Cybercriminals Deploy Gh0st RAT and CloverPlus Adware in Dual-Payload Attack
A recent malware campaign has emerged, delivering both Gh0st Remote Access Trojan (RAT) and CloverPlus adware simultaneously to compromised systems. This dual-payload strategy enables attackers to gain persistent control over infected machines while profiting through intrusive advertising.
Understanding Gh0st RAT and CloverPlus Adware
Gh0st RAT is a notorious tool that provides attackers with full remote control over compromised systems. It allows for data theft, keystroke logging, and the execution of arbitrary commands. CloverPlus adware, by contrast, modifies browser settings, injects unwanted advertisements, and redirects users to malicious sites, generating revenue for attackers through ad fraud.
The Dual-Payload Delivery Mechanism
In this campaign, attackers employ a single, obfuscated loader to deliver both Gh0st RAT and CloverPlus adware. The loader conceals two encrypted payloads within its resource section, complicating detection by traditional security tools.
Upon execution, the loader first deploys the CloverPlus adware, identified as AdWare.Win32.CloverPlus. This component, associated with an executable named wiseman.exe, alters browser startup pages and injects pop-up advertisements.
Subsequently, the loader checks its file path. If not located in the system’s %temp% folder, it copies itself there. It then decrypts the Gh0st RAT client module, stored as an encrypted resource, and saves the decoded DLL to a randomly named folder at the root of the C:\ drive.
The decrypted DLL is executed using the legitimate Windows application rundll32.exe, allowing the malware to run under a trusted system process and evade detection. Once active, Gh0st RAT gathers system information, including the machine’s MAC address and hard drive serial number, to uniquely identify the infected host.
Implications of the Dual-Payload Strategy
This combined deployment of Gh0st RAT and CloverPlus adware signifies a strategic shift in cybercriminal tactics. By bundling a remote access tool with adware, attackers achieve both persistent access to compromised systems and immediate financial gain through ad fraud.
The adware component disrupts user experience by altering browser settings and displaying intrusive advertisements. More critically, the RAT component poses significant security risks, including unauthorized data access, keystroke logging, and the potential for further malware deployment.
Detection and Mitigation Strategies
To defend against such sophisticated attacks, organizations should implement comprehensive security measures:
– Advanced Threat Detection: Utilize security solutions capable of identifying obfuscated loaders and encrypted payloads.
– Behavioral Analysis: Monitor for unusual system behaviors, such as unexpected process executions or unauthorized system modifications.
– Regular Software Updates: Keep all software and operating systems up to date to patch vulnerabilities that could be exploited by malware.
– User Education: Train employees to recognize phishing attempts and avoid downloading software from untrusted sources.
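The loader chain described earlier (loader copied to %temp%, decrypted DLL dropped into a randomly named folder at the root of C:\, launched through rundll32.exe) and the behavioral monitoring recommended above can be turned into a concrete check over process-creation telemetry. The following is an added example, not code from the original article or from any vendor; it assumes Sysmon-style fields (image, command line, parent image) and runs over constructed sample events, not real logs.

```python
from __future__ import annotations
import re

# Constructed sample process-creation events (Sysmon-style field names);
# paths, PIDs and the random folder name are made up for this example.
SAMPLE_EVENTS = [
    {"pid": 4001, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmdline": r"update.exe",
     "parent_image": r"C:\Users\alice\Downloads\setup.exe"},
    {"pid": 4012, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\k9x3ab7q\svc.dll",Entry',
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"pid": 4020, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL",
     "parent_image": r"C:\Windows\explorer.exe"},
]

# Folders that legitimately sit at the drive root; a DLL loaded from any
# other root-level folder is unusual (the loader drops its DLL into a random one).
KNOWN_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users"}

# A DLL path of the form <drive>:\<one folder>\<file>.dll, quoted or not.
ROOT_DLL_RE = re.compile(r'"?([A-Za-z]):\\([^\\"]+)\\([^\\"]+\.dll)"?', re.IGNORECASE)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)


def analyze_event(ev: dict) -> list[str]:
    """Return the reasons one event resembles the loader-to-rundll32 chain."""
    reasons = []
    image_name = ev["image"].rsplit("\\", 1)[-1].lower()
    if image_name == "rundll32.exe":
        for m in ROOT_DLL_RE.finditer(ev["cmdline"]):
            drive, folder = m.group(1), m.group(2)
            if folder.lower() not in KNOWN_ROOT_DIRS:
                reasons.append(f"rundll32 loading DLL from non-standard root folder {drive}:\\{folder}")
        if TEMP_RE.search(ev["parent_image"]):
            reasons.append("rundll32 spawned by a process running from a Temp folder")
    if TEMP_RE.search(ev["image"]):
        reasons.append("process image executing from a Temp folder")
    return reasons


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map pid -> reasons for every event that triggers at least one rule."""
    return {ev["pid"]: r for ev in events if (r := analyze_event(ev))}


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```

Both rules on their own will fire on some legitimate installers, so treat a rundll32 event that matches both (root-level DLL and a Temp-resident parent) as the high-confidence signal and the single matches as context for triage.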
Conclusion
The emergence of this dual-payload malware campaign underscores the evolving complexity of cyber threats. By delivering both Gh0st RAT and CloverPlus adware, attackers maximize their impact, combining persistent system control with immediate financial exploitation. Proactive security measures and user vigilance are essential to mitigate the risks posed by such multifaceted attacks.