EXECUTIVE SUMMARY
A new malware campaign is spreading both a serious remote access trojan and adware together, giving attackers long-term control of systems while also making quick profits. The malware uses hidden techniques to stay persistent, steal sensitive information, and block security tools, making it difficult to detect and remove. This threat is particularly concerning for organisations that rely on remote access and online services, as it can compromise their entire network infrastructure. The attackers appear to be targeting a wide range of sectors and regions, and their ultimate goal is to gain control of systems and steal sensitive data.
The malware infects systems through a malicious loader that uses hidden techniques to evade detection. Once inside, it drops a copy of the running malware, then decrypts another DLL payload, which is the Gh0st RAT client module. The malware then generates a random file name and extension, saves it in a randomly generated folder in the root of the C:\ drive, and executes it using the rundll32.exe Windows application. The Gh0st RAT malware uses registry tricks and .dll module execution to stay hidden while it waits for orders from a C2 server.
It also has the ability to interact with and manipulate other processes, including reading process memory, which is commonly leveraged by Trojan stealers to extract sensitive data handled by other applications. This threat is significant for organisations because it can compromise their entire network infrastructure, steal sensitive data, and block security tools. It is difficult to detect and remove, and its persistence mechanisms make it hard to eradicate. To defend against this threat, organisations should ensure they are regularly patching their systems, monitoring for suspicious activity, and backing up their data. They should also implement robust endpoint protection and conduct regular security audits to identify and remediate vulnerabilities.
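The loader behaviour described above (a module with a random name and extension, dropped into a random folder at the root of C:\ and launched through rundll32.exe) is something a defender can hunt for in process-creation telemetry. The following is an added illustration, not code from the original report or from the malware: it assumes Sysmon-style events with `image` and `cmdline` fields and uses constructed sample events, flagging rundll32.exe launches whose module sits in an unknown top-level folder or carries a non-.dll extension.

```python
import re
from pathlib import PureWindowsPath

# Top-level folders that legitimately host DLLs launched through rundll32.exe.
# Any other folder directly under the drive root is treated as an anomaly,
# matching the random root folder the loader creates.
KNOWN_ROOT_DIRS = {"windows", "program files", "program files (x86)",
                   "programdata", "users"}

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL'},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\qzkx7d2\mfw9a.tkq,DllMain"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Program Files\Vendor\helper.dll",Run'},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\u8h3s\loader.dll,Start"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir C:\abc123"},
]

# First argument after rundll32[.exe]: either a quoted path or a bare token
# that ends at whitespace or at the comma separating the export name.
_MODULE_RE = re.compile(
    r'^\s*"?[^"\s]*rundll32(?:\.exe)?"?\s+("([^"]+)"|([^\s,]+))', re.I)


def module_path(cmdline: str):
    """Return the module path rundll32 was asked to load, or None."""
    m = _MODULE_RE.match(cmdline)
    return (m.group(2) or m.group(3)) if m else None


def classify(event: dict):
    """Return the reasons this event is suspicious ([] means not flagged)."""
    if not event["image"].lower().endswith("rundll32.exe"):
        return []
    path = module_path(event["cmdline"])
    if path is None:
        return []
    p = PureWindowsPath(path)
    parts = p.parts  # e.g. ('C:\\', 'qzkx7d2', 'mfw9a.tkq')
    reasons = []
    if len(parts) == 3 and parts[1].lower() not in KNOWN_ROOT_DIRS:
        reasons.append("module in unknown top-level folder: " + parts[1])
    if p.suffix.lower() != ".dll":
        reasons.append("non-DLL extension: " + (p.suffix or "<none>"))
    return reasons


def hunt(events):
    """Return (cmdline, reasons) for every event that triggers a rule."""
    flagged = []
    for e in events:
        reasons = classify(e)
        if reasons:
            flagged.append((e["cmdline"], reasons))
    return flagged
```

Both rules fire on the second sample event and only the folder rule on the fourth; the benign system and Program Files launches pass untouched.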
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Discovery | T1016 | System Network Configuration Discovery | — |
| Initial Access | T1078 | Valid Accounts | — |
| Initial Access | T1566 | Phishing | — |
| Execution | T1203 | Exploitation for Client Execution | — |
| Execution | T1204 | User Execution | — |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Persistence | T1053 | Scheduled Task/Job | — |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Defense Evasion | T1070.004 | Indicator Removal | File Deletion |
| Defense Evasion | T1102.001 | Web Service | Dead Drop Resolver |
| Defense Evasion | T1562 | Impair Defenses | — |
| Credential Access | T1110 | Brute Force | — |
| Discovery | T1033 | System Owner/User Discovery | — |
| Discovery | T1082 | System Information Discovery | — |
| Command and Control | T1071.004 | Application Layer Protocol | DNS |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
| Impact | T1490 | Inhibit System Recovery | — |
| Lateral Movement | T1021 | Remote Services | — |
| Collection | T1005 | Data from Local System | — |
| Collection | T1113 | Screen Capture | — |
| Collection | T1115 | Clipboard Data | — |
| Resource Development | T1583 | Acquire Infrastructure | — |
| Resource Development | T1588 | Obtain Capabilities | — |
| Resource Development | T1608 | Stage Capabilities | — |
REFERENCES:
The following report contains further technical details:
Gh0st RAT and CloverPlus Adware Delivered Together in New Dual-Payload Malware Campaign