The adware payload | Image: STRT
The Splunk Threat Research Team (STRT) has identified a sophisticated new malware campaign that defies traditional deployment patterns by bundling a high-stakes backdoor with adware. This dual-threat approach allows attackers to establish deep system control while simultaneously generating immediate revenue from their victims.
The campaign utilizes a specialized loader to push two radically different payloads: the Ghost Remote Access Trojan (RAT) and CloverPlus adware. Analysts at STRT describe this as an “odd pairing” where “one is a classic tool for total system takeover, while the other is a persistent nuisance designed to monetize clicks”.
By deploying both simultaneously, threat actors achieve a strategic “best of both worlds” scenario:
- Long-term Access: A reliable backdoor for sustained exploitation.
- Immediate Profit: A mechanism to “squeeze profit out of the victim” right away through unwanted advertisements and browser manipulation.
The attack begins with an obfuscated executable, such as wiseman.exe, designed specifically to evade detection. This loader acts as a delivery vehicle, hiding two encrypted payloads within its resource section.
Once active, the loader performs several environment checks, including checking whether its own process path lies inside the %temp% folder. It then decrypts the Ghost RAT client module, generates a random filename and extension, and saves the malicious file in a randomly named folder at the root of the C:\ drive. To blend into legitimate system activity, the decrypted DLL is executed through the legitimate Windows utility rundll32.exe.
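The loader behaviour described above (a DLL with a random name and extension, dropped in a random folder at the drive root, launched by rundll32.exe from a process running in Temp) is something a detection engineer can pivot on in process-creation telemetry. The following is an added example, not code from the STRT report or from Splunk; the Sysmon-style event records, paths and file names are constructed for illustration, and the hypothetical rules are meant as a starting point for a hunt query rather than a tuned production detection.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation records (EventID 1). The paths and
# names are invented for this example and are not indicators from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\kq9z3m\a7f1xe.qtz",Entry',
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\wiseman.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files\App\app.exe",
     "CommandLine": r'"C:\Program Files\App\app.exe" --update',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# First rundll32 argument: the module path, optionally quoted, before ",Export".
MODULE_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)"?', re.IGNORECASE)
# A file inside a single directory directly under the drive root (C:\dir\file).
ROOT_LEVEL_RE = re.compile(r"^[a-z]:\\[^\\]+\\[^\\]+$", re.IGNORECASE)
KNOWN_ROOT_DIRS = {"windows", "program files", "program files (x86)",
                   "programdata", "users"}
EXPECTED_EXTS = {".dll", ".cpl", ".ocx"}

def rundll32_module(cmdline):
    """Return the module path rundll32 was asked to load, or None."""
    m = MODULE_RE.search(cmdline)
    return m.group(1).strip() if m else None

def suspicious_reasons(event):
    """Reasons an event matches the loader pattern; empty list if it does not."""
    if not event["Image"].lower().endswith("\\rundll32.exe"):
        return []
    module = rundll32_module(event["CommandLine"])
    if module is None:
        return []
    reasons = []
    top_dir = module.split("\\")[1].lower() if module.count("\\") >= 2 else ""
    if ROOT_LEVEL_RE.match(module) and top_dir not in KNOWN_ROOT_DIRS:
        reasons.append("module in non-standard directory at drive root")
    if ntpath.splitext(module)[1].lower() not in EXPECTED_EXTS:
        reasons.append("module has non-DLL extension")
    if "\\temp\\" in event["ParentImage"].lower():
        reasons.append("parent process runs from a Temp folder")
    return reasons

def scan(events):
    """Return (index, reasons) for every event that raised at least one reason."""
    return [(i, r) for i, e in enumerate(events) if (r := suspicious_reasons(e))]

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS):
        print(f"event {i}: {'; '.join(reasons)}")
```

Only the first record trips all three rules; the legitimate shell32.dll invocation and the unrelated process produce no reasons, which is the behaviour to preserve when tuning this against real telemetry.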
The Ghost RAT payload is “built to be persistent, using registry tricks and .dll module execution to stay hidden while it waits for orders from a C2 server”. The malware employs several advanced techniques to maintain its foothold and stymie investigators:
- Process Manipulation: It adjusts its process token to enable SeDebugPrivilege, allowing it to interact with and read the memory of other applications to steal sensitive data.
- Defense Evasion: The malware queries specific registry keys, such as those related to VMware Tools, to determine if it is running inside a virtual machine.
- Network Interference: It can block access to security-related websites by modifying the local hosts file and generating spoofed DNS responses, effectively redirecting traffic away from legitimate protection resources.
One of the most concerning features of this Ghost RAT variant is its ability to capture sensitive information during Remote Desktop Protocol (RDP) sessions. The malware monitors for the mstsc.exe process and, once detected, “begins tracking user input by calling Windows APIs such as GetKeyState() and GetAsyncKeyState()”.
This lets the malware act as a keylogger in real time, intercepting usernames and passwords entered during active RDP sessions. This targeted approach significantly “increases the likelihood of capturing valid credentials for remote systems, enabling lateral movement or further compromise within the network while remaining relatively stealthy”.
The Splunk Threat Research Team emphasizes that “the malware uses hidden techniques to stay persistent, steal sensitive information, and block security tools, making it difficult to detect and remove”. However, by analyzing these suspicious behaviors, Splunk provides a pathway for security teams to identify and stop these threats through “faster, proactive threat detection”.