Ghambar

Description

Currently, we identify this malware family as “Ghambar,” due to the word being used in some function names and variables inside the same malware’s code; also subsequent samples expose potentially personally identifiable information and alternative names. While Ghambar does not seem to share any significant codebase with past tools, we believe that Ghambar might be the successor of TinyZBot, which is one of the artifacts described by Cylance in the Operation Cleaver report. Similar to TinyZBot, Ghambar is also developed in C# and it employs the same SOAP­based command and control protocol. While it is provided with fewer features, Ghambar appears better designed and with a cleaner code style.

Interestingly, Ghambar is designed to leave as little footprint on the system as possible. When collecting screenshots, clipboard data, and intercepted keystrokes, it attempts to directly send the data to the C&C without writing on disk.

While executing a parallel keylogger, Ghambar is also able to receive instructions from the C&C on additional tasks to execute. These tasks can be additional plugins to be downloaded and executed, generic tasks on the file system, or a number of predefined commands.

Ghambar is provided with a full­featured plugins system. If instructed to do so by the C&C, the malware is able to download, store, and execute any given plugin.

Other than generally creating, deleting and fetching files, Ghambar is also able to executed a number of predefined commands if instructed to do so by the C&C. The commands, identified by a command­type identifier, include the following: • Self­destruct; • Execute a command through ‘cmd.exe’ and return output; • Take a screenshot; • Shutdown the computer; • Restart the computer; • Logoff the user; • Lock the computer; • Turn on and off the monitor; • Set and copy clipboard data; • Enable or disable mouse/keyboard (although these procedures are not yet implemented); • “Enable or disable desktop” (not implemented); • Trigger a BSOD (also, not implemented).

While the sample we obtained might be an earlier stage still under development, Ghambar is alreadyprovided with enough features to make it a fully­functional backdoor.

Names

Name
Ghambar

Category

Malware

Type

• Backdoor
• Info stealer
• Credential stealer

Information

• https://iranthreats.github.io/us-16-Guarnieri-Anderson-Iran-And-The-Soft-War-For-Internet-Dominance-paper.pdf

Malpedia

• https://malpedia.caad.fkie.fraunhofer.de/details/win.ghambar

Other Information

Uuid

622b301b-0b13-410c-a772-2c9d6194a606

Last Card Change

2023-06-22