SOC Prime Bias: Medium

21 Apr 2026 18:16
newspaper icon Splunk

Not Just Annoying Ads: Adware Bundles Delivering Gh0st RAT

Author Photo
SOC Prime Team linkedin icon Follow
Not Just Annoying Ads: Adware Bundles Delivering Gh0st RAT
shield icon

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query


Summary

A recent campaign delivers the Gh0st Remote Access Trojan alongside the CloverPlus adware component. Its loader conceals two encrypted resources, writes them to randomly chosen locations, and launches the RAT through rundll32.exe. The malware combines several persistence methods with token manipulation, DNS hijacking, and keylogging to retain access over time while also generating revenue through ad-click abuse. Its use of legitimate Windows binaries and layered obfuscation makes detection more challenging.

Investigation

Splunk Threat Research reverse-engineered the loader and confirmed that it carried both an embedded Gh0st RAT DLL and the CloverPlus adware module. Behavioral analysis exposed token privilege escalation, registry checks for VMware-based environments, use of a dead-drop resolver, ping-based sleep delays, DNS spoofing, and multiple persistence techniques rooted in the Windows Registry. Investigators also documented indicators including unusual rundll32.exe execution, payload launches from %temp%, and specific registry modifications tied to the infection chain.

Mitigation

Defenders should monitor for rundll32.exe loading files with unusual extensions or executing content from non-standard directories. Security teams should also block or alert on creation of the RemoteAccess router manager registry entry and suspicious changes to Run keys. Network controls should restrict access to the identified dead-drop resolver URL and flag ping-based sleep behavior associated with malware evasion. Application control policies can further reduce risk by preventing unauthorized DLLs from being loaded.

Response

When this activity is detected, isolate the affected host, collect volatile evidence along with the suspicious DLLs, and perform hash-based lookups to confirm the threat. Remove any malicious registry entries and services used for persistence. Reset exposed credentials, particularly those tied to RDP usage, and inspect DNS settings and the hosts file for unauthorized changes. A full forensic review should then be performed to verify that no additional backdoors or secondary payloads remain.

