Detect Gh0stCringe RAT
Table of contents:
Gh0stCringe Malware: Variant of Notorious Gh0st RAT
The Gh0stCringe, or CirenegRAT malware, based on the code of Gh0st RAT, is back, jeopardizing poorly protected Microsoft SQL and MySQL database servers. This remote access trojan (RAT) was first spotted in December 2018, and resurfaced in 2020 in China-linked cyber espionage attacks against governmental and corporate networks in the U.S. The novel malware is used against database servers with weak admin passwords.
Gh0stCringe Malware Detection
For an efficient Gh0stCringe RAT detection, use the Sigma rule below developed by the talented member of SOC Prime Threat Bounty Program Sittikorn Sangrattanapitak, to timely track any suspicious reconnaissance activity in your system:
Gh0stCringe RAT Spawning Suspicious Process on Vulnerable Database Servers
This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, SentinelOne, Graylog, Regex Grep, RSA NetWitness, Chronicle Security, Microsoft Defender ATP, Securonix, Apache Kafka ksqlDB, Carbon Black, Open Distro, and AWS OpenSearch.
The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Initial Access tactic with Exploit Public-Facing Application (T1190) as the primary technique.
To detect other possible system compromises, see the full list of rules available in the Threat Detection Marketplace repository of the SOC Prime platform. Adepts at cybersecurity are more than welcome to join the Threat Bounty program to share curated Sigma rules with the community and get recurrent rewards.
View Detections Join Threat Bounty
Gh0stCringe RAT’s Analysis
AhnLab’s ASEC researchers revealed RAT malware targeting MS-SQL, MySQL servers with easy-to-compromise account credentials, or unpatched vulnerabilities. The malware dubbed Gh0stCringe, also known as cineregRAT, is a variant of Gh0st RAT, with its source code publicly released.
Threat actors are reported to deploy the Gh0stCringe RAT that smoothly connects to the C2 server to accept custom commands or exfiltrate stolen data. In the most recent campaign, adversaries compromise database servers, using the mysqld.exe, mysqld-nt.exe, and sqlserver.exe processes to write the malicious ‘mcsql.exe’ executable to disk on breached systems.
Upon its deployment, Gh0stCringe is utilized to access required websites via the Internet Explorer web browser, download payloads like crypto miners from C2 servers, steal Windows system and security product data, and kill the system’s Master Boot Record (MBR).
Gh0stCringe RAT deployment delivers a keylogger that hijacks user inputs from the infected system.
To protect your organization from this or any upcoming cyber threat, register on the SOC Prime’s Detection as Code platform. Detect the latest threats within your security environment, improve log source and MITRE ATT&CK coverage, and defend against attacks easier, faster, and more efficiently.
