February 20, 2018: This blog has been amended since it was originally published on February 15, 2018. This version removes the association with the APT group responsible for the Night Dragon campaign that we had incorrectly made. We thank the research team at Palo Alto Networks for graciously bringing this to our attention.
ASERT has discovered new command-and-control infrastructure controlled by the actors behind the Musical Chairs campaign. These actors are known for the longevity of their C2 domains, which they continue to reuse long after the domains have been publicly identified, and for their use of the popular open-source RAT Gh0st. Unique in our experience, they have even embedded a fully functional version of the game Tetris in the malware, which launches only when a specific condition is met.
Multiple articles have been written about Gh0st over the years, including this one discussing the Musical Chairs campaign's use of the RAT. Using details from that report, ASERT identified a new sample and, more interestingly, a new domain that we have associated with the same actor. Artifacts provided by malware-traffic-analysis indicate that the sample was delivered as an email attachment, which is consistent with the documented tactics of this group.