A malware campaign is distributing the Gh0st Remote Access Trojan (RAT) and CloverPlus adware together from a single obfuscated loader. One infection gives the operators both long-term remote control of the compromised machine and immediate revenue from pop-up advertisements and related ad-fraud schemes. The pairing shows attackers squeezing more value out of a single infection vector rather than choosing between espionage-grade access and quick monetization.
Researchers at the Splunk Threat Research Team (STRT) identified the campaign and documented its multi-stage infection chain. The loader keeps its payloads encrypted inside the binary's resource section, so static signature scanning of the dropper sees neither the adware nor the RAT in cleartext. The team mapped the observed behaviour to MITRE ATT&CK tactics and techniques throughout the chain, which is what the detection guidance below builds on.
Inside the Loader: How Both Payloads are Dropped and Executed
The loader first drops the CloverPlus adware module, detected as AdWare.Win32.CloverPlus and associated with an executable named wiseman.exe. This payload changes browser start pages and injects unwanted pop-up advertisements, giving the attackers revenue from the moment of infection.
After deploying the adware, the loader checks its own file path for the system's %temp% folder. If it is not already running from there, it copies itself into %temp%, preparing the ground for the second, more dangerous payload: the Gh0st RAT client.
The Gh0st RAT client is stored as an encrypted resource in the .rsrc section of the loader binary. Once the loader is running from %temp%, it decrypts this resource, generates a random file name, and writes the decoded DLL into a randomly named folder created at the root of the C: drive. Because neither the folder nor the file name is fixed, path- and name-based indicators from one infection do not transfer to the next.
The decrypted Gh0st RAT DLL is then executed with rundll32.exe, the legitimate Windows host for DLL entry points. This is system binary proxy execution (MITRE ATT&CK T1218.011, Rundll32), not DLL sideloading: the malware is not planting a DLL in a trusted application's search path, it is asking a signed Microsoft binary to load its module directly. Because rundll32.exe is signed and runs constantly on a normal Windows system, allow-listing and reputation-based controls tend to let the execution through. The weak point for the attacker is that rundll32.exe loading a module with a non-.dll extension from a freshly created folder at the drive root is itself an unusual combination, and that is where detection should focus.
Once running, the Gh0st RAT payload gathers system information, including the machine's MAC address and the serial number of its disk drive. From these it derives a unique identifier for the infected host and sends it to the attacker's command-and-control (C2) infrastructure, which lets the operators tell compromised machines apart and manage them remotely.
To survive reboots, Gh0st RAT uses more than one persistence mechanism. First, it writes an entry to the Windows Run registry key (T1547.001), so the malware is executed every time the user logs in. This is a common but effective way to keep a foothold.
Second, Gh0st RAT registers its DLL as a component of the Windows Remote Access service by writing entries under SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ip. Writing under HKLM\SYSTEM requires administrative rights, so this step presumes the loader already ran elevated; the gain is that the Remote Access service runs as LocalSystem, so the DLL it loads executes with SYSTEM privileges. That hands the RAT the highest permissions on the operating system, lets it act independently of any user login, and makes it considerably harder to remove.
Security teams should monitor for rundll32.exe loading modules with non-.dll extensions from unusual directories, in particular %temp% and randomly named folders at the root of a drive. Endpoint security solutions should flag process execution from temporary directories. Registry modifications to Run keys and to the RemoteAccess\RouterManagers\Ip service path should raise immediate alerts. Ping-based execution delays (a cmd.exe chain that pings a local address N times before running the next command) are also worth alerting on; the malware uses them to outlast sandbox execution timeouts.
Monitoring for DNS traffic anomalies and unexpected changes to the system's hosts file can also give early indication of an active Gh0st RAT infection. Detection rules should be kept aligned with the relevant MITRE ATT&CK techniques: T1134 (Access Token Manipulation), T1033 (System Owner/User Discovery), T1070.004 (Indicator Removal: File Deletion), T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), T1218.011 (System Binary Proxy Execution: Rundll32), T1021 (Remote Services), T1543.003 (Create or Modify System Process: Windows Service), T1056.001 (Input Capture: Keylogging), and T1071.004 (Application Layer Protocol: DNS).
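The following is an added example, not code from the Splunk STRT write-up, showing the detection logic the two paragraphs above describe as a single pass over endpoint telemetry. The events are constructed Sysmon-style records (field names `image`, `cmdline`, `target` are my own simplification), and the paths, SIDs and value names in them are invented for illustration, not indicators from the campaign. The rules cover execution from %temp%, rundll32.exe loading a non-.dll module or a module from an unusual directory, ping-based delays, and writes to the Run key and the RemoteAccess RouterManagers\Ip path.

```python
"""Heuristic detections for the Gh0st RAT / CloverPlus loader behaviours.

Added example. Event records are constructed Sysmon-like dicts, not real
telemetry; the rules are the behavioural checks a SOC would encode in a SIEM.
"""
import ntpath
import re
from typing import Dict, List, Optional

# Constructed sample events (invented paths, SIDs and value names).
EVENTS: List[Dict[str, str]] = [
    # 1: loader copy executing from the user's %temp% folder
    {"id": "1", "kind": "process",
     "image": r"C:\Users\alice\AppData\Local\Temp\wiseman.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\Temp\wiseman.exe"'},
    # 2: rundll32.exe loading a non-.dll module from a random folder at the drive root
    {"id": "2", "kind": "process",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\kx82pq\ab3c9.tmp,Shellex"},
    # 3: ping-based execution delay chained with a self-delete
    {"id": "3", "kind": "process",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ping 127.0.0.1 -n 30 > nul & del "C:\Users\alice\Downloads\setup.exe"'},
    # 4: Run key autostart entry
    {"id": "4", "kind": "registry",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    # 5: DLL registered as a Remote Access router manager component
    {"id": "5", "kind": "registry",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ip\DLLPath"},
    # 6: benign rundll32.exe use (should not alert)
    {"id": "6", "kind": "process",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    # 7: benign registry write (should not alert)
    {"id": "7", "kind": "registry",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)
# A file sitting directly inside a single folder at the drive root, e.g. C:\kx82pq\x.tmp
DRIVE_ROOT_DIR_RE = re.compile(r"^[A-Z]:\\[^\\]+\\[^\\]+$", re.I)
KNOWN_SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
REMOTEACCESS_RE = re.compile(r"\\Services\\RemoteAccess\\RouterManagers\\Ip\\", re.I)
# "ping <host> -n <count> > nul" inside one cmd.exe command segment
PING_DELAY_RE = re.compile(r"\bping(?:\.exe)?\b[^&|]*\s-n\s+\d+[^&|]*>\s*nul", re.I)


def rundll32_module(cmdline: str) -> Optional[str]:
    """Return the module path rundll32.exe was asked to load, quoted or not."""
    m = re.search(r'rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^\s,]+))', cmdline, re.I)
    if not m:
        return None
    return m.group(1) or m.group(2)


def evaluate(event: Dict[str, str]) -> List[str]:
    """Apply every rule to one event and return the names of the rules that fired."""
    hits: List[str] = []
    if event["kind"] == "process":
        image, cmd = event["image"], event["cmdline"]
        if TEMP_DIR_RE.search(image):
            hits.append("execution_from_temp")
        if image.lower().endswith("\\rundll32.exe"):
            mod = rundll32_module(cmd)
            if mod:
                if ntpath.splitext(mod)[1].lower() != ".dll":
                    hits.append("rundll32_nonstandard_extension")
                unusual_dir = TEMP_DIR_RE.search(mod) or DRIVE_ROOT_DIR_RE.match(mod)
                if unusual_dir and not mod.lower().startswith(KNOWN_SYSTEM_DIRS):
                    hits.append("rundll32_unusual_directory")
        if PING_DELAY_RE.search(cmd):
            hits.append("ping_execution_delay")
    elif event["kind"] == "registry":
        target = event["target"]
        if RUN_KEY_RE.search(target):
            hits.append("run_key_persistence")
        if REMOTEACCESS_RE.search(target):
            hits.append("remoteaccess_routermanager_persistence")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map event id -> fired rules, omitting events that triggered nothing."""
    return {ev["id"]: hits for ev in events if (hits := evaluate(ev))}


if __name__ == "__main__":
    for event_id, rules in scan(EVENTS).items():
        print(f"event {event_id}: {', '.join(rules)}")
```

Event 2 fires two rules at once, which is the combination the text singles out: a signed Microsoft binary loading a module that has neither the expected extension nor a normal home. Events 6 and 7 stay quiet, a reminder that rundll32.exe and Run-adjacent registry writes are common on healthy systems and that the signal is in the module path and the specific key, not in the process name alone.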