During their analysis of the Gh0st Remote Access Trojan (RAT), security researchers from FireEye’s Malware Intelligence Lab came across another malicious element, Backdoor.ADDNEW (commonly known as DarkDdoser), that appeared to be working in perfect harmony with Gh0st.
Both threats were communicating with the same command-and-control server, each over a different port.
After further investigating machines compromised by ADDNEW, the researchers found that the devices became infected with the Gh0st RAT within one week of the backdoor infection.
ADDNEW is designed for various tasks, including stealing Mozilla Firefox passwords from the browser’s SQLite database and launching different types of distributed denial-of-service (DDoS) attacks.
Some of the commands embedded in DarkDdoser are still being analyzed, since the researchers have not yet determined how they work.
Experts believe that ADDNEW and the Gh0st RAT complement each other in these campaigns.