Tuesday, January 7, 2025

Google Security Alert As Backdoor VPN Threat Confirmed


Google’s managed defense team, working to empower the Google security operations community, has published a technical deep-dive into a confirmed malware threat that acts as a backdoor, supporting keylogging, screen capture, audio capture, a remote shell, file transfer and file execution. The malware, known as playfulghost, has been observed being distributed through SEO poisoning that “bundles” it with popular VPN and other applications. Here’s what you need to know.


Google Warns Of Playfulghost Backdoor Danger

As part of a threat intelligence blog series called Finding Malware, Google security researchers have committed to empowering the Google security operations community by publishing the information required to detect both emerging and persistent malware threats. The same threat intel outlet, however, is a treasure trove of awareness opportunities for consumers looking to protect themselves from the latest threats. Knowledge is, after all, power. Of course, most consumers will find this stuff a little too technical to be of any actual use, which is where I come in as a techspeak-to-normal translator.


The new playfulghost threat is built on the back of Gh0st RAT, a long-in-the-tooth remote access trojan that has been in the security spotlight since 2008.

Playfulghost differentiates itself from the original, according to a member of the Google managed defense team identified only as Tatsuhiko, by way of “its use of distinct traffic patterns and encryption.” There are two primary distribution methods to watch out for:

Phishing attacks—where there is malware, there is phishing; I’m thinking of getting that security mantra tattooed on my forehead to help spread awareness. Seriously though, emails with themes, Tatsuhiko said, of “code of conduct” have been observed to be a starting point for the tricking of recipients into downloading the malware.

SEO poisoning—search engine optimization poisoning is the use of various nefarious techniques to ensure that malicious links are placed high in the results for specific search queries. In the case of playfulghost, Tatsuhiko said, it is being used to bundle the malware with popular applications, including VPNs, and appearing at the top of search results, “making it seem like a legitimate download.”


Please do read the full Google report on playfulghost, but in the meantime, also make sure you are taking the basic mitigations required to protect yourself from the dangers of such malware. This means being aware of the tactics used by attackers to trick you into installing such backdoor code in the first place. In this case, that means phishing awareness and protections, including the danger of malvertising and seemingly legitimate app downloads from non-official sources. I’d recommend you take a look at this advice article for further information.
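The practical defence against a poisoned search result that bundles malware with a VPN installer is to check two things before running anything: that the download actually came from the vendor’s own domain, and that the file’s SHA-256 digest matches the one the vendor publishes. The script below is an added example written for this article, not code from Google’s report or from any VPN vendor; the domain names, the installer bytes and the “published” hash are all constructed placeholders. It also shows the classic host-matching mistake: a lookalike such as example-vpn.com.evil.net contains the vendor’s name but is attacker-controlled, so the host must match exactly or as a true subdomain, never by substring.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Hypothetical vendor data, constructed for this example: the official download
# hosts a VPN vendor might list. Real values come from the vendor's own site.
TRUSTED_HOSTS = {"downloads.example-vpn.com", "example-vpn.com"}


def host_is_trusted(url, trusted_hosts=TRUSTED_HOSTS):
    """True only if the URL is https and its hostname is a trusted host
    or a subdomain of one. Substring matching is deliberately avoided:
    'example-vpn.com.evil.net' must be rejected."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        return False
    host = parsed.hostname.lower().rstrip(".")
    for trusted in trusted_hosts:
        t = trusted.lower()
        if host == t or host.endswith("." + t):
            return True
    return False


def sha256_hex(data):
    """Hex SHA-256 of the downloaded bytes."""
    return hashlib.sha256(data).hexdigest()


def installer_matches(data, published_sha256_hex):
    """Compare the file's digest with the publisher's digest in constant time."""
    actual = sha256_hex(data)
    return hmac.compare_digest(actual, published_sha256_hex.lower().strip())


def vet_download(url, data, published_sha256_hex):
    """Run both checks; any failure means do not execute the installer.
    Returns (ok, reason)."""
    if not host_is_trusted(url):
        return (False, "download host is not the vendor's official domain")
    if not installer_matches(data, published_sha256_hex):
        return (False, "installer digest does not match the published hash")
    return (True, "ok")


# Constructed sample data standing in for a real installer and a bundled copy.
GENUINE_INSTALLER = b"MZ\x90\x00 genuine installer bytes (constructed sample)"
PUBLISHED_HASH = sha256_hex(GENUINE_INSTALLER)  # stands in for the vendor-published hash
TAMPERED_INSTALLER = GENUINE_INSTALLER + b"\x00 bundled payload (constructed sample)"

if __name__ == "__main__":
    cases = [
        ("https://downloads.example-vpn.com/setup.exe", GENUINE_INSTALLER),
        ("https://example-vpn.com.evil.net/setup.exe", GENUINE_INSTALLER),
        ("https://downloads.example-vpn.com/setup.exe", TAMPERED_INSTALLER),
    ]
    for url, blob in cases:
        ok, reason = vet_download(url, blob, PUBLISHED_HASH)
        print(f"{url}: {'RUN' if ok else 'REJECT'} ({reason})")
```

The host check only helps if you already know the vendor’s real domain from somewhere other than the search result itself, and the hash check only helps if the published digest is read from the vendor’s site rather than from the same page that served the download.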
