Targeted Attack in Taiwan Uses Infamous Gh0st RAT | Security Intelligence Blog | Trend Micro

Gh0st RAT, huh...

From the arrest of one of the head members of the ransomware gang to the successful Rove Digital takedown, coordination between law enforcement agencies and security groups has time and again yielded positive results. This time, the Taiwan Criminal Investigation Bureau (CIB), in cooperation with Trend Micro, resolved a targeted attack involving the notorious Ghost RAT family. One person was arrested by the CIB.

BKDR_GHOST (aka Gh0st RAT or TROJ_GHOST), a well-known remote access Trojan (RAT), is commonly used in targeted attacks and is widely available to threat actors and cybercriminals alike. In this specific targeted attack, the attackers delivered BKDR_GHOST to unsuspecting targets via custom spear-phishing emails containing a link from which the malware is automatically downloaded. The email poses as the Taiwan Bureau of National Health Insurance, which makes it convincing enough to lure the targets into clicking and eventually executing the malware. To avoid easy detection, the attackers designed these emails to contain a link that redirects users to a specific site and automatically downloads an official-looking RAR archive file.

Moreover, to further persuade users to open a document file inside the archive, the attacker made use of an old but effective file-naming trick: appending multiple spaces between the document extension (in this case, .DOC) and the executable extension (in this case, .EXE). This is still an effective technique because the multiple spaces hide the real file extension in the small RAR window. Our threat discovery solutions detect malware with this trait as HEUR_NAMETRICK.A in ATSE 9.740.1046.
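As an added illustration of the file-naming trick described above (example code written for this page, not Trend Micro's code or the HEUR_NAMETRICK.A signature), this Python check flags archive member names that show a document extension followed by whitespace padding and then a hidden executable extension; the extension lists and sample member names are assumptions constructed for the example:

```python
import re

# Extensions a lure document usually claims to be, and extensions Windows
# actually executes. Both lists are assumptions for this example, not a
# vendor list; extend them to match your own archive-scanning policy.
DOCUMENT_EXTS = ("doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "rtf")
EXECUTABLE_EXTS = ("exe", "scr", "com", "pif", "bat", "cmd")

# Matches "<name>.<document ext><run of spaces/tabs/nbsp>.<executable ext>"
# at the end of a file name, case-insensitively. Even one pad character is
# flagged: a legitimate document never carries a trailing ".exe".
_PADDED_PATTERN = re.compile(
    r"\.(?P<shown>" + "|".join(DOCUMENT_EXTS) + r")"
    r"(?P<pad>[ \t\u00a0]+)"
    r"\.(?P<real>" + "|".join(EXECUTABLE_EXTS) + r")$",
    re.IGNORECASE,
)


def padded_double_extension(member_name):
    """Return (shown_ext, pad_length, real_ext) when the archive member name
    uses the space-padded double-extension trick, otherwise None."""
    # Only the final path component matters; archives may store subdirectories.
    base = member_name.replace("\\", "/").rsplit("/", 1)[-1]
    m = _PADDED_PATTERN.search(base)
    if not m:
        return None
    return (m.group("shown").lower(), len(m.group("pad")), m.group("real").lower())


def scan_archive_names(member_names):
    """Return the member names that should be flagged, in input order."""
    return [n for n in member_names if padded_double_extension(n) is not None]


if __name__ == "__main__":
    # Constructed sample member list for demonstration; not from the real archive.
    sample_members = [
        "notice.doc" + " " * 30 + ".exe",   # the trick: .DOC, padding, .EXE
        "notice.doc",                        # plain document, not flagged
        "tools/setup.exe",                   # plain executable, not flagged
        "report.pdf\t\t\t.scr",              # tab padding, screensaver extension
    ]
    for name in scan_archive_names(sample_members):
        shown, pad, real = padded_double_extension(name)
        print(f"flagged: {name!r} (shows .{shown}, {pad} pad chars, runs as .{real})")
```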

Targeted Attack in Taiwan Uses Infamous Gh0st RAT - TrendLabs Security Intelligence Blog
