Emerging Malware Campaign Bundles Gh0st RAT with CloverPlus Adware, Threatens Cybersecurity
A recent analysis by the Splunk Threat Research Team (STRT) uncovers a sophisticated malware campaign that combines a powerful remote access trojan (RAT) with invasive adware, effectively enabling cybercriminals to maintain long-term control over compromised systems while simultaneously generating immediate revenue through fraudulent advertising activities.
At its core, this malware campaign employs an obfuscated loader designed specifically to prioritize stealth, persistence, and evasion of detection mechanisms. This loader conceals two encrypted payloads within its resource section; one of these has been identified as AdWare.Win32.CloverPlus. Upon execution, the adware component installs various advertising components that manipulate browser behavior, alter startup settings, and generate intrusive pop-ups aimed at monetizing clicks and traffic on infected machines.
Simultaneously, the loader prepares a more severe threat: the Gh0st RAT client DLL. This DLL, once decrypted, provides the attacker with complete remote access to the victim’s system, thus facilitating the extraction of sensitive data and installation of additional malicious software.
To circumvent initial path-based security detections, the loader performs a critical check to see if it is executing from the %temp% directory. If it determines that it is not, the loader copies itself into this directory prior to decrypting the Gh0st RAT DLL from the resource section. Once the DLL is in place, it is executed using the commonly utilized Windows tool, rundll32.exe. This technique seamlessly blends into normal Windows activity and allows the malware to operate under the radar.
The Tactical Maneuvers of Gh0st RAT
Active upon infection, this particular variant of the Gh0st RAT employs a series of advanced maneuvers to evade detection and enhance its operational capabilities. One tactical feature is its ability to enable SeDebugPrivilege through access token manipulation. This manipulation permits the RAT to interact with and extract memory from other processes—an approach often exploited to steal sensitive user data, including passwords and other confidential information.
The malware also conducts user and network discovery activities, identifying processes that handle Domain Name System (DNS) traffic on standard port 53. By terminating the legitimate DNS processes and substituting them with a compromised version, the RAT can hijack DNS queries. Furthermore, by deleting files related to its activity, it eliminates traces that might alert system administrators to the presence of malware.
In a sophisticated evasion tactic, Gh0st RAT checks registry keys associated with VMware to determine if the malware is running inside a virtual machine. If a VM is detected, it launches a “dead drop resolver” routine, reaching out to a seemingly benign Sina blog URL to parse the HTML title tag and retrieve its command-and-control (C2) address, thereby hiding its infrastructure behind legitimate web content.
Moreover, the RAT employs a ping-based sleep technique designed to delay its operations and evade security sandboxes that only monitor brief activity. Its DNS hijacking also serves a defensive purpose: the RAT inspects requested domains for keywords associated with antivirus vendors and selectively returns regular DNS responses or errors, impeding the victim's access to security tools.
Information Gathering and Persistence Measures
Beyond merely abusing network functionalities, the RAT collects critical system configuration information, such as network details and hardware identifiers, to uniquely track compromised machines. Persistence mechanisms are implemented through several traditional strategies. Gh0st RAT modifies standard Windows Run keys and exploits Windows Remote Access service configurations, ensuring that it launches automatically with the operating system.
Additionally, it registers a dedicated Windows service pointing to its malicious module, thus integrating itself into the operating system’s initialization processes. It even targets Remote Desktop Protocol (RDP) sessions by monitoring the execution of mstsc.exe and capturing keystrokes to harvest high-value credentials.
The STRT has effectively mapped these malicious behaviors to the MITRE ATT&CK framework and released aligned analytic content for defenders to utilize in detecting this dual-payload threat. Available detection methods focus on analytics for unusual rundll32.exe activity, ping-based sleep commands, persistence registry keys, and modifications to Windows registry entries associated with remote access functionalities.
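As an added illustration of the detection approach described above (this is not the STRT's released analytic content), the following Python applies three of the named checks to constructed Sysmon-style process-creation events: rundll32.exe loading a DLL from a Temp directory, a loopback ping with a large repeat count used as a sleep, and a Run-key write via reg.exe. The event fields, paths, and command lines are constructed assumptions, not indicators from the campaign.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\svch.dll,Main",
     "parent": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
    {"image": r"C:\Windows\System32\rundll32.exe",          # benign: system DLL, explorer parent
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",               # ping loop as a sleep, then cleanup
     "cmdline": r"cmd.exe /c ping 127.0.0.1 -n 300 > nul & del C:\Users\bob\AppData\Local\Temp\svch.dll",
     "parent": r"C:\Windows\System32\rundll32.exe"},
    {"image": r"C:\Windows\System32\PING.EXE",              # benign: short connectivity check
     "cmdline": r"ping -n 2 10.0.0.1",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\reg.exe",               # Run-key persistence
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\bob\AppData\Local\Temp\update.exe /f",
     "parent": r"C:\Windows\System32\rundll32.exe"},
]

# User or system Temp directory appearing anywhere in a command line.
TEMP_PATH = re.compile(r"\\(?:Users\\[^\\]+\\)?AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)
# ping with an explicit -n <count>; the count is captured to judge whether it is a sleep.
PING_SLEEP = re.compile(r"\bping(?:\.exe)?\b.*?-n\s+(\d+)", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\(?:Run|RunOnce)\b", re.I)
SLEEP_THRESHOLD = 20  # assumed: a loopback ping repeated this often is a delay, not diagnostics

def classify(event):
    """Return the list of detection names matching one process event (empty if benign)."""
    hits = []
    cmd = event["cmdline"]
    image = event["image"].lower()
    if image.endswith("rundll32.exe") and TEMP_PATH.search(cmd):
        hits.append("rundll32_loading_dll_from_temp")
    m = PING_SLEEP.search(cmd)
    if m and int(m.group(1)) >= SLEEP_THRESHOLD and ("127.0.0.1" in cmd or "localhost" in cmd.lower()):
        hits.append("ping_based_sleep")
    if image.endswith("reg.exe") and RUN_KEY.search(cmd):
        hits.append("run_key_persistence")
    return hits

def scan(events):
    """Map event index -> detections; events with no hits are omitted."""
    results = {}
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            results[i] = hits
    return results
```

Correlating the hits by parent process (events 2 and 4 above are both children of rundll32.exe) is what turns three weak signals into the loader-plus-RAT pattern the text describes.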
By correlating these multifaceted signals, security teams can recognize both the loader activity and the enduring presence of the Gh0st RAT. Organizations can enhance their cybersecurity posture by employing continuous endpoint monitoring using platforms like Splunk, transitioning from a reactive stance to proactive threat-hunting strategies.
In summary, the combination of the Gh0st RAT and CloverPlus adware encapsulates a multi-layered threat landscape that challenges traditional cybersecurity measures. Organizations are urged to implement consolidated detection strategies to protect against both the backdoor functionalities of Gh0st RAT and the revenue-generating mechanisms of CloverPlus adware, aiming to thwart attackers before they fully establish their control.