"graph TB %% Class definitions classDef action fill:#99ccff classDef tool fill:#ffcc99 classDef malware fill:#ff9999 classDef process fill:#ccccff classDef technique fill:#eeeeee classDef operator fill:#ff9900 %% Nodes u2013 Step 1 Loader Execution tool_wiseman["<b>Tool</b> – Name: wiseman.exe<br/><b>Description</b>: Loader that decrypts embedded payloads (Gh0st RAT DLL and CloverPlus adware)."] class tool_wiseman tool action_loader["<b>Action</b> – Loader Execution"] class action_loader action tech_reflective["<b>Technique</b> – T1620 Reflective Code Loading<br/>Loads code into memory without writing it to disk."] class tech_reflective technique tech_obfuscate["<b>Technique</b> – T1027.009 Obfuscated Files or Information: Embedded Payloads<br/>Payloads are encrypted/obfuscated inside the loader."] class tech_obfuscate technique %% Connections u2013 Step 1 tool_wiseman –>|executes| action_loader action_loader –>|uses| tech_reflective action_loader –>|uses| tech_obfuscate %% Nodes u2013 Step 2 Write DLL and launch via rundll32 process_write_dll["<b>Process</b> – Write DLL to random folder in C:\Windows\System32"] class process_write_dll process malware_gh0st["<b>Malware</b> – Gh0st RAT DLL"] class malware_gh0st malware tool_rundll32["<b>Tool</b> – rundll32.exe<br/><b>Purpose</b>: Executes DLLs as if they were executables"] class tool_rundll32 tool %% Connections u2013 Step 2 action_loader –>|writes| process_write_dll process_write_dll –>|contains| malware_gh0st malware_gh0st –>|launched by| tool_rundll32 %% Nodes u2013 Step 3 Token Manipulation tech_token["<b>Technique</b> – T1134.002 Access Token Manipulation: Create Process with Token<br/>Enables SeDebugPrivilege for later operations."] class tech_token technique %% Connection u2013 Step 3 action_loader –>|modifies token| tech_token %% Nodes u2013 Step 4 Process Discovery of DNS service tech_proc_discovery["<b>Technique</b> – T1057 Process Discovery<br/>Enumerates running processes, identifies DNS service (port 53)."] class tech_proc_discovery technique tech_win_window["<b>Technique</b> – T1010 Application Window Discovery<br/>Collects window titles to aid process identification."] class tech_win_window technique %% Connection u2013 Step 4 tech_token –>|performs| tech_proc_discovery tech_proc_discovery –>|supplements| tech_win_window %% Nodes u2013 Step 5 Terminate DNS and delete file tech_process_injection["<b>Technique</b> – T1055.003 Process Injection: Thread Execution Hijacking<br/>Hijacks DNS process thread to terminate it."] class tech_process_injection technique tech_masquerade["<b>Technique</b> – T1036.009 Masquerading: Break Process Trees<br/>Creates a fake process hierarchy to hide malicious activity."] class tech_masquerade technique tech_file_deletion["<b>Technique</b> – T1070.004 File Deletion<br/>Deletes the original DNS executable file after termination."] class tech_file_deletion technique %% Connections u2013 Step 5 tech_proc_discovery –>|targets| tech_process_injection tech_process_injection –>|accompanies| tech_masquerade tech_masquerade –>|leads to| tech_file_deletion %% Nodes u2013 Step 6 Virtual Machine Discovery tech_vm_discovery["<b>Technique</b> – T1673 Virtual Machine Discovery<br/>Queries VMware registry key to detect analysis environment."] class tech_vm_discovery technique %% Connection u2013 Step 6 tech_token –>|checks| tech_vm_discovery %% Nodes u2013 Step 7 Deadu2011Drop Resolver tool_ping["<b>Tool</b> – ping.exe<br/><b>Use</b>: Introduces delay before further actions."] class tool_ping tool tech_dead_drop["<b>Technique</b> – T1102.001 Web Service: Dead Drop Resolver<br/>Downloads a web page from a malicious URL to obtain C2 address."] class tech_dead_drop technique %% Connection u2013 Step 7 tech_vm_discovery –>|if VM detected| tech_dead_drop tech_dead_drop –>|uses| tool_ping %% Nodes u2013 Step 8 Delay Execution tech_delay["<b>Technique</b> – T1678 Delay Execution<br/>Uses ping -n to wait before executing payload."] class tech_delay technique %% Connection u2013 Step 8 tool_ping –>|implements| tech_delay %% Nodes u2013 Step 9 Hosts file modification and DNS spoofing tech_hosts_mod["<b>Technique</b> – T1568.002 Email Spoofing (repurposed for DNS spoofing)<br/>Modifies hosts file and crafts spoofed DNS responses to block security domains."] class tech_hosts_mod technique %% Connection u2013 Step 9 tech_delay –>|modifies| tech_hosts_mod %% Nodes u2013 Step 10 Flush DNS cache action_flush_dns["<b>Action</b> – Flush DNS Cache<br/>Executes ipconfig /flushdns to ensure malicious entries take effect."] class action_flush_dns action %% Connection u2013 Step 10 tech_hosts_mod –>|followed by| action_flush_dns %% Nodes u2013 Step 11 Collect hardware identifiers tech_snmp_dump["<b>Technique</b> – T1602.001 Data from Configuration Repository: SNMP (MIB Dump)<br/>Collects hardware IDs such as MAC address."] class tech_snmp_dump technique tech_net_config["<b>Technique</b> – T1602.002 Data from Configuration Repository: Network Device Configuration Dump<br/>Collects hardu2011drive serial number."] class tech_net_config technique %% Connections u2013 Step 11 action_flush_dns –>|collects| tech_snmp_dump action_flush_dns –>|collects| tech_net_config %% Nodes u2013 Step 12 Persistence via service and Run key tech_service_creation["<b>Technique</b> – T1543.003 Create or Modify System Process: Windows Service<br/>Creates a new Windows service that points to the malicious DLL."] class tech_service_creation technique tech_run_key["<b>Technique</b> – T1547.001 Registry Run Keys/Startup Folder<br/>Writes a Run registry entry referencing the malicious DLL."] class tech_run_key technique %% Connections u2013 Step 12 tech_snmp_dump –>|enables| tech_service_creation tech_snmp_dump –>|enables| tech_run_key %% Nodes u2013 Step 13 Hijack Execution Flow via Service Registry tech_hijack_service["<b>Technique</b> – T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness<br/>Registers DLL under RemoteAccess\RouterManagers\Ip (DllPath) and restarts service for autou2011execution."] class tech_hijack_service technique %% Connection u2013 Step 13 tech_service_creation –>|uses| tech_hijack_service tech_run_key –>|also uses| tech_hijack_service %% Operators for logical grouping (optional) op_and1(("AND")) class op_and1 operator %% Example logical flow grouping action_loader –>|leads to| op_and1 op_and1 –>|continues with| tech_proc_discovery "

Attack Flow

Simulation

We are still updating this part. Sign up to get notified

Notify Me

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Join for Free