nerdculture.de is one of the many independent Mastodon servers you can use to participate in the fediverse.
#smartapesg


Detected #SmartApeSG infection chain

Compromised site
-->
gmt-a[.]shop/files/original.js (injected)
-->
gmt-a[.]shop/files/index.php (fakeupdate)
-->
gmt-a[.]shop/files/fill.php
-->
sundreammedia[.]com/HTCTL32.zip (zip)
-->
194[.]180.191.17:443 (NetSupport, DCVTTTUUEEW23, NSM896597)

d659315ca90d8f2e61b4fdc624b2f34d57dc5ccdd024e402088e3b7ffe6d45fa HTCTL32.zip

Detected #SmartApeSG infection chain

Compromised site
-->
searchweb[.]top/work/original.js (injected)
-->
searchweb[.]top/work/index.php (fakeupdate)
-->
searchweb[.]top/work/up.php
-->
experiments.autoblogging[.]ai/nsm_vpro.zip (zip)
-->
194[.]180.191.229:443 (NetSupport, DCVTTTUUEEW23, NSM896597)

1d016c7c7f1420749bb5d7c1d265ff7bebc59f0cc4aa487e546d7eed7ea0154b nsm_vpro.zip

Social media post I wrote for my employer at linkedin.com/posts/unit42_smar
and x.com/Unit42_Intel/status/1892

2025-02-18 (Tuesday): Legitimate but compromised websites with an injected script for #SmartApeSG lead to a fake browser update page that distributes #NetSupportRAT malware. During an infection run, we saw follow-up malware for #StealC. More info at github.com/PaloAltoNetworks/Un

A #pcap from the infection traffic, the associated malware, and other info are available at malware-traffic-analysis.net/2

2024-12-17 (Tuesday): #SmartApeSG injected script leads to fake browser update page, and that page leads to a #NetSupport #RAT infection.

Just like my last post here, there are 2 injected scripts in a page from the compromised site, one using depostsolo[.]biz and one using tactlat[.]xyz.

A #pcap of the infection traffic, associated malware samples and more information is available at malware-traffic-analysis.net/2

NetSupportRAT C2 for this campaign continues to be 194.180.191[.]64 since as early as 2024-11-22.

2024-12-13 (Friday): ww.anceltech[.]com compromised with #SmartApeSG leading to #NetSupport #RAT

Saw 2 injected scripts, one for jitcom[.]info and one for best-net[.]biz.

Pivoting on best-net[.]biz in URLscan shows signs of six other possibly compromised sites: urlscan.io/search/#best-net.bi

Those possibly compromised sites are:

- destinationbedfordva[.]com
- exceladept[.]com
- thefilmverdict[.]com
- thenapministry[.]com
- www.estatesale-finder[.]com
- www.freepetchipregistry[.]com

I haven't tried them yet to confirm, but that's always been the case when I pivot on the SmartApeSG domains in URLscan.

#NetSupportRAT C2 for this campaign since as early as 2024-11-22 has been 194.180.191[.]64

Detected #SmartApeSG infection chain

Compromised site
-->
berrebyre[.]com/cdn-vs/original.js (injected)
-->
berrebyre[.]com/cdn-vs/main.php (fakeupdate)
-->
hXXp://berrebyre[.]com/cdn-vs/22per.php
-->
hXXp://2n8rd3zz1[.]top/data.php (base64 zip)
-->
194[.]180.191.69:443 (NetSupport, XMLCTL, NSM303008)

7ce8956d14f706690fa4af7db0b86f4da8ba1a932c30d802ae26d9517b948a87 CCleaner.zip
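The chains shared in these posts all use the same notation: defanged hops separated by arrows, each with an optional role in parentheses. As an added example (not code from any of the posts), the Python below parses that notation, refangs it, and checks proxy log lines for a client that walks the hops in chain order up to the NetSupport C2 hop. The log line format and the client IPs 10.0.0.5 / 10.0.0.9 are constructed; the hop values come from the first chain above.

```python
import re

# Constructed from the chain notation used in the posts above (defanged with "[.]" / "hXXp").
CHAIN_TEXT = (
    "Compromised site --> gmt-a[.]shop/files/original.js (injected) --> "
    "gmt-a[.]shop/files/index.php (fakeupdate) --> gmt-a[.]shop/files/fill.php --> "
    "sundreammedia[.]com/HTCTL32.zip (zip) --> "
    "194[.]180.191.17:443 (NetSupport, DCVTTTUUEEW23, NSM896597)"
)
# Constructed proxy log lines in a hypothetical "time client method target status" format.
LOGS = [
    "2025-02-18T14:02:11 10.0.0.5 GET http://gmt-a.shop/files/original.js 200",
    "2025-02-18T14:02:12 10.0.0.5 GET http://gmt-a.shop/files/index.php 200",
    "2025-02-18T14:02:40 10.0.0.5 GET http://sundreammedia.com/HTCTL32.zip 200",
    "2025-02-18T14:03:05 10.0.0.5 CONNECT 194.180.191.17:443 200",
    "2025-02-18T14:10:00 10.0.0.9 GET http://gmt-a.shop/files/original.js 200",
]
HOP_RE = re.compile(r"^(?P<host>[^/\s(]+?)(?P<path>/[^\s(]*)?(?:\s+\((?P<label>[^)]*)\))?$")

def refang(value):
    return value.replace("[.]", ".").replace("hXXp", "http")  # undo the sharing-safe defanging

def split_target(target):
    """'[http://]host[:port][/path]' -> (host, port or None, '/path' or '')."""
    host, _, path = re.sub(r"^https?://", "", target).partition("/")
    host, _, port = host.partition(":")
    return host, (int(port) if port else None), ("/" + path if path else "")

def parse_chain(text):
    """Parse 'victim --> hop (label) --> ...' into hop dicts; the victim site is not an indicator."""
    hops = []
    for hop in re.split(r"\s*-->\s*", refang(text).strip())[1:]:
        m = HOP_RE.match(re.sub(r"^https?://", "", hop))
        if not m:
            raise ValueError(f"unrecognised hop: {hop!r}")
        host, port, _ = split_target(m.group("host"))
        hops.append({"host": host, "port": port, "path": m.group("path") or "", "label": m.group("label") or ""})
    return hops

def chain_hits(hops, log_lines):
    """Clients whose requests walk the hops in chain order and reach the final (C2) hop."""
    seen = {}
    for line in log_lines:
        _, client, _, target = line.split()[:4]
        host, port, path = split_target(target)
        for i, h in enumerate(hops):
            if h["host"] == host and h["path"] == path and h["port"] in (None, port):
                seen.setdefault(client, []).append(i)
                break
    return {c: ix for c, ix in seen.items() if ix == sorted(ix) and ix[-1] == len(hops) - 1}
```

A client that only fetched the injected script (10.0.0.9 here) is not reported; only a client whose requests reach the C2 hop in chain order is.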