Researchers at AhnLab Security Emergency Response Center (ASEC) have uncovered a multi-stage attack campaign targeting internet cafes across South Korea. The operation pairs the Gh0st RAT remote access trojan with the T-Rex cryptocurrency miner: the RAT provides persistent remote access, and the miner turns the compromised machines into unauthorized mining rigs.
Attack Timeline and Scope
Investigation findings indicate that the threat actors have been active since 2022 and concentrated on South Korean internet cafes in the second half of 2024. The attackers specifically target systems running a Korean-developed internet cafe management program, which points to a deliberate, targeted approach rather than opportunistic infection.
Researchers have not yet identified the initial access vector, but the analysis shows a clear pattern: every compromised system ran the same client management software. That consistency indicates the attackers understand the South Korean internet cafe ecosystem and the software it commonly relies on.
Technical Analysis of the Malware Arsenal
Gh0st RAT: Advanced Remote Control Capabilities
The campaign leverages Gh0st RAT, a well-established remote access trojan originally developed by the Chinese C. Rufus Security Team. Since its source code became publicly available, cybercriminals have continuously modified and enhanced the malware to suit their specific operational requirements.
The variant deployed in these attacks features comprehensive system control capabilities:
• Complete remote system administration
• Advanced file and process manipulation
• Comprehensive system information harvesting
• Integrated keylogging functionality
• Real-time screen capture capabilities
Memory Patching Persistence Technique
A particularly notable aspect of this campaign is a memory patching technique aimed at the internet cafe management software. The malware deploys a dedicated module that continuously enumerates running processes looking for the management application. Once the process is found, the module compares regions of its memory against predetermined byte patterns.
When a pattern matches, the module overwrites the memory contents, replacing a reference to a WAV sound file with a cmd.exe command. The Gh0st RAT dropper is placed in the management software's audio file directory, so the trusted program itself ends up launching the dropper in the course of its normal operation. Because the patch lives only in the running process, the program's on-disk binary is unchanged and file integrity checks will not catch it; catching it requires inspecting the process's memory or alerting when the management process spawns cmd.exe.
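The emulation below is an added example, not code from the original article or from the ASEC report, and it assumes an illustrative data layout (a table of fixed-size, NUL-padded path slots) rather than the real program's structure. It shows both halves of the technique in miniature: `patch_wav_reference` performs the template-match-and-overwrite that replaces a WAV path with a cmd.exe command, and `find_patched_slots` is the kind of memory check a defender would run over a dump of the management process to spot a slot that should hold a sound file but now holds a command.

```python
import re
from typing import List, Tuple

# Illustrative layout, assumed for this example and not the real program's data
# structure: the client keeps its event-sound settings as a table of fixed-size,
# NUL-padded ASCII path slots.
SLOT_SIZE = 64

# Strings that have no business inside a sound-file slot.
COMMAND_MARKERS = re.compile(
    rb"(cmd(\.exe)?\b|/c\s|powershell|rundll32|mshta|\.exe\b|\.bat\b)",
    re.IGNORECASE,
)


def build_sample_memory(paths: List[str]) -> bytearray:
    """Construct a fake memory region with one NUL-padded path per slot (sample data)."""
    buf = bytearray()
    for path in paths:
        raw = path.encode("ascii")
        if len(raw) >= SLOT_SIZE:
            raise ValueError("path does not fit in a slot")
        buf += raw.ljust(SLOT_SIZE, b"\x00")
    return buf


def patch_wav_reference(memory: bytearray, template: bytes, replacement: bytes) -> int:
    """Emulate the patcher described in the report: walk the table, and overwrite
    every slot whose content equals the template WAV path with the command string.
    Returns the number of slots patched."""
    if len(replacement) >= SLOT_SIZE:
        raise ValueError("replacement does not fit in a slot")
    patched = 0
    for off in range(0, len(memory) - SLOT_SIZE + 1, SLOT_SIZE):
        current = bytes(memory[off:off + SLOT_SIZE]).split(b"\x00", 1)[0]
        if current == template:
            memory[off:off + SLOT_SIZE] = replacement.ljust(SLOT_SIZE, b"\x00")
            patched += 1
    return patched


def find_patched_slots(memory: bytes) -> List[Tuple[int, str]]:
    """Detection side: a legitimate slot is empty or holds a .wav path. Return
    (offset, content) for every slot that looks like a command instead."""
    hits = []
    for off in range(0, len(memory) - SLOT_SIZE + 1, SLOT_SIZE):
        content = bytes(memory[off:off + SLOT_SIZE]).split(b"\x00", 1)[0]
        if not content:
            continue
        looks_like_wav = content.lower().endswith(b".wav")
        if looks_like_wav and not COMMAND_MARKERS.search(content):
            continue
        hits.append((off, content.decode("ascii", "replace")))
    return hits


if __name__ == "__main__":
    # Constructed sample: two sound entries and one unused slot.
    mem = build_sample_memory([r"sounds\login.wav", r"sounds\logout.wav", ""])
    print("before patch:", find_patched_slots(mem))
    n = patch_wav_reference(mem, rb"sounds\login.wav",
                            rb"cmd.exe /c start /b sounds\update.exe")
    print(f"patched {n} slot(s)")
    for off, text in find_patched_slots(mem):
        print(f"suspicious slot at offset {off:#x}: {text}")
```

On a real host the input to `find_patched_slots` would be the relevant region read out of the live management process rather than a constructed buffer; the point of the check is that it looks at what the process is about to execute, which a hash of the binary on disk never sees.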
Strategic Cryptocurrency Mining Operations
Unlike typical cryptojacking campaigns, which deploy XMRig to mine Monero on the CPU, these attackers chose the T-Rex miner. The choice fits the target environment: internet cafe machines are built for gaming and carry high-performance graphics cards.
T-Rex is a GPU miner that uses that graphics hardware to mine coins such as Ravencoin (and, before Ethereum moved to proof of stake in September 2022, Ether), which yields far more than CPU mining on the same machine. Researchers also observed the Phoenix miner deployed alongside T-Rex in some cases, a sign that the attackers were intent on squeezing as much mining output as possible from the compromised systems.
Industry Response and Mitigation Strategies
The vendor of the targeted software has responded with process blacklisting to block the malicious executables from running. That is a useful stopgap, but it does not amount to comprehensive protection; layered defenses are still required.
Internet cafe operators should implement the following security measures:
• Establish rigorous software update schedules for all system components
• Deploy network monitoring to detect connections to mining pools and other anomalous traffic patterns
• Implement enterprise-grade antivirus solutions with cryptocurrency mining detection
• Enforce principle of least privilege for user account permissions
• Conduct regular security assessments of management software
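The network monitoring recommendation above is concrete enough to show in code. The following is an added example, not part of the original article or of any vendor tooling: a small classifier that inspects reassembled client-to-server payloads for the stratum JSON-RPC methods that GPU miners such as T-Rex and PhoenixMiner use to log in to a pool, and pulls out the wallet.worker string from the login call. The method list comes from the public stratum protocol and its Ethereum-style variant, the sample flows are constructed (documentation IP ranges, made-up wallet), and nothing here is specific to the campaign's infrastructure.

```python
import json
from typing import Dict, List, Optional, Tuple

# JSON-RPC method names from the public stratum v1 protocol and its Ethereum-style
# (eth_*) variant, which GPU miners use to talk to a pool. This reflects the
# protocol in general, not anything observed in this campaign.
MINING_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit", "mining.notify",
    "mining.set_difficulty", "mining.set_target", "mining.set_extranonce",
    "eth_submitLogin", "eth_getWork", "eth_submitWork", "eth_submitHashrate",
}

Flow = Tuple[str, str, bytes]  # (src, dst, reassembled client-to-server payload)


def parse_stratum_lines(payload: bytes) -> List[Dict]:
    """Stratum is newline-delimited JSON; skip anything that is not a JSON object."""
    msgs = []
    for line in payload.split(b"\n"):
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line.decode("utf-8"))
        except ValueError:  # covers both UnicodeDecodeError and JSONDecodeError
            continue
        if isinstance(obj, dict):
            msgs.append(obj)
    return msgs


def extract_worker(msg: Dict) -> Optional[str]:
    """The login/authorize call carries the wallet.worker string the pool credits."""
    if msg.get("method") not in ("mining.authorize", "eth_submitLogin"):
        return None
    params = msg.get("params")
    if isinstance(params, list) and params and isinstance(params[0], str):
        return params[0]
    return None


def classify_flow(src: str, dst: str, payload: bytes) -> Optional[Dict]:
    """Return a finding when the payload carries mining JSON-RPC, else None."""
    methods = []
    worker = None
    for msg in parse_stratum_lines(payload):
        method = msg.get("method")
        if method in MINING_METHODS:
            methods.append(method)
            worker = worker or extract_worker(msg)
    if not methods:
        return None
    return {"src": src, "dst": dst, "methods": sorted(set(methods)), "worker": worker}


def scan_flows(flows: List[Flow]) -> List[Dict]:
    """Run the classifier over a batch of flows and keep only the findings."""
    return [f for f in (classify_flow(*flow) for flow in flows) if f]


# Constructed sample flows: a plaintext stratum login, a TLS ClientHello whose
# payload is opaque to this check, and an ordinary HTTP request.
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.5.21:50112", "203.0.113.9:3333",
     b'{"id":1,"method":"mining.subscribe","params":["t-rex/0.26.8"]}\n'
     b'{"id":2,"method":"mining.authorize","params":["RVNexampleWallet.pc07","x"]}\n'),
    ("10.0.5.22:50201", "198.51.100.4:443",
     b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    ("10.0.5.23:50300", "192.0.2.77:80",
     b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in scan_flows(SAMPLE_FLOWS):
        print(finding)
```

The second sample flow is the caveat: T-Rex and similar miners can speak stratum over TLS (`stratum+ssl://`), in which case no JSON is visible on the wire and this payload check returns nothing. For those flows the monitoring has to fall back on destination reputation, long-lived connections to unusual ports, and host-side telemetry such as sustained GPU utilization on a seat with no game running.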
Advanced Threat Intelligence Insights
This campaign demonstrates the evolution of cryptojacking operations from opportunistic attacks to highly targeted, infrastructure-specific operations. The attackers’ selection of specialized mining software, combined with sophisticated persistence mechanisms, indicates professional-level threat actor capabilities.
The targeting of internet cafes represents a strategic shift in cryptocurrency mining malware deployment. These environments offer optimal conditions: powerful hardware, extended operational hours, and often limited security oversight, making them attractive targets for sustained mining operations.
Organizations operating similar high-performance computing environments should evaluate their security postures against these emerging threat patterns. The combination of remote access capabilities with cryptocurrency mining represents a dual-purpose attack model that maximizes both immediate financial gain and long-term system access for future operations. Proactive threat hunting and behavioral analysis tools become essential components of defense strategies against such sophisticated, multi-stage attack campaigns.