New trends have emerged in the world of cybercrime. Criminals are no longer distributing one type of malware, but rather actively look for more potent combinations. One way to do so is to bundle multiple types of malware into one email attachment. Another option is doing what GhostCtrl does, and build a tool which serves as both a RAT and ransomware.
GhostCtrl Is a Nasty Piece of Work
Remote Access Trojans, or RATs, are nothing new. This particular type of malware has been around for nearly a decade and gives criminals backdoor access to infected devices. These attack computers and entire company networks to steal information, install additional malicious software, and perform other nefarious purposes. Moreover, this threat is slowly emerging on the Android mobile operating system as well.
A new Android RAT has been discovered named GhostCtrl. When dealing with remote access, Trojans are annoying enough, but GhostCtrl has another trick up its sleeve. Not only does it lock mobile devices by resetting PIN codes and stealing information, but it doubles as mobile ransomware. Victims see a ransom note on their device once it has been infected by the RAT.
Luckily, it appears GhostCtrl is not actively distributed as ransomware right now. The number of infections to date have all entailed this malware stealing data from infected devices, including text messages, contacts, etc. Researchers have obtained at least one working sample of the malware, and its source code hints at future ransomware capabilities. That is a rather worrisome prospect, as mobile ransomware has not represented a particularly large market to this point.
What makes the remote access Trojan component so troublesome is that it is based on another existing piece of malware. OmniRAT can attack devices running one of four major operating systems. This particular RAT can target Android, MacOS, Linux, and Windows devices alike, making it one of the most credible cyber threats to date. It appears GhostCtrl is based on OmniRAT and created by developers who access this tool through a well-known malware-as-a-service darknet portal.
Although GhostCtrl has not been used as a ransomware component just yet, its Android malware component packs a lot of powerful features. For instance, it can root infected devices, control vibrate functions, delete and rename files, send SMS and MMS messages, and intercept communications. All of this is done on top of its data collection capabilities which target call logs, SMS records, phone numbers, usernames, passwords, and camera data.
GhostCtrl is one of the first iterations of dual-approach malware contained in one package. Although this RAT targets Android systems first and foremost, the underlying code shows it can easily be ported to other operating systems as well. These combined malware packages will ultimately lead to more cyber threats, ransomware infections, and IoT-based DDoS attacks.