Cyber Web Spider Blog – News

Dual Malware Campaign Deploys Gh0st RAT and Adware

Posted on April 20, 2026 By CWS

A recent malware campaign is causing alarm in the cybersecurity field by simultaneously distributing two distinct types of threats. Utilizing a single, obfuscated loader, attackers are deploying both the Gh0st Remote Access Trojan (RAT) and CloverPlus adware onto compromised systems. This dual approach allows attackers long-term access while capitalizing on the infected device immediately.

Understanding the Dual Threat Strategy

This combination of threats is both unusual and strategic. The Gh0st RAT is a notorious tool that grants full control of a compromised system, while the CloverPlus adware alters browser settings, installs unwanted ad components, and generates pop-up ads for profit. Together, they provide attackers with a backdoor for persistent access and a method to monetize the infection in real time.

The campaign signifies a shift towards multi-payload delivery tactics aimed at maximizing the benefits from a single system breach. Researchers from the Splunk Threat Research Team (STRT) discovered the loader, noting its use of obfuscation to conceal encrypted payloads, which complicates detection by standard security measures.

Technical Insights Into the Malware Loader

The loader central to this campaign employs stealth from the outset, hiding two encrypted payloads within its resources. The first payload, CloverPlus adware, is linked to an executable named ‘wiseman.exe’ and is responsible for altering browser startup pages and inserting pop-up ads. The loader checks its file path, dropping a copy into the %temp% folder if necessary, before moving to decrypt the Gh0st RAT client module.

Post-decryption, the malware uses the Windows application ‘rundll32.exe’ to launch the Gh0st RAT, allowing it to operate under a trusted system process and evade security alerts. Gh0st RAT then gathers system information to uniquely identify the infected host within the attacker’s command-and-control infrastructure.

Implications and Defensive Measures

This malware campaign poses significant risks to both individuals and organizations. The adware can disrupt browser functionality and expose users to malicious ads, while the RAT component can steal sensitive information and provide attackers with persistent system access. Security teams are advised to enhance their endpoint monitoring capabilities and update detection rules to counteract this bundled threat.

To maintain persistence, Gh0st RAT uses various methods, including writing itself to the Windows Run registry key and integrating into the Windows Remote Access service, so that it runs with SYSTEM-level privileges each time the service starts. Monitoring for unusual ‘rundll32.exe’ activity, registry changes, and unexpected modifications to the system hosts file is crucial for detecting this malware. Regular updates to endpoint detection rules in line with MITRE ATT&CK techniques are recommended to mitigate the risks associated with this campaign.
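
The monitoring points above can be expressed as a small triage routine. This is an added example, not code from the article or from the Splunk research. It assumes Sysmon-style event fields, assumes the "Windows Remote Access service" corresponds to the RemoteAccess service registry key, and runs over constructed sample events; the rule names are hypothetical.

```python
import re

# Sysmon-style fields: EventID 1 = process create, 11 = file create, 13 = registry value set.
TEMP = re.compile(r"\\(appdata\\local\\temp|windows\\temp)\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
# Assumption: the article's "Windows Remote Access service" is the RemoteAccess service key.
RAS_KEY = re.compile(r"\\system\\currentcontrolset\\services\\remoteaccess\\", re.I)
HOSTS = re.compile(r"\\system32\\drivers\\etc\\hosts$", re.I)

SAMPLE_EVENTS = [  # constructed for illustration, not taken from the campaign
    {"Computer": "WS-01", "EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\a\AppData\Local\Temp\x.dll,Entry"},
    {"Computer": "WS-01", "EventID": 13, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKU\S-1-5-21-0\Software\Microsoft\Windows\CurrentVersion\Run\upd",
     "Details": r"C:\Users\a\AppData\Local\Temp\loader.exe"},
    {"Computer": "WS-01", "EventID": 11, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\etc\hosts"},
    {"Computer": "WS-02", "EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

def classify(ev):
    """Return the names of the heuristics one event matches."""
    hits, eid, image = [], ev.get("EventID"), ev.get("Image", "").lower()
    if eid == 1 and image.endswith("\\rundll32.exe") and TEMP.search(ev.get("CommandLine", "")):
        hits.append("rundll32_loads_from_temp")
    if eid == 1 and image.endswith("\\wiseman.exe"):
        hits.append("wiseman_exe_started")
    target = ev.get("TargetObject", "")
    if eid == 13 and RUN_KEY.search(target) and TEMP.search(ev.get("Details", "")):
        hits.append("run_key_points_to_temp")
    # Tuning choice: services.exe legitimately writes service keys, so it is excluded.
    if eid == 13 and RAS_KEY.search(target) and not image.endswith("\\services.exe"):
        hits.append("remoteaccess_service_modified")
    if eid == 11 and HOSTS.search(ev.get("TargetFilename", "")):
        hits.append("hosts_file_written")
    return hits

def triage(events):
    """Group hits per host; rundll32-from-temp plus a persistence write rates 'high'."""
    per_host = {}
    for ev in events:
        for hit in classify(ev):
            per_host.setdefault(ev["Computer"], set()).add(hit)
    persistence = {"run_key_points_to_temp", "remoteaccess_service_modified"}
    return {host: ("high" if "rundll32_loads_from_temp" in hits and hits & persistence
                   else "review", sorted(hits))
            for host, hits in per_host.items()}
```

Calling triage(SAMPLE_EVENTS) returns one entry per host with at least one hit; hosts whose rundll32.exe activity stays inside system directories do not appear.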


Category: Cyber Security News
Tags: ad fraud, Adware, cyber threats, Cybersecurity, data theft, endpoint monitoring, Gh0st RAT, Malware, MITRE ATT&CK, multi-payload, Obfuscation, security tools, Splunk STRT

Copyright © 2026 Cyber Web Spider Blog – News.