New Malware Campaign Delivers Gh0st RAT With CloverPlus Adware

Cybercriminals are increasingly adopting multi-payload strategies to maximize the impact and profitability of their attacks.

The Splunk Threat Research Team (STRT) has identified a new malicious campaign that uses a sophisticated loader to deploy two distinct threats: the Gh0st Remote Access Trojan (RAT) and CloverPlus adware.

This unusual combination provides threat actors with both long-term backdoor access for severe system compromise and immediate financial gain through adware monetization.

The Gh0st RAT remains a persistent favorite among attackers due to its robust evasion and persistence capabilities.

At the same time, the CloverPlus component functions as a persistent nuisance, altering browser behavior and injecting unwanted advertisements.

Loader Mechanics and Evasion Tactics

The initial infection relies on a highly obfuscated loader designed to evade detection while extracting two encrypted payloads hidden within its resource section.

The first payload, identified as AdWare.Win32.CloverPlus, initiates unwanted browser modifications such as altering start pages and generating pop-up ads to monetize clicks.

The adware payload (Source: splunk)

After the adware is deployed, the loader checks whether it is already running from the %temp% directory. If not, it drops a copy of itself there before decrypting the primary threat: the Gh0st RAT client module, which is stored encrypted as a DLL in the loader's resource (RSRC) section.

The malware generates a randomized filename and extension, saving the decrypted .DLL in a newly created, randomly named folder at the root of the C: drive.

This payload is subsequently executed through the legitimate, signed Windows rundll32.exe binary (system binary proxy execution, T1218.011), a classic defense evasion technique: the loaded module carries a non-standard extension and lives in a folder no legitimate DLL would, so the process tree shows only a trusted Microsoft binary.

The Decryption and Execution of Gh0st RAT Payload (Source: splunk)

Persistence and Keylogging Capabilities

To ensure continuous operation, the Gh0st RAT variant relies on multiple persistence mechanisms. It utilizes traditional Windows Run registry keys (T1547.001) to execute automatically upon system startup.

Rundll32 Execution (Source: splunk)

Additionally, it abuses Remote Services (T1021): it creates a registry entry for the Windows Remote Access service and drops its malicious DLL so that the payload is loaded by the service host and runs with SYSTEM privileges, without any user interaction.

It also installs itself as a standard Windows Service (T1543.003), providing another reliable, high-privilege persistence method.

Once established, the malware actively monitors for active Remote Desktop Protocol (RDP) sessions by tracking the mstsc.exe process.

It uses Windows APIs such as GetKeyState() to log keystrokes (T1056.001), capturing credentials typed into those sessions that can then be reused for lateral movement across the network.

To combat this threat, the STRT recommends deploying detection queries focused on four behaviours observed in the campaign: rundll32.exe loading modules with non-standard file extensions, ping-based sleep commands used to delay execution, suspicious registry modifications (Run keys and service entries), and processes executing directly from the %temp% directory.
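The four detection ideas above, and the loader behaviour they target (a module with a random extension loaded by rundll32.exe from a random folder under the C: root, a dropper running from %temp%, Run-key and service registry writes), expressed as rules run over a handful of constructed Sysmon-style events. This is an added example, not the Splunk Threat Research Team's published queries: the event shapes (EventID 1 for process creation, EventID 13 for a registry value set) follow Sysmon's field names, but every event, path, folder name and service name in the sample data is made up for the demonstration, and the rule names are this example's own.

```python
"""Detection rules for the loader / Gh0st RAT behaviours described in the article,
run over constructed Sysmon-style events. Added example, not STRT's queries."""
import ntpath
import re

# Extensions that are ordinary for a module handed to rundll32 (or a ServiceDll).
STANDARD_MODULE_EXT = {".dll", ".ocx", ".cpl", ".drv", ".ax"}
# Folders that legitimately sit directly under a drive root; a module loaded from
# any other root-level folder matches the "random folder at the root of C:" pattern.
KNOWN_ROOT_DIRS = {"windows", "program files", "program files (x86)",
                   "programdata", "users", "perflogs"}

TEMP_RE = re.compile(r"\\(?:appdata\\local\\temp|windows\\temp)\\", re.I)
ROOT_DIR_RE = re.compile(r"^[a-z]:\\([^\\]+)\\[^\\]+$", re.I)      # C:\<dir>\<file>
RUN_KEY_RE = re.compile(r"\\currentversion\\(?:run|runonce)\\", re.I)
SERVICE_DLL_RE = re.compile(r"\\services\\[^\\]+\\parameters\\servicedll$", re.I)
SERVICE_IMAGE_RE = re.compile(r"\\services\\[^\\]+\\imagepath$", re.I)


def rundll32_module(cmdline):
    """Return the module path from 'rundll32.exe <module>[,Entry] ...', or None."""
    m = re.match(r'\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+'
                 r'(?:"([^"]+)"|([^\s,]+))', cmdline or "", re.I)
    if not m:
        return None
    return (m.group(1) or m.group(2)).split(",")[0]


def module_findings(path):
    """Rules about where a loaded module lives and what extension it carries."""
    if not path:
        return []
    hits = []
    if ntpath.splitext(path)[1].lower() not in STANDARD_MODULE_EXT:
        hits.append("nonstandard_module_ext")
    root = ROOT_DIR_RE.match(path)
    if root and root.group(1).lower() not in KNOWN_ROOT_DIRS:
        hits.append("module_in_root_dir")
    if TEMP_RE.search(path):
        hits.append("module_in_temp")
    return hits


def ping_sleep_seconds(cmdline):
    """Approximate delay of a 'ping -n N <loopback>' used as a sleep; 0 if none."""
    for segment in re.split(r"[&|]+", cmdline or ""):
        m = re.search(r"\bping(?:\.exe)?\b(.*)", segment, re.I)
        if not m or not re.search(r"\b(?:127\.0\.0\.1|localhost)\b", m.group(1), re.I):
            continue
        n = re.search(r"-n\s+(\d+)", m.group(1), re.I)
        count = int(n.group(1)) if n else 4   # ping's default echo count is 4
        if count >= 2:
            return count - 1                  # roughly one second between echoes
    return 0


def findings_for(event):
    """Apply every rule to one event; return the names of the rules that fired."""
    hits = []
    if event.get("EventID") == 1:
        image, cmd = event.get("Image", ""), event.get("CommandLine", "")
        if TEMP_RE.search(image):
            hits.append("exec_from_temp")
        if ntpath.basename(image).lower() == "rundll32.exe":
            hits += module_findings(rundll32_module(cmd))
        if ping_sleep_seconds(cmd):
            hits.append("ping_sleep")
    elif event.get("EventID") == 13:
        target, details = event.get("TargetObject", ""), event.get("Details", "")
        if RUN_KEY_RE.search(target):
            hits.append("run_key_autostart")
            hits += module_findings(rundll32_module(details))
        elif SERVICE_DLL_RE.search(target):
            hits.append("service_dll_set")
            hits += module_findings(details.strip('"'))
        elif SERVICE_IMAGE_RE.search(target):
            hits.append("service_imagepath_set")
    return hits


def scan(events):
    """Return [(index, findings)] for every event that tripped at least one rule."""
    results = []
    for i, event in enumerate(events):
        found = findings_for(event)
        if found:
            results.append((i, found))
    return results


# Constructed sample telemetry (Sysmon field names; all values are made up).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\ktq8d\jnv3.tmp,Entry"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\setup_94.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\setup_94.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c ping -n 6 127.0.0.1 > nul & del "C:\Users\alice\AppData\Local\Temp\setup_94.exe"'},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"rundll32.exe C:\ktq8d\jnv3.tmp,Entry"},
    {"EventID": 13, "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccessSvc\Parameters\ServiceDll",
     "Details": r"C:\Users\alice\AppData\Local\Temp\rasmon.dll"},
    # Two benign rundll32 invocations that must not fire.
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Program Files\Vendor\helper.dll",Init'},
]

if __name__ == "__main__":
    for index, found in scan(SAMPLE_EVENTS):
        print(index, found)
```

The root-folder rule deliberately matches only a file sitting directly inside a single folder under the drive root, which is exactly the layout the article describes; deeper paths such as C:\Program Files\Vendor\helper.dll are left alone, so the two benign rundll32 events at the end produce no findings. In a SIEM the same logic maps onto the process-creation and registry data models, with the module extraction done on the command-line field.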


The post New Malware Campaign Delivers Gh0st RAT With CloverPlus Adware appeared first on Cyber Security News.