In recent days, security researchers from iVerify have detected a new fileless malware-spreading framework, GhostHook, being shared across cybercrime forums and networks. The framework is designed to distribute malware and other malicious payloads through several methods, such as malicious push popups. It is compatible with multiple operating systems and browsers, which makes it attractive to cybercriminals.
GhostHook works by having the operator send a URL to the target. Once the target visits the web page, a script hooks the browser and keeps a connection open to the framework. The hooked browser then communicates with the control panel and becomes a "slave browser." The attacker can then push notifications that mimic system notifications to entice the target into downloading and installing malware or other malicious software.
Key Features
OS Compatibility:
- Windows
- Android
- Linux
- macOS
Browser Compatibility:
- Google Chrome
- Mozilla Firefox
- Opera Browser
- Microsoft Edge
Spreadable By:
- Posting a URL on social media
- Posting a URL on a forum
- Sending a URL in an email
- Sending an SMS with a URL in the message
- Sending WhatsApp/Telegram/XMPP messages with a URL
- Online QR codes
- Physical QR stickers
Additional Features:
- Visit any website
- Download any file (direct link)
- Add to your current website
- Upload your own HTML for campaigns
- Upload your own HTML for the landing page
- Push notifications
- And much more
Technical Analysis
Social Engineering and Phishing
GhostHook lets its operators spread malware through social engineering. By posting seemingly benign URLs on social media and forums, or sending them via email, SMS, and messaging apps, they trick users into clicking the links.
These links can lead to credential phishing sites or exploit kits, or can initiate drive-by downloads. The framework's ability to integrate with existing websites and to serve custom HTML landing pages makes convincing phishing campaigns easier to build.
Push Notifications
GhostHook also uses push notifications to distribute malicious content. By prompting users to enable notifications on compromised or fake websites, attackers gain the ability to send persistent alerts that urge users to click malicious links disguised as system updates, security alerts, or account notifications. Because web push notifications are displayed through the operating system's own notification center, they are easy to mistake for genuine system alerts, and the permission persists until the user or an administrator revokes it for that site.
A Real-World Scenario
In a real-world scenario, GhostHook could be used to run a malicious popup advertising network as follows:
1. URL Distribution:
- The attacker sends the client (the targeted user) a URL.
- The client visits the web page, which contains a script that hooks the browser.
2. Browser Hooking:
- The browser communicates with the control panel, becoming a slave browser.
- The attacker then controls the slave browser.
3. Push Notifications:
- The attacker sends notifications that appear as system notifications.
- These notifications prompt the client to interact with them.
4. Payload Delivery:
- The client is urged to download the malware (payload) the attacker wishes to install.
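A hooked browser that "maintains a connection" to a control panel has to poll that panel on a timer, and that regularity is visible in web proxy logs. The following detector is an added example written for this write-up, not code from GhostHook or from iVerify; the log format, hostnames and timestamps are constructed for illustration.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample proxy log (not from the original page): epoch-seconds, client IP, host, path.
SAMPLE_LOG = """\
1700000003 10.0.0.5 panel.example-bad.test /hook/poll
1700000006 10.0.0.5 panel.example-bad.test /hook/poll
1700000009 10.0.0.5 panel.example-bad.test /hook/poll
1700000012 10.0.0.5 panel.example-bad.test /hook/poll
1700000015 10.0.0.5 panel.example-bad.test /hook/poll
1700000001 10.0.0.7 cdn.example-news.test /index.html
1700000040 10.0.0.7 cdn.example-news.test /article/1
1700000071 10.0.0.7 cdn.example-news.test /article/9
1700000350 10.0.0.7 cdn.example-news.test /about
1700000800 10.0.0.7 cdn.example-news.test /contact
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")

def parse(log_text):
    """Group request timestamps by (client, host); lines that do not match are skipped."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, host, _path = m.groups()
        series[(client, host)].append(int(ts))
    for key in series:
        series[key].sort()
    return series

def find_beacons(log_text, min_requests=5, max_jitter=0.2):
    """Flag (client, host) pairs whose inter-request gaps are nearly constant.
    jitter = pstdev(gaps) / mean(gaps): a timer-driven poll scores near 0, human browsing scores high."""
    hits = []
    for (client, host), stamps in parse(log_text).items():
        if len(stamps) < min_requests:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if jitter <= max_jitter:
            hits.append((client, host, round(mean, 1), round(jitter, 3)))
    return hits

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))  # flags only the /hook/poll series
```

Tune `min_requests` and `max_jitter` against your own baseline: legitimate services such as mail clients and chat apps also poll, so the output is a lead for triage, not a verdict.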
Screenshots of Activity
Note: For a more detailed demonstration of this framework, watch this clip that’s being circulated.
Below is a series of screenshots related to the framework, as well as various discussions about acquiring it. Readers with more experience may compare GhostHook to BeEF, the Browser Exploitation Framework (Beef XSS), which likewise hooks browsers through injected JavaScript. The difference is that GhostHook is designed for malicious use and is marketed accordingly on cybercrime forums.
Secure Your Mobile Devices with iVerify.io Mobile EDR
iVerify offers advanced mobile EDR solutions that combine threat detection and mobile forensics with automated response and remediation for enterprise-level protection against sophisticated threats, including mobile malware, unpatched vulnerabilities, smishing, and credential theft, ensuring maximum privacy and security.