Novel malware campaign bundles Gh0st RAT, CloverPlus adware

GBHackers News reports that a new malware campaign is deploying the Gh0st RAT payload alongside the CloverPlus adware, aiming to generate immediate revenue while prolonging control of infected systems.

Threat actors have leveraged an obfuscated loader to facilitate the execution of CloverPlus, which injects advertising components and prompts pop-ups for click and traffic monetization, while preparing to deliver a Gh0st RAT client DLL for total remote access to the targeted system, findings from the Splunk Threat Research Team revealed.

Gh0st RAT activates after confirming that it was not executed from a %temp% environment, then enables access token manipulation, user and network discovery, system profiling, and persistence. It avoids detection by checking whether it is running in a virtual machine, using a ping-based sleep technique, and exploiting DNS. Gh0st RAT was also reported to enable keystroke logging and to target Remote Desktop activity, allowing the subsequent siphoning of sensitive credentials and other remote administration data, as well as lateral movement.
