GhostWeaver Propose Change

According to TRAC Labs, the GhostWeaver backdoor not only maintains continuous, authenticated communication with its command-and-control server but also includes functionalities to generate DGA domains (using a fixed-seed algorithm based on the week number and year), deliver additional payloads via remote commands and bypass certificate validation by leveraging a RemoteCertificateValidationCallback that always returns true. Multiple delivered plugins are designed to target sensitive information - including credentials from popular browsers (Brave, Chrome, Firefox, Edge), Outlook data, and cryptocurrency wallets. The Formgrabber plugin includes web injection methods by dynamically manipulating HTML content, modifying JA3 fingerprints via cipher suite reordering, and employing a man-in-the-middle proxy setup to intercept the traffic. GhostWeaver’s and plugins’ delivery on systems that are not part of an Active Directory domain suggests that attackers are extending their reach beyond typical corporate targets, aligning with a financially motivated agenda that exploits environments with weaker security controls.

References

There is no Yara-Signature yet.