Cybersecurity researchers have detailed a series of evolving impersonation campaigns attributed to the threat actor group known as LuoYu. These operations were designed to deliver the Gh0st RAT malware to a specific foreign affairs entity located in Southeast Asia. The campaigns demonstrated a calculated approach, leveraging social engineering and technical methods to infiltrate the target’s network.
The threat actor conducted cyber espionage activities through highly targeted spear-phishing emails. Analysis revealed that the campaign was active from at least July 2020 through March 2021, showcasing a persistent effort to compromise the designated organization.
Tactics of Impersonation and Deception
The core of the LuoYu actor’s strategy involved detailed impersonation. The attackers posed as both a telecommunications company that provides services to the targeted foreign affairs entity and as the entity’s own internal IT support staff. This dual-impersonation tactic was intended to build trust and increase the likelihood of the victim engaging with the malicious content.
Initial versions of the attack utilized spear-phishing emails with malicious attachments. The campaign later evolved to use emails containing links that directed victims to a malicious domain, ms-update[.]net. This domain hosted a webpage masquerading as a legitimate Adobe Flash Player update, designed to trick users into downloading the malware loader.
Technical Breakdown of the Attack Chain
Upon visiting the fake update site, the victim was prompted to download an executable file named Acrobat-Update-Tools.exe. This file was a self-extracting (SFX) archive signed with a valid digital certificate issued to a Beijing-based software company, adding a layer of perceived legitimacy. Once executed, the SFX archive initiated a DLL side-loading attack.
The process involved dropping a legitimate, signed Adobe executable alongside a malicious DLL file named AcroBroker.dll into the same directory. The legitimate program would then load the malicious DLL, which in turn decrypted and executed the final payload. The payload was identified as the WinMgr variant of Gh0st RAT, a remote access trojan that grants attackers extensive control over the compromised system.
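Detection logic for the side-loading step described above, added here as an example rather than taken from the Unit 42 report: it flags a signed host executable that loads a co-located DLL which is unsigned or signed by a different publisher, while ignoring loads from OS directories. The host binary name, the extraction path, the benign DLL name and the signer strings are assumptions; the report itself names only AcroBroker.dll beside a legitimate, signed Adobe executable.

```python
from pathlib import PureWindowsPath

# Directories where co-located DLL loads are expected and not a side-loading signal
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample records shaped like EDR/Sysmon image-load events, not real telemetry.
# Host binary name, extraction path and signer strings are assumptions; the report names
# only AcroBroker.dll beside a signed Adobe executable dropped by the SFX archive.
EVENTS = [
    {"process": r"C:\Users\u\AppData\Local\Temp\RarSFX0\AdobeTool.exe",  # hypothetical host
     "process_signer": "Adobe Inc.",
     "image": r"C:\Users\u\AppData\Local\Temp\RarSFX0\AcroBroker.dll",
     "image_signer": None},                                              # unsigned, co-located
    {"process": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
     "process_signer": "Adobe Inc.",
     "image": r"C:\Program Files\Adobe\Acrobat\VendorHelper.dll",        # constructed name
     "image_signer": "Adobe Inc."},                                      # same publisher: benign
    {"process": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
     "process_signer": "Adobe Inc.",
     "image": r"C:\Windows\System32\kernel32.dll",
     "image_signer": "Microsoft Windows"},                               # OS DLL from system dir
]

def _parent_dir(path):
    return str(PureWindowsPath(path).parent).lower()

def sideload_reason(ev):
    """Return why an image load looks like DLL side-loading, or None if it looks benign."""
    if PureWindowsPath(ev["image"]).suffix.lower() != ".dll":
        return None
    proc_dir, image_dir = _parent_dir(ev["process"]), _parent_dir(ev["image"])
    if proc_dir != image_dir or image_dir in TRUSTED_DIRS:
        return None  # DLL not beside the host, or loaded from an OS directory
    if not ev["process_signer"]:
        return None  # the heuristic targets abuse of a signed, trusted host binary
    if not ev["image_signer"]:
        return "signed host (%s) loaded an unsigned co-located DLL" % ev["process_signer"]
    if ev["image_signer"] != ev["process_signer"]:
        return "signer mismatch: host %s, DLL %s" % (ev["process_signer"], ev["image_signer"])
    return None

def scan(events):
    """Return (process, dll, reason) for every event the heuristic flags."""
    return [(e["process"], e["image"], r) for e in events if (r := sideload_reason(e))]

if __name__ == "__main__":
    for proc, dll, reason in scan(EVENTS):
        print(f"ALERT {dll} <- {proc}: {reason}")
```

A real deployment would take the signer fields from the endpoint agent's signature verification rather than from a record, and would tune TRUSTED_DIRS per environment.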
Source: https://unit42.paloaltonetworks.com/impersonation-campaigns-deliver-gh0st-rat/