and recruit them to a worldwide botnet network. From there on the infected host can be used for various malicious purposes:

  • Direct DDOS Attacks – The botnet networks aggregate their combined network bandwidth and initiate distributed denial of service (DDOS) attacks which can take down servers and whole networks leading to sabotage.
  • Data Theft – According to the security researchers this is one of the main tasks of the virus. The malware is able to extract a lot of sensitive contents from the compromised machines.
  • Payload Delivery – The malware can be used to download additional threats to the infected computers.
  • Remote Control – GhostAdmin Malware allows the criminals to

The Malware Hunter Team noted that Ghost Admin seems to be an updated version of another botnet known as CrimeScene which was active 3-4 years ago. The current version of the malware is written in the C# programming language and its version index is 2.0.

The developer of the malware is known under the alias of Jarad. This is the name stated in the compiler’s name. The creator has tested the virus on a machine that he owned and the researchers managed to grab a screenshot of their desktop.

On the machine they found data from compromised victims which included an Internet cafe and a lottery company. Judging from the size of the archives it appears that the extracted data from the cafe alone is massive in size, totaling 368 Gigabytes. The harvested information from the lottery company contains data sets that include names, dates of births, emails, phone numbers, addresses, employer information and etc.

The virus is distributed as a binary executable file which is routed to the victims via spam email messages and malicious download sites. So far only a small number of anti-virus vendors have added its signature to their updated definition lists. According to the available research and the rich feature set we anticipate to see a lot of victims in the near future. This is especially true if the GhostAdmin Malware manages to recruit more hosts into its botnet.

Upon infection the GhostAdmin malware sets up a remote control Trojan module that accepts commands from a remote malicious IRC channel. In accordance with them the remote attackers can issue various commands. The full list includes the following options:

  • @commands – list all available client commands
  • @logfile – upload logfile
  • @read file <filePath> – read a text file
  • @download <url> <destination> – download a remote file from a url
  • @turn off monitor – put monitor in sleep mode
  • @turn on monitor – wakes the monitor from sleep mode
  • @visit <url> – browses a specified url
  • @download <url> <destination> – download a remote file from a url
  • @delete* <ext> <source_directory> – deletes all files in folder by extension
  • @delete file <filepath> – deletes a single file
  • @delete dir <source_directory> – delete a directory
  • @get files <ext> <source_dir> – uploads all files in the specified folder by extension
  • @get ip – gets the victim’s IP address
  • @upload file – uploads a single file
  • @screenshot – takes a screenshot of the infected host
  • @run <file_path> – opens a file or a directory
  • @version – returns the current client version
  • @platform – shows the Windows platform version
  • @checkfile <file_path> – checks if a file exists
  • @checkfolder <file_path> – checks if a folder exists
  • @taskkill <process-name> – kills running process
  • @drives – lists all drives
  • @tasklist – shows all running processes
  • @ipconfig – initiates the ipconfig commands which shows the network host’s IP address
  • @kill – kills the botnet process until reboot
  • @copy <source_file> <destination> – copies a given file
  • @mkdir <dir> – creates a new directory
  • @connect – initiates a new network connection to the remote server
  • @enable remote desktop – enables the remote desktop connection to the internal network
  • @os – retrieves the version of the Windows operating system
  • @shutdown windows – shuts down the computer
  • @restart windows – restarts the computer
  • @audio <sec> – records audio for the specified duration
  • @users – gets the list of currently logged in users
  • @enable input devices – enables the mouse and keyboard
  • @disable input devices – disables the mouse and keyboard
  • @message <text> – displays text to the computer user
  • @delete logs – deletes all logfiles
  • @delete browser data – Deletes all browser data
  • @sql connect SERVER=MyServer; USER\MyUser; PASS=myPass; DATABASE=myDB – SQL commands to enter into a specified database
  • @sql select – use normal SQL select syntax after ‘select’
  • @sql update – user normal SQL update syntax after ‘update’
  • @sql insert into – user normal SQL insert syntax after ‘insert into’
  • @sql update – use normal SQL select syntax after ‘update’
  • @update – downloads updated version of the client.
  • @idletime – shows the time since the last user interaction

We remind our readers that they can protect themselves from malware such as this one by using a trusted anti-spyware utility. Such professional security solutions safeguards from all types of computer threats and can remove existing infections using a one-click and easy to use interface.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Was this content helpful?

Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *