SOC Prime Bias: Medium

21 Apr 2026 18:16

Not Just Annoying Ads: Adware Bundles Delivering Gh0st RAT

Ruslan Mikhalov, Head of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

A recent campaign delivers the Gh0st Remote Access Trojan together with the CloverPlus adware component. Its loader hides two encrypted resources, writes them to randomly chosen locations and launches the RAT through rundll32.exe. The malware combines several persistence methods with token manipulation, DNS hijacking and keylogging to keep access over time, while also generating revenue through ad-click abuse. Its use of legitimate Windows binaries and layers of obfuscation makes detection more challenging.

Investigation

Splunk Threat Research reverse-engineered the loader and confirmed that it carried both an embedded Gh0st RAT DLL and the CloverPlus adware module. Behavioural analysis exposed token privilege escalation, registry checks for VMware-based environments, use of a dead drop resolver, ping-based sleep delays, DNS spoofing and multiple persistence techniques rooted in the Windows Registry. The researchers also documented indicators, including unusual rundll32.exe execution, payload launches from %temp%, and specific registry modifications tied to the infection chain.

Mitigation

Defenders should monitor rundll32.exe for loading files with unusual extensions or executing content from non-standard directories. Security teams should also block or alert on creation of the RemoteAccess router manager registry entry and on suspicious changes to Run keys. Network controls should restrict access to the identified dead drop resolver URL and flag the ping-based sleep behaviour associated with malware evasion. Application control policies can further reduce risk by preventing unauthorized DLLs from being loaded.
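As an added example (not code from the SOC Prime report or the Splunk research), the two host-side checks recommended above are expressed as triage logic over constructed Sysmon-style process and registry events. The full registry path of the RemoteAccess router manager value and the trusted-directory list are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (simplified); not taken from the original report.
EVENTS = [
    {"type": "process", "cmdline": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\ax7q.tmp,Start"},
    {"type": "process", "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'},
    {"type": "process", "cmdline": r"rundll32.exe C:\Windows\System32\k3jd\svc.dll,Main"},
    {"type": "registry", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ip\DllPath",
     "value": r"C:\Windows\System32\k3jd\svc.dll"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\ax7q.tmp,Start"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", "value": "explorer.exe"},
]

# Directories rundll32 normally loads DLLs from (exact parent match, so a random subfolder under System32 is flagged).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumed full key path; the report names it as RemoteAccess\RouterManagers\Ip (DllPath).
ROUTER_MANAGER_SUFFIX = r"\services\remoteaccess\routermanagers\ip\dllpath"
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
RUNDLL_RE = re.compile(r'^\s*"?(?:[^"\s]*\\)?rundll32\.exe"?\s+(?:"(?P<q>[^"]+)"|(?P<u>[^\s,]+))', re.I)


def rundll32_findings(cmdline):
    """Return why a rundll32 command line looks suspicious, or [] if the loaded DLL looks benign."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return []
    dll = PureWindowsPath((m.group("q") or m.group("u")).lower())
    reasons = []
    if dll.suffix != ".dll":
        reasons.append("non-.dll extension")
    if str(dll.parent) not in TRUSTED_DIRS:
        reasons.append("non-standard directory")
    return reasons


def registry_findings(key, value):
    """Flag the RemoteAccess router manager DllPath and Run-key writes, as the report recommends."""
    k = key.lower()
    if k.endswith(ROUTER_MANAGER_SUFFIX):
        return ["RemoteAccess RouterManagers DllPath written"]
    if any(marker in k for marker in RUN_KEY_MARKERS):
        return ["Run key change"] + ["launches rundll32 with " + r for r in rundll32_findings(value)]
    return []


def triage(events):
    """Return {event index: reasons} for every event that should raise an alert."""
    found = {i: rundll32_findings(ev["cmdline"]) if ev["type"] == "process"
             else registry_findings(ev["key"], ev["value"]) for i, ev in enumerate(events)}
    return {i: r for i, r in found.items() if r}
```

Running `triage(EVENTS)` flags the %temp% launch, the DLL in a random System32 subfolder, the router manager DllPath write and the Run entry, while the legitimate shell32.dll call and the Winlogon write pass.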

Response

When this activity is detected, isolate the affected host, collect volatile evidence together with the suspicious DLLs, and run hash-based queries to confirm the threat. Remove any malicious registry entries and services used for persistence. Reset exposed credentials, particularly those tied to RDP use, and inspect DNS settings and the hosts file for unauthorized changes. A full forensic review should be carried out to verify that no additional backdoor or secondary payload remains.

Attack Flow

```mermaid
graph TB
  %% Class definitions
  classDef action fill:#99ccff
  classDef tool fill:#ffcc99
  classDef malware fill:#ff9999
  classDef process fill:#ccccff
  classDef technique fill:#eeeeee
  classDef operator fill:#ff9900

  %% Step 1 - Loader Execution
  tool_wiseman["Tool - Name: wiseman.exe<br/>Description: Loader that decrypts embedded payloads (Gh0st RAT DLL and CloverPlus adware)."]:::tool
  action_loader["Action - Loader Execution"]:::action
  tech_reflective["Technique - T1620 Reflective Code Loading<br/>Loads code into memory without writing it to disk."]:::technique
  tech_obfuscate["Technique - T1027.009 Obfuscated Files or Information: Embedded Payloads<br/>Payloads are encrypted/obfuscated inside the loader."]:::technique
  tool_wiseman -->|executes| action_loader
  action_loader -->|uses| tech_reflective
  action_loader -->|uses| tech_obfuscate

  %% Step 2 - Write DLL and launch via rundll32
  process_write_dll["Process - Write DLL to random folder in C:\Windows\System32"]:::process
  malware_gh0st["Malware - Gh0st RAT DLL"]:::malware
  tool_rundll32["Tool - rundll32.exe<br/>Purpose: Executes DLLs as if they were executables"]:::tool
  action_loader -->|writes| process_write_dll
  process_write_dll -->|contains| malware_gh0st
  malware_gh0st -->|launched by| tool_rundll32

  %% Step 3 - Token Manipulation
  tech_token["Technique - T1134.002 Access Token Manipulation: Create Process with Token<br/>Enables SeDebugPrivilege for later operations."]:::technique
  action_loader -->|modifies token| tech_token

  %% Step 4 - Process Discovery of DNS service
  tech_proc_discovery["Technique - T1057 Process Discovery<br/>Enumerates running processes, identifies DNS service (port 53)."]:::technique
  tech_win_window["Technique - T1010 Application Window Discovery<br/>Collects window titles to aid process identification."]:::technique
  tech_token -->|performs| tech_proc_discovery
  tech_proc_discovery -->|supplements| tech_win_window

  %% Step 5 - Terminate DNS and delete file
  tech_process_injection["Technique - T1055.003 Process Injection: Thread Execution Hijacking<br/>Hijacks DNS process thread to terminate it."]:::technique
  tech_masquerade["Technique - T1036.009 Masquerading: Break Process Trees<br/>Creates a fake process hierarchy to hide malicious activity."]:::technique
  tech_file_deletion["Technique - T1070.004 File Deletion<br/>Deletes the original DNS executable file after termination."]:::technique
  tech_proc_discovery -->|targets| tech_process_injection
  tech_process_injection -->|accompanies| tech_masquerade
  tech_masquerade -->|leads to| tech_file_deletion

  %% Step 6 - Virtual Machine Discovery
  tech_vm_discovery["Technique - T1673 Virtual Machine Discovery<br/>Queries VMware registry key to detect analysis environment."]:::technique
  tech_token -->|checks| tech_vm_discovery

  %% Step 7 - Dead-Drop Resolver
  tool_ping["Tool - ping.exe<br/>Use: Introduces delay before further actions."]:::tool
  tech_dead_drop["Technique - T1102.001 Web Service: Dead Drop Resolver<br/>Downloads a web page from a malicious URL to obtain C2 address."]:::technique
  tech_vm_discovery -->|if VM detected| tech_dead_drop
  tech_dead_drop -->|uses| tool_ping

  %% Step 8 - Delay Execution
  tech_delay["Technique - T1678 Delay Execution<br/>Uses ping -n to wait before executing payload."]:::technique
  tool_ping -->|implements| tech_delay

  %% Step 9 - Hosts file modification and DNS spoofing
  tech_hosts_mod["Technique - T1568.002 Email Spoofing (repurposed for DNS spoofing)<br/>Modifies hosts file and crafts spoofed DNS responses to block security domains."]:::technique
  tech_delay -->|modifies| tech_hosts_mod

  %% Step 10 - Flush DNS cache
  action_flush_dns["Action - Flush DNS Cache<br/>Executes ipconfig /flushdns to ensure malicious entries take effect."]:::action
  tech_hosts_mod -->|followed by| action_flush_dns

  %% Step 11 - Collect hardware identifiers
  tech_snmp_dump["Technique - T1602.001 Data from Configuration Repository: SNMP (MIB Dump)<br/>Collects hardware IDs such as MAC address."]:::technique
  tech_net_config["Technique - T1602.002 Data from Configuration Repository: Network Device Configuration Dump<br/>Collects hard-drive serial number."]:::technique
  action_flush_dns -->|collects| tech_snmp_dump
  action_flush_dns -->|collects| tech_net_config

  %% Step 12 - Persistence via service and Run key
  tech_service_creation["Technique - T1543.003 Create or Modify System Process: Windows Service<br/>Creates a new Windows service that points to the malicious DLL."]:::technique
  tech_run_key["Technique - T1547.001 Registry Run Keys/Startup Folder<br/>Writes a Run registry entry referencing the malicious DLL."]:::technique
  tech_snmp_dump -->|enables| tech_service_creation
  tech_snmp_dump -->|enables| tech_run_key

  %% Step 13 - Hijack Execution Flow via Service Registry
  tech_hijack_service["Technique - T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness<br/>Registers DLL under RemoteAccess\RouterManagers\Ip (DllPath) and restarts service for auto-execution."]:::technique
  tech_service_creation -->|uses| tech_hijack_service
  tech_run_key -->|also uses| tech_hijack_service

  %% Operators for logical grouping (optional)
  op_and1(("AND")):::operator
  %% Example logical flow grouping
  action_loader -->|leads to| op_and1
  op_and1 -->|continues with| tech_proc_discovery
```

Simulation

This section is still being updated.