The "Finding Malware" blog series from Managed Defense is designed to empower the Google Security Operations community to detect emerging and persistent malware threats. This post dives into the PLAYFULGHOST malware family and the detection opportunities available within the Google Security Operations (SecOps) platform. You can read the other installments of the series here. Happy hunting!
PLAYFULGHOST is a backdoor that shares functionality with Gh0st RAT, a remote administration tool whose source code was made public in 2008. That public release led to the development of numerous other variants. PLAYFULGHOST distinguishes itself through its use of distinct traffic patterns and encryption. It supports commands such as keylogging, screen capture, audio capture, remote shell, and file transfer/execution.
The following are some of the known distribution methods for PLAYFULGHOST:
In one phishing case, the infection begins by tricking the victim into opening a malicious RAR archive disguised as an image file by using a .jpg extension. When extracted and executed by the victim, the archive drops a malicious Windows executable, which eventually downloads and executes PLAYFULGHOST from a remote server.
Figure 1: Example of lure text related to “code of conduct” used for phishing
SEO poisoning infections begin by tricking the victim into downloading a malicious Windows executable masquerading as an installer for legitimate software such as LetsVPN.
Upon execution, the trojanized installer drops an additional malicious Windows executable designed to download PLAYFULGHOST components from a remote server.
Figure 2: Malicious Windows executable masquerading as an installer for LetsVPN
Figure 3: Installer dropped a malicious executable which downloads PLAYFULGHOST
Figure 4: Process tree for malicious installer activity
As shown in Figure 4, the malicious process serves as a downloader to retrieve PLAYFULGHOST and its components from a remote server. PLAYFULGHOST’s execution may be thought of as a three-part system:
Upon execution, the legitimate executable loads a malicious launcher DLL. The launcher DLL then decrypts and loads PLAYFULGHOST into memory.
Figure 5: PLAYFULGHOST components
Table 1 details the core malware components and associated file names used in two PLAYFULGHOST malware execution scenarios observed by Mandiant.
Scenario | Legitimate Executable | Malicious DLL | PLAYFULGHOST payload |
Scenario 1 | svchost.exe (renamed binary from Tencent) | QiDianBrowserMgr.dll | 3.TXT |
Scenario 2 | TIM.exe (renamed curl.exe) | libcurl.dll | Debug.log |
Table 1: Core PLAYFULGHOST components leveraged in three different execution scenarios
Mandiant observed a straightforward operation where the threat actor renames a copy of a legitimate signed executable from Tencent to "svchost.exe" and uses it to load a malicious launcher DLL called "QiDianBrowserMgr.dll". This launcher DLL then decrypts and loads PLAYFULGHOST into memory from a file named "3.TXT."
Figure 6: Renamed Tencent binary loads malicious DLL to launch PLAYFULGHOST
Mandiant observed a second, more sophisticated execution scenario which begins with a Windows LNK file named “QQLaunch.lnk”. This LNK file combines a text file named “h”, which contains the characters "MZ", with a second file “t”, which contains the rest of the PE payload, to construct a new malicious DLL named “libcurl.dll”.
Then, the LNK file launches “QQLaunch.exe”, a legitimate binary from Tencent QQ, which launches another legitimate binary, “TIM.exe”, a renamed copy of curl. TIM.exe then loads the malicious launcher DLL “libcurl.dll”, which decrypts and loads the PLAYFULGHOST payload from an encrypted file named “Debug.log”.
Figure 7: LNK combines the files “h” & “t” to construct malicious DLL and launches EXE
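As an added example (not code from the original post or from Mandiant), the following Python performs two defender-side triage checks suggested by the execution scenarios above: it tests whether fragments like the "h" and "t" files only form a valid PE image once joined, and it measures the byte entropy of files with innocuous names like 3.TXT or Debug.log to flag likely encrypted payload containers. The sample bytes, file names, size floor, and the 7.5-bit entropy threshold are constructed assumptions for the example, not values from the report.

```python
import math
import struct
from collections import Counter

# Constructed sample data: a minimal fake PE header split the way the "h"
# (just "MZ") and "t" (remainder) files are described above. This is not a
# real DLL; it holds only enough header bytes to satisfy the structural checks.
def build_fake_pe_parts():
    e_lfanew = 0x40
    rest = (b"\x00" * (0x3c - 2)            # offsets 0x02..0x3b of the image
            + struct.pack("<I", e_lfanew)   # e_lfanew field at offset 0x3c
            + b"PE\x00\x00"                 # PE signature at offset 0x40
            + b"\x00" * 20)                 # dummy COFF file header
    return b"MZ", rest

def is_pe_image(data: bytes) -> bool:
    """Structural PE check: MZ magic, e_lfanew within bounds, 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3c)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def fragments_form_pe(*parts: bytes) -> bool:
    """True when no fragment is a PE on its own but their in-order
    concatenation is: the split-payload pattern used to stage libcurl.dll."""
    if any(is_pe_image(p) for p in parts):
        return False
    return is_pe_image(b"".join(parts))

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_encrypted_payload(name: str, data: bytes,
                                 min_size: int = 1024, threshold: float = 7.5) -> bool:
    """Flag .txt/.log files whose content is near-random: plain text or real
    logs sit well below the threshold, encrypted blobs sit close to 8 bits."""
    if not name.lower().endswith((".txt", ".log")) or len(data) < min_size:
        return False
    return shannon_entropy(data) >= threshold

if __name__ == "__main__":
    h, t = build_fake_pe_parts()
    print("h+t forms a PE:", fragments_form_pe(h, t))
    blob = bytes(range(256)) * 8                              # constructed high-entropy content
    log = b"2024-01-01 info: service started\n" * 200         # constructed plain log text
    print("3.TXT flagged:", looks_like_encrypted_payload("3.TXT", blob))
    print("Debug.log flagged:", looks_like_encrypted_payload("Debug.log", log))
```

The entropy check is a triage heuristic, not a signature: compressed archives and images also score high, so it is most useful when combined with the location and naming context from Table 1 (a high-entropy .TXT or .log sitting beside a renamed signed binary and a DLL).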
Mandiant observed the following additional malware and utilities accompanying PLAYFULGHOST.
Malware / Utility | Description | Use Case |
BOOSTWAVE | BOOSTWAVE is a shellcode that acts as in-memory dropper for an appended Portable Executable (PE) payload. | On one occasion, Mandiant observed a PLAYFULGHOST payload being embedded within BOOSTWAVE. |
TERMINATOR | TERMINATOR is an open-source tool written in C++ that reproduces the Spyboy technique to terminate all EDR/XDR/AV processes by abusing the zam64.sys driver. | Mandiant observed the utility being deployed under the name 1.sys along with the download of PLAYFULGHOST components. |
QAssist.sys | QAssist.sys is a rootkit embedded within PLAYFULGHOST capable of hiding registry, files, and processes specified by the threat actor. | While not observed being used, Mandiant assesses that the rootkit is intended to hide malicious activities on the system. |
CHROMEUSERINFO.dll | CHROMEUSERINFO.dll is a DLL used by PLAYFULGHOST to retrieve Google Chrome user data including stored login credentials. | Mandiant observed an archive file containing CHROMEUSERINFO.dll along with other PLAYFULGHOST components. |
Table 2: Malware and utilities accompanying PLAYFULGHOST
PLAYFULGHOST maintains persistence using one or more of the following methods:
PLAYFULGHOST enables an attacker to remotely control the infected system. The range of capabilities at the attacker's disposal includes keylogging, screenshot capture, audio capture, remote shell, and file transfer/execution, as described in Table 3.
Supported Functions
- Data mining
- File management
- Data deletion
- Remote execution
- Privilege escalation
- Download / drop additional payload
- Anti-forensic
- Nuisance activity
Table 3: Functions supported by PLAYFULGHOST
Mandiant Hunt surfaces otherwise undetected malicious activity by employing a detection strategy that uses both strong signals (high enough fidelity to be reviewed 1:1) and weak signals (low fidelity on their own but provide broad coverage of threat actor tactics) to enumerate attacker activity in customer environments. These signals are used to sequentially funnel petabytes of telemetry data to a practicable number of enriched and highly curated cases for analyst review. Mandiant uses security frameworks like MITRE ATT&CK® to help label data, find interesting sequences of activity, and share actionable results with customers.
Google SecOps customers can use the following information to hunt for PLAYFULGHOST as well as other malicious activity using similar tactics:
Use the UDM query below in Google Security Operations to identify Run registry key creation or modification performed by binaries located in the Public folder. The detection logic can be modified to include other suspicious locations typically leveraged by threat actors where untrusted binaries could reside, such as AppData\Roaming, AppData\Local, or AppData\LocalLow. The detection logic can also be applied to the registry value data to narrow results, as shown below.
(
  metadata.event_type = "REGISTRY_CREATION" OR
  metadata.event_type = "REGISTRY_MODIFICATION"
) AND
(
  principal.process.file.full_path = /\\Users\\Public/ nocase AND
  target.registry.registry_key = /CurrentVersion\\Run/ nocase AND
  target.registry.registry_value_data = /\\Users\\Public/ nocase
)
Use the UDM query below in Google Security Operations to identify scheduled task creation or modification by binaries located in the Public folder. As described for registry Run keys, the detection logic below can be modified to hunt for uncommon scheduled task creation by binaries in other locations.
(
  metadata.event_type = "SCHEDULED_TASK_CREATION" OR
  metadata.event_type = "SCHEDULED_TASK_MODIFICATION"
) AND
(
  principal.process.file.full_path = /\\Users\\Public/ nocase
)
Use the UDM query below in Google Security Operations to identify Windows Installer (msiexec.exe) launches that reference AppData\Roaming in their command line, and use the Pivot functionality of Google Security Operations to stack benign events.
metadata.event_type = "PROCESS_LAUNCH" AND
principal.process.file.full_path = /msiexec\.exe/ nocase AND
principal.process.command_line = /AppData\\Roaming/ nocase
Windows Installer execution in PLAYFULGHOST compromises has also involved setting Windows Installer properties like AI_SETUPEXEPATH and SETUPEXEDIR with suspicious paths, in one case pointing to a binary in the Downloads directory. As this was performed in the Windows Installer command line arguments, use a similar UDM query in Google Security Operations to identify this activity in your environment.
metadata.event_type = "PROCESS_LAUNCH" AND
principal.process.file.full_path = /msiexec\.exe/ nocase AND
principal.process.command_line = /Downloads/ nocase
Use the UDM query below in Google Security Operations to identify HTTP requests performed by binaries in the Public directory. The inclusion of the HTTP methods in the detection logic is likely unnecessary, but demonstrates how the UDM query can be tailored to include or exclude specific events in your environment.
metadata.event_type = "NETWORK_HTTP" AND
principal.process.file.full_path = /\\Users\\Public/ nocase AND
(
  metadata.product_event_type = "GET" OR
  metadata.product_event_type = "POST" OR
  network.http.method = "GET" OR
  network.http.method = "POST"
)
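As an added example (not code from the original post or from Google SecOps), the following Python re-implements the five UDM hunt queries above as predicates over a handful of constructed UDM-style events, so the matching semantics (`/regex/ nocase` as a case-insensitive substring match on one field, OR-ed event types, the optional HTTP method clause) can be exercised offline. It also includes a small stacking helper that mimics the Pivot step of counting hits per process path. The event records, field values, and query names are constructed assumptions; the field names follow those used in the queries above.

```python
import re
from collections import Counter

# Constructed UDM-style events with flattened field names. These are sample
# records written for this example, not real telemetry.
EVENTS = [
    {"metadata.event_type": "REGISTRY_MODIFICATION",
     "principal.process.file.full_path": r"C:\Users\Public\svchost.exe",
     "target.registry.registry_key": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run",
     "target.registry.registry_value_data": r"C:\Users\Public\svchost.exe"},
    {"metadata.event_type": "REGISTRY_MODIFICATION",        # benign: vendor updater in Program Files
     "principal.process.file.full_path": r"C:\Program Files\Vendor\updater.exe",
     "target.registry.registry_key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "target.registry.registry_value_data": r"C:\Program Files\Vendor\updater.exe"},
    {"metadata.event_type": "SCHEDULED_TASK_CREATION",
     "principal.process.file.full_path": r"C:\Users\Public\Documents\MM\TIM.exe"},
    {"metadata.event_type": "PROCESS_LAUNCH",
     "principal.process.file.full_path": r"C:\Windows\System32\msiexec.exe",
     "principal.process.command_line": r'msiexec.exe /i "C:\Users\bob\AppData\Roaming\tmp\setup.msi"'},
    {"metadata.event_type": "PROCESS_LAUNCH",
     "principal.process.file.full_path": r"C:\Windows\System32\msiexec.exe",
     "principal.process.command_line": r'msiexec.exe /i setup.msi SETUPEXEDIR="C:\Users\bob\Downloads"'},
    {"metadata.event_type": "NETWORK_HTTP",
     "principal.process.file.full_path": r"C:\Users\Public\svchost.exe",
     "network.http.method": "GET"},
]

def _m(ev, field, pattern):
    """Mirror UDM '/regex/ nocase': case-insensitive, unanchored match on one field.
    A missing field never matches, as it would not in the platform."""
    value = ev.get(field)
    return value is not None and re.search(pattern, value, re.IGNORECASE) is not None

def public_runkey(ev):
    return (ev.get("metadata.event_type") in ("REGISTRY_CREATION", "REGISTRY_MODIFICATION")
            and _m(ev, "principal.process.file.full_path", r"\\Users\\Public")
            and _m(ev, "target.registry.registry_key", r"CurrentVersion\\Run")
            and _m(ev, "target.registry.registry_value_data", r"\\Users\\Public"))

def public_schtask(ev):
    return (ev.get("metadata.event_type") in ("SCHEDULED_TASK_CREATION", "SCHEDULED_TASK_MODIFICATION")
            and _m(ev, "principal.process.file.full_path", r"\\Users\\Public"))

def msiexec_from(ev, location_pattern):
    """Windows Installer launch whose command line references the given location."""
    return (ev.get("metadata.event_type") == "PROCESS_LAUNCH"
            and _m(ev, "principal.process.file.full_path", r"msiexec\.exe")
            and _m(ev, "principal.process.command_line", location_pattern))

def public_http(ev):
    return (ev.get("metadata.event_type") == "NETWORK_HTTP"
            and _m(ev, "principal.process.file.full_path", r"\\Users\\Public")
            and (ev.get("metadata.product_event_type") in ("GET", "POST")
                 or ev.get("network.http.method") in ("GET", "POST")))

QUERIES = {
    "public_runkey": public_runkey,
    "public_schtask": public_schtask,
    "msiexec_appdata": lambda ev: msiexec_from(ev, r"AppData\\Roaming"),
    "msiexec_downloads": lambda ev: msiexec_from(ev, r"Downloads"),
    "public_http": public_http,
}

def run_hunt(events=EVENTS):
    """Return {query_name: number of matching events}."""
    return {name: sum(1 for ev in events if q(ev)) for name, q in QUERIES.items()}

def stack(events, query, field="principal.process.file.full_path"):
    """Pivot-style stacking: count distinct values of a field among the hits,
    so the most frequent (usually benign) values can be reviewed or excluded first."""
    return Counter(ev.get(field, "<missing>") for ev in events if query(ev))

if __name__ == "__main__":
    for name, hits in run_hunt().items():
        print(f"{name}: {hits} hit(s)")
    print(stack(EVENTS, public_runkey))
```

Because the UDM patterns are unanchored, `/Downloads/` will also match any command line that merely mentions a Downloads path (a legitimate user-run installer, for instance); stacking the hits by process path or command line before review is what keeps such a broad pattern workable.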
Users can create custom single or multi-event rules within Google Security Operations to detect PLAYFULGHOST activity.
rule PLAYFULGHOST_PLUGIN32DLL {
  meta:
    author = "Mandiant"
    description = "This rule matches on activity involving Plugin32.dll located at temporary directory."
    mitre_attack_tactic = "Process Injection"
    mitre_attack_technique = "Dynamic-link Library Injection"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1055/001/"
    mitre_attack_version = "v15.1"
    severity = "High"
    priority = "High"
    platform = "Windows"
    type = "hunt"
  events:
    (
      $e.metadata.event_type = "FILE_CREATION" or
      $e.metadata.event_type = "FILE_MODIFICATION" or
      $e.metadata.event_type = "PROCESS_MODULE_LOAD" or
      $e.metadata.event_type = "PROCESS_LAUNCH"
    ) and
    (
      re.regex($e.target.file.full_path, `\\temp\\Plugin32\.dll$`) nocase or
      re.regex($e.principal.file.full_path, `\\temp\\Plugin32\.dll$`) nocase or
      re.regex($e.target.process.file.full_path, `\\temp\\Plugin32\.dll$`) nocase or
      re.regex($e.principal.process.file.full_path, `\\temp\\Plugin32\.dll$`) nocase
    )
  condition:
    $e
}
rule PLAYFULGHOST_MIMIKATZ {
  meta:
    author = "Mandiant"
    description = "This rule matches on activity involving GetMP.exe which is a renamed copy of Mimikatz downloaded by PLAYFULGHOST."
    mitre_attack_tactic = "OS Credential Dumping"
    mitre_attack_technique = "LSASS Memory"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1003/001/"
    mitre_attack_version = "v15.1"
    severity = "High"
    priority = "High"
    platform = "Windows"
    type = "hunt"
  events:
    (
      $e.metadata.event_type = "FILE_CREATION" or
      $e.metadata.event_type = "FILE_MODIFICATION" or
      $e.metadata.event_type = "PROCESS_LAUNCH"
    ) and
    (
      re.regex($e.target.file.full_path, `\\GetMP\.exe$`) nocase or
      re.regex($e.principal.file.full_path, `\\GetMP\.exe$`) nocase or
      re.regex($e.target.process.file.full_path, `\\GetMP\.exe$`) nocase or
      re.regex($e.principal.process.file.full_path, `\\GetMP\.exe$`) nocase or
      re.regex($e.target.process.command_line, `GetMP\sprivilege::debug\ssekurlsa::logonpasswords\sexit`) nocase or
      re.regex($e.principal.process.command_line, `GetMP\sprivilege::debug\ssekurlsa::logonpasswords\sexit`) nocase
    )
  condition:
    $e
}
rule PLAYFULGHOST_FILES {
  meta:
    author = "Mandiant"
    description = "This rule matches on creation of files related to PLAYFULGHOST."
    mitre_attack_tactic = "Process Injection"
    mitre_attack_technique = "Portable Executable Injection"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1055/002/"
    mitre_attack_version = "v15.1"
    severity = "Medium"
    priority = "Medium"
    platform = "Windows"
    type = "hunt"
  events:
    (
      $e.metadata.event_type = "FILE_CREATION" or
      $e.metadata.event_type = "FILE_MODIFICATION"
    ) and
    (
      re.regex($e.target.file.full_path, `\\ProgramData\\[a-z0-9]{1,5}\.(ini|lnk|exe|dll|txt|dat|log|png|jpg|bat|sys)$`) nocase or
      re.regex($e.principal.file.full_path, `\\ProgramData\\[a-z0-9]{1,5}\.(ini|lnk|exe|dll|txt|dat|log|png|jpg|bat|sys)$`) nocase or
      re.regex($e.target.file.full_path, `\\Users\\Public\\Documents\\MM\\[^\\]+\.(ini|lnk|exe|dll|txt|dat|log|png|jpg|bat|sys)$`) nocase or
      re.regex($e.principal.file.full_path, `\\Users\\Public\\Documents\\MM\\[^\\]+\.(ini|lnk|exe|dll|txt|dat|log|png|jpg|bat|sys)$`) nocase or
      re.regex($e.target.file.full_path, `\\Users\\Public\\Documents\\QQCache\\[^\\]+\.(ini|lnk|exe|dll|txt|dat|log|png|jpg|bat|sys)$`) nocase or
      re.regex($e.principal.file.full_path, `\\Users\\Public\\Documents\\QQCache\\[^\\]+\.(ini|lnk|exe|dll|txt|dat|log|png|jpg|bat|sys)$`) nocase or
      re.regex($e.target.file.full_path, `\\Users\\Public\\Documents\\[^\\]+\.(bat|dll|exe|lnk|sys)$`) nocase or
      re.regex($e.principal.file.full_path, `\\Users\\Public\\Documents\\[^\\]+\.(bat|dll|exe|lnk|sys)$`) nocase
    )
  condition:
    $e
}
rule PLAYFULGHOST_DIRECTORY {
  meta:
    author = "Mandiant"
    description = "This rule matches on creation of directory associated with PLAYFULGHOST."
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "Command and Scripting Interpreter"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1059/"
    mitre_attack_version = "v15.1"
    severity = "High"
    priority = "High"
    platform = "Windows"
    type = "hunt"
  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH" or
      $e.metadata.event_type = "FILE_CREATION" or
      $e.metadata.event_type = "FILE_MODIFICATION"
    ) and
    (
      re.regex($e.target.process.command_line, `cmd\s\/c\smd\s\w:\\Users\\Public\\Documents\\MM`) nocase or
      re.regex($e.principal.process.command_line, `cmd\s\/c\smd\s\w:\\Users\\Public\\Documents\\MM`) nocase or
      (re.regex($e.target.process.file.full_path, `\\cmd\.exe$`) nocase and re.regex($e.target.process.command_line, `md\s\w:\\Users\\Public\\Documents\\MM`) nocase) or
      (re.regex($e.principal.process.file.full_path, `\\cmd\.exe$`) nocase and re.regex($e.target.process.command_line, `md\s\w:\\Users\\Public\\Documents\\MM`) nocase) or
      re.regex($e.target.file.full_path, `\\Users\\Public\\Documents\\MM\\`) nocase or
      re.regex($e.principal.file.full_path, `\\Users\\Public\\Documents\\MM\\`) nocase or
      re.regex($e.target.file.full_path, `\\Users\\Public\\Documents\\QQCache\\`) nocase or //Found from ed99eebd08ec952f131f38be93441209
      re.regex($e.principal.file.full_path, `\\Users\\Public\\Documents\\QQCache\\`) nocase
    )
  condition:
    $e
}
rule PLAYFULGHOST_LAUNCHER_DLL {
  meta:
    author = "Mandiant"
    description = "This rule matches on legitimate renamed binary loading a malicious launcher DLL for PLAYFULGHOST."
    mitre_attack_tactic = "Process Injection"
    mitre_attack_technique = "Dynamic-link Library Injection"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1055/001/"
    mitre_attack_version = "v15.1"
    severity = "High"
    priority = "High"
    platform = "Windows"
    type = "hunt"
  events:
    (
      $e.metadata.event_type = "PROCESS_MODULE_LOAD"
    ) and
    (
      (
        re.regex($e.principal.process.file.full_path, `\\svchost\.exe$`) nocase and
        re.regex($e.target.process.file.full_path, `\\QiDianBrowserMgr\.dll$`) nocase
      ) or
      (
        re.regex($e.principal.process.file.full_path, `\\TIM\.exe$`) nocase and
        re.regex($e.target.process.file.full_path, `\\libcurl\.dll$`) nocase
      ) or
      (
        re.regex($e.principal.process.file.full_path, `\\rundll32[^\\]*\.exe$`) nocase and
        re.regex($e.target.process.file.full_path, `\\360\.dll$`) nocase
      )
    )
  condition:
    $e
}
rule PLAYFULGHOST_RUNKEY {
  meta:
    author = "Mandiant"
    description = "This rule matches on legitimate renamed binary achieving persistence via Run registry key which ultimately launches PLAYFULGHOST."
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "Registry Run Keys / Startup Folder"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1547/001/"
    mitre_attack_version = "v15.1"
    severity = "High"
    priority = "High"
    platform = "Windows"
    type = "hunt"
  events:
    (
      $e.metadata.event_type = "REGISTRY_CREATION" or
      $e.metadata.event_type = "REGISTRY_MODIFICATION"
    ) and
    (
      (
        re.regex($e.target.registry.registry_key, `\\CurrentVersion\\Run`) nocase or
        re.regex($e.principal.registry.registry_key, `\\CurrentVersion\\Run`) nocase
      ) and
      (
        re.regex($e.target.registry.registry_value_data, `\\svchost\.exe$`) nocase or
        re.regex($e.principal.registry.registry_value_data, `\\svchost\.exe$`) nocase or
        re.regex($e.target.registry.registry_value_data, `\\TIM\.exe$`) nocase or
        re.regex($e.principal.registry.registry_value_data, `\\TIM\.exe$`) nocase or
        re.regex($e.target.registry.registry_value_data, `\\rundll3222\.exe$`) nocase or
        re.regex($e.principal.registry.registry_value_data, `\\rundll3222\.exe$`) nocase
      )
    )
  condition:
    $e
}
rule PLAYFULGHOST_DLL_DRIVER {
  meta:
    author = "Mandiant"
    description = "This rule matches on activity involving known bad DLL or driver used in conjunction with PLAYFULGHOST."
    mitre_attack_tactic = "Rootkit"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1014/"
    mitre_attack_version = "v15.1"
    severity = "High"
    priority = "High"
    platform = "Windows"
    type = "hunt"
  events:
    (
      $e.metadata.event_type = "PROCESS_MODULE_LOAD" or
      $e.metadata.event_type = "FILE_CREATION" or
      $e.metadata.event_type = "FILE_MODIFICATION"
    ) and
    (
      re.regex($e.target.file.full_path, `\\(1\.sys|QAssist\.sys|CHROMEUSERINFO\.dll)$`) nocase or
      re.regex($e.principal.file.full_path, `\\(1\.sys|QAssist\.sys|CHROMEUSERINFO\.dll)$`) nocase
    )
  condition:
    $e
}
We would like to extend our thanks to Tommy Dacanay for his valuable contributions to this blog post.
Have questions or feedback for the Managed Defense team? Comment on the blog or ask a question in the Managed Defense Forum.