Ghost Squad Hackers Begin Rolling Out Source Codes To New Tools Coded by Different Group Members

I may be a little late to the game on this posting, but this doesn’t mean I don’t have some inside information on the subject. But, for anyone whom might not have been aware, throughout the course of June 2019 “S1ege,” “Neckros” and “D4rkstat1c” of Ghost Squad Hackers (GSH) have become very active in unveiling a series of highly advanced tools to the world. Interestingly enough, world famous botnet builder “0x20k,” also of Ghost Squad Hackers, released a statement this morning reading “lets say (GSH) isn’t that active anymore, but soon will” – perhaps indicating that a large scale operation may be immanent or has already long since been underway, especially considering the release of the following tools.

S1ege

Entitled “Ghost Delivery” and released to the public for the first time on June 5th, the tool is a Python script used to generate obfuscated .vbs script that delivers payload (payload dropper) with persistence and windows antivirus disabling functions. Moreover, in statements to Rogue Media Labs, S1ege explained:

This tool creates a obfuscated .vbs script to download a payload hosted on a server to %TEMP% directory, execute payload and gain persistence by editing registry keys and creating a scheduled task to run payload at login. Features: Downloads payload to TEMP directory and executes payload to bypass windows smart screen. Disables Defender, UAC/user account control, Defender Notifications, injects/creates Command Prompt and Microsoft Edge shortcuts with payload path (%TEMP%/payload.exe), adds a scheduled task called “WindowsDefender” for payload to be run at login and obfuscates the vbs delivery script. This tool also has a serveo function to deliver obfuscated vbs script. Prerequisites Python 2.7

S1ege also goes on to specify that “Neckros and Necronomikon coded Javascript encoder.” Perhaps most importantly, S1ege also stated that the free version of this tool will not be available forever, so best get the source code while you still can. Consequentially enough, this might also explain why they would dump something like this out in the open, perhaps baiting buyers to pay for the more advanced version they’ve kept to themselves.

Source Code: https://github.com/s1egesystems/GhostDelivery/blob/master/GhostDelivery.py
File README: https://github.com/s1egesystems/GhostDelivery/blob/master/README.md

D4rkstat1c

Unfortunately, D4rkstat1c is one of the members of Ghost Squad Hackers I’ve never worked with before – but learned of their recent releases via “M1r0x.” But, according to a press release posted online dated June 30th 2019, D4rkstat1c explains how their new tool “Red Ghost” is a “Linux post exploitation framework designed to assist red teams in persistence, reconnaissance, privilege escalation and leaving no trace.” Moreover, new privilege escalation techniques were just added/updated last night – July 1st 2019.

Source Code: https://github.com/d4rk007/RedGhost/blob/master/redghost.sh
Red Ghost README: https://github.com/d4rk007/RedGhost/blob/master/README.md

On top of this, D4rkstat1c also released the framework of another tool earlier in June called “Blue Ghost,” a self described “network tool designed to assist blue teams in banning attackers from Linux servers.” Going on to explain how “This tool utilizes various Linux network tools and bash scripting to assist blue teams on defending Debian and Ubuntu based servers from malicious attackers.

Installation: https://github.com/d4rk007/BlueGhost/blob/master/install.sh
Source Code: https://github.com/d4rk007/BlueGhost/blob/master/.blueghost
Blue Ghost README: https://github.com/d4rk007/BlueGhost/blob/master/README.md



Categories: Hacking News

Tags: , , , , , , , , , , , , , , ,

Leave a Reply

Your email address will not be published.

Do NOT follow this link or you will be banned from the site!
%d bloggers like this: