I may be a little late to the game on this one, but that doesn't mean I don't have some inside information on the subject. For anyone who might not have been aware, throughout June 2019 "S1ege," "Neckros" and "D4rkstat1c" of Ghost Squad Hackers (GSH) have been very active in unveiling a series of highly advanced tools to the world. Interestingly enough, the well-known botnet builder "0x20k," also of Ghost Squad Hackers, released a statement this morning reading "let's say (GSH) isn't that active anymore, but soon will," perhaps indicating that a large-scale operation may be imminent or has already long been underway, especially considering the release of the following tools.
Entitled "Ghost Delivery" and released to the public for the first time on June 5th, the tool is a Python script that generates an obfuscated .vbs script to deliver a payload (a payload dropper), with persistence and Windows antivirus-disabling functions built in. In statements to Rogue Media Labs, S1ege explained:
"This tool creates an obfuscated .vbs script to download a payload hosted on a server to the %TEMP% directory, execute the payload and gain persistence by editing registry keys and creating a scheduled task to run the payload at login. Features: downloads the payload to the TEMP directory and executes it to bypass Windows SmartScreen; disables Defender, UAC/User Account Control and Defender notifications; injects/creates Command Prompt and Microsoft Edge shortcuts with the payload path (%TEMP%/payload.exe); adds a scheduled task called "WindowsDefender" for the payload to be run at login; and obfuscates the VBS delivery script. This tool also has a serveo function to deliver the obfuscated VBS script. Prerequisites: Python 2.7."
— M1r0x (@M1r0x__) June 13, 2019
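The behaviour S1ege describes gives a defender a concrete set of host indicators: a logon-triggered scheduled task named "WindowsDefender", a task action or shortcut target pointing at a binary under %TEMP%, and registry changes that switch off Defender and UAC. The following Python script is an added example written for this page; it is not Ghost Delivery's code or anything from Ghost Squad Hackers. It parses text exported by the built-in Windows tools (`schtasks /query /fo CSV /v` and `reg query`) so it can run offline against an export. The sample exports embedded below are constructed, and the specific registry values it watches (DisableAntiSpyware, DisableRealtimeMonitoring, EnableLUA) are an assumption: the tool description says Defender and UAC are disabled but does not name which values it edits.

```python
"""Hunt for the Ghost Delivery-style persistence and tamper indicators described above.

Added example, not code from the tool or its authors. Inputs are plain text as produced by
`schtasks /query /fo CSV /v` and `reg query`; all samples below are constructed.
"""
import csv
import io
import re

# From the tool description: a logon task named "WindowsDefender" whose action is a binary in
# %TEMP%. Legitimate Defender tasks live under \Microsoft\Windows\Windows Defender\, never as a
# bare \WindowsDefender task.
SUSPICIOUS_TASK_NAMES = {"windowsdefender"}
TEMP_PATH = re.compile(r"(%temp%|\\appdata\\local\\temp\\|\\windows\\temp\\)", re.IGNORECASE)

# ASSUMPTION: the description says the dropper "disables Defender, UAC" but does not list the
# registry values; these are the standard ones such droppers flip (key -> {value: tampered data}).
TAMPER_VALUES = {
    r"hkey_local_machine\software\policies\microsoft\windows defender": {
        "disableantispyware": "0x1",
        "disablerealtimemonitoring": "0x1",
    },
    r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system": {
        "enablelua": "0x0",
    },
}

# Constructed sample of `schtasks /query /fo CSV /v` output (column subset): one benign task and
# one matching the described dropper task.
SAMPLE_SCHTASKS_CSV = r'''"TaskName","Task To Run","Schedule Type","Run As User"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","Weekly","SYSTEM"
"\WindowsDefender","C:\Users\alice\AppData\Local\Temp\payload.exe","At logon time","alice"
'''

# Constructed sample of `reg query` output: key lines flush-left, value lines indented.
SAMPLE_REG_QUERY = r'''HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
    DisableAntiSpyware    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x0
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
'''

# Constructed: .lnk file name -> resolved TargetPath (as WScript.Shell.CreateShortcut would give).
SAMPLE_SHORTCUTS = {
    "Command Prompt.lnk": r"C:\Users\alice\AppData\Local\Temp\payload.exe",
    "Microsoft Edge.lnk": r"C:\Users\alice\AppData\Local\Temp\payload.exe",
    "Notepad.lnk": r"C:\Windows\system32\notepad.exe",
}


def find_suspicious_tasks(schtasks_csv: str) -> list[dict]:
    """Flag tasks by impersonating name, Temp-directory action, and logon trigger."""
    findings = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        leaf = row["TaskName"].strip("\\").lower().split("\\")[-1]
        action = row["Task To Run"]
        reasons = []
        if leaf in SUSPICIOUS_TASK_NAMES:
            reasons.append("task name impersonates Windows Defender")
        if TEMP_PATH.search(action):
            reasons.append("action runs a binary from a Temp directory")
        if reasons and "logon" in row["Schedule Type"].lower():
            reasons.append("triggers at logon (persistence)")
        if reasons:
            findings.append({"task": row["TaskName"], "action": action, "reasons": reasons})
    return findings


def find_tamper_values(reg_query_output: str) -> list[tuple[str, str, str]]:
    """Return (key, value name, data) for watched Defender/UAC values set to the tampered state."""
    hits = []
    current_key = None
    for line in reg_query_output.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):  # key path lines are flush-left in `reg query` output
            current_key = line.strip().lower()
            continue
        parts = line.split()
        if len(parts) < 3 or current_key not in TAMPER_VALUES:
            continue
        name, data = parts[0], parts[2]
        if TAMPER_VALUES[current_key].get(name.lower()) == data.lower():
            hits.append((current_key, name, data))
    return hits


def find_hijacked_shortcuts(shortcuts: dict[str, str]) -> list[str]:
    """Shortcuts whose target was rewritten to a binary under a Temp directory."""
    return [name for name, target in shortcuts.items() if TEMP_PATH.search(target)]


if __name__ == "__main__":
    for f in find_suspicious_tasks(SAMPLE_SCHTASKS_CSV):
        print("TASK", f["task"], "->", f["action"], "|", "; ".join(f["reasons"]))
    for key, name, data in find_tamper_values(SAMPLE_REG_QUERY):
        print("REG ", key, name, data)
    for lnk in find_hijacked_shortcuts(SAMPLE_SHORTCUTS):
        print("LNK ", lnk)
```

On a live host, feed the functions the output of `schtasks /query /fo CSV /v` and `reg query "<key>"` for the two keys above, and resolve shortcut targets from the Desktop and Start Menu folders before passing them in; a task whose only trigger reason is the Temp path still deserves a look, since installers occasionally run from there but almost never persist at logon from it.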
Unfortunately, D4rkstat1c is one of the members of Ghost Squad Hackers I have never worked with before, and I only learned of their recent releases via "M1r0x." But according to a press release posted online dated June 30th 2019, D4rkstat1c explains that their new tool "Red Ghost" is a "Linux post exploitation framework designed to assist red teams in persistence, reconnaissance, privilege escalation and leaving no trace." New privilege escalation techniques were added/updated as recently as last night, July 1st 2019.
Source Code: https://github.com/d4rk007/RedGhost/blob/master/redghost.sh
Red Ghost README: https://github.com/d4rk007/RedGhost/blob/master/README.md
On top of this, earlier in June D4rkstat1c also released the framework of another tool called "Blue Ghost," self-described as a "network tool designed to assist blue teams in banning attackers from Linux servers." The description goes on to explain that "This tool utilizes various Linux network tools and bash scripting to assist blue teams on defending Debian and Ubuntu based servers from malicious attackers."
Source Code: https://github.com/d4rk007/BlueGhost/blob/master/.blueghost
Blue Ghost README: https://github.com/d4rk007/BlueGhost/blob/master/README.md
— d4rkstat1c (@d4rkstat1c) June 30, 2019
— d4rkstat1c (@d4rkstat1c) June 20, 2019