2025-03-26 (Wednesday): #SmartApeSG traffic for a fake browser update page leads to a #NetSupport #RAT infection. A zip archive for #StealC sent over the #NetSupportRAT C2 traffic.
The #StealC infection uses DLL side-loading by a legitimate EXE to #sideload the malicious DLL.
A #pcap from an infection, the associated #malware samples, and #IOCs are available at at https://www.malware-traffic-analysis.net/2025/03/26/index.html
Detected #SmartApeSG infection chain
Compromised site
-->
gmt-a[.]shop/files/original.js (injected)
-->
gmt-a[.]shop/files/index.php (fakeupdate)
-->
gmt-a[.]shop/files/fill.php
-->
sundreammedia[.]com/HTCTL32.zip (zip)
-->
194[.]180.191.17:443 (NetSupport, DCVTTTUUEEW23, NSM896597)
d659315ca90d8f2e61b4fdc624b2f34d57dc5ccdd024e402088e3b7ffe6d45fa HTCTL32.zip
Detected #SmartApeSG infection chain
Compromised site
-->
searchweb[.]top/work/original.js (injected)
-->
searchweb[.]top/work/index.php (fakeupdate)
-->
searchweb[.]top/work/up.php
-->
experiments.autoblogging[.]ai/nsm_vpro.zip (zip)
-->
194[.]180.191.229:443 (NetSupport, DCVTTTUUEEW23, NSM896597)
1d016c7c7f1420749bb5d7c1d265ff7bebc59f0cc4aa487e546d7eed7ea0154b nsm_vpro.zip
Social media post I wrote for my employer at https://www.linkedin.com/posts/unit42_smartapesg-netsupportrat-stealc-activity-7297994624814432256-HOrX/
and https://x.com/Unit42_Intel/status/1892229005702471868
2025-02-18 (Tuesday): Legitimate but compromised websites with an injected script for #SmartApeSG lead to a fake browser update page that distributes #NetSupportRAT malware. During an infection run, we saw follow-up malware for #StealC. More info at https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-02-18-IOCs-for-SmartApeSG-fake-browser-update-leads-to-NetSupport-RAT-and-StealC.txt
A #pcap from the infection traffic, the associated malware, and other info are available at https://malware-traffic-analysis.net/2025/02/18/index.html
2024-12-24 (Tuesday)
#SmartApeSG infection chain starting with we-careu[.]xyz/work/original.js from compromised site.
Ends with #NetSupport #RAT using the same 194.180.191[.]64 C2 address we've seen since November.
2024-12-17 (Tuesday): #SmartApeSG injected script leads to fake browser update page, and that page leads to a #NetSupport #RAT infection.
Just like my last post here, there are 2 injected scripts in a page from the compromised site, one using using depostsolo[.]biz and one using tactlat[.]xyz.
A #pcap of the infection traffic, associated malware samples and more information is available at https://www.malware-traffic-analysis.net/2024/12/17/index.html
NetSupportRAT C2 for this campaign continues to be 194.180.191[.]64 since as early as 2024-11-22.
![Screenshot of the browser window for a fake update page after visiting a compromised website at banks-canada[.]com.](https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/666/444/811/411/113/original/7f605f1d7013f88e.jpg "Screenshot of the browser window for a fake update page after visiting a compromised website at banks-canada[.]com.")
![Example of SmartApeSG injected script highlighted in orange in HTML code from a page from the compromised site. The URL from this injected script is hxxps[:]//depostsolo[.]biz/work/original.js](https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/666/447/779/724/660/original/c0b5133841a005c7.jpg "Example of SmartApeSG injected script highlighted in orange in HTML code from a page from the compromised site. The URL from this injected script is hxxps[:]//depostsolo[.]biz/work/original.js")
![Traffic from an infection filtered in Wireshark showing the NetSupport RAT post-infection traffic to 194.180.191[.]64 over TCP port 443. All of the SmartApeSG and fake browser update page traffic prior to the NetSupport RAT activity is over HTTPS.](https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/666/452/625/253/764/original/aed1a95f79fb8e02.jpg "Traffic from an infection filtered in Wireshark showing the NetSupport RAT post-infection traffic to 194.180.191[.]64 over TCP port 443. All of the SmartApeSG and fake browser update page traffic prior to the NetSupport RAT activity is over HTTPS.")
![The NetSupport RAT installation persistent on an infected Windows host. Shows the Windows registry entry for persistence and the associated NetSupport RAT files. The file are located in a hidden directory at C:\ProgramData\cvkfkmt\ with the NetSupport RAT executable client32.exe using client32.ini for its configuration to use the malicious C2 server at 194.180.191[.]64.](https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/666/458/260/598/864/original/879056f90196c176.jpg "The NetSupport RAT installation persistent on an infected Windows host. Shows the Windows registry entry for persistence and the associated NetSupport RAT files. The file are located in a hidden directory at C:\ProgramData\cvkfkmt\ with the NetSupport RAT executable client32.exe using client32.ini for its configuration to use the malicious C2 server at 194.180.191[.]64.")
2024-12-13 (Friday): ww.anceltech[.]com compromised with #SmartApeSG leading to #NetSupport #RAT
Saw 2 injected scripts, one for jitcom[.]info and best-net[.]biz.
Pivoting on best-net[.]biz in URLscan show signs of six other possibly compromised sites: https://urlscan.io/search/#best-net.biz
Those possibly compromised sites are:
- destinationbedfordva[.]com
- exceladept[.]com
- thefilmverdict[.]com
- thenapministry[.]com
- www.estatesale-finder[.]com
- www.freepetchipregistry[.]com
I haven't tried them yet to confirm, but that's always been the case when I pivot on the SmartApeSG domains in URLscan.
#NetSupportRAT C2 for this campaign since as early as 2024-11-22 has been 194.180.191[.]64
Ah, found the source of it as a #SmartApeSG infection chain.
Detected #SmartApeSG infection chain
Compromised site
-->
modandcrackedapk[.]com/work/original.js (injected)
-->
modandcrackedapk[.]com/work/index.php (fakeupdate)
-->
modandcrackedapk[.]com/work/fix2.php
-->
modandcrackedapk[.]com/work/xxx.zip (zip)
-->
194[.]180.191.64:443 (NetSupport, XMLCTL, NSM303008)
b8f58a72f7d2733a07ac05eaa82da598ebc0ececfe3dbc21de5ca7d13cb8af4b xxx.zip
New #zphp / #SmartApeSG domain:
bazar50[.]com
More new #zphp / #SmartApeSG domains:
aljannatquranteach[.]com
bbsupplyandsalon[.]com
betsmovepiyango47[.]com
bigcuda[.]com
eduvationgroup[.]com
eoskinec[.]com
ezwhatsappp[.]com
growcalm[.]com
grupodistribuidora[.]com
Observed #SmartApeSG infection chain in the wild this morning, noticed a new NetSupport delivery domain as well as the new injected domain found by @N3utralZ0ne last night.
victim site
->
proexbit[.]com/cdn-vs/get.php (injecteD)
->
proexbit[.]com/cache/qzwewmrqqgqnaww.php? (fake update)
->
proximaideia[.]com/GetData.php?14797 (base64 zip)
->
5.181.156[.]235:443 (NetSupport, HANEYMANEY C2)
Fake Chrome update (#SmartApeSG). Threat actor packaged 10 malicious scripts for good measure.
blob:https://magydostravel[.]com/0d08ed5a-ce75-4ca6-b9f6-2593115ab032
seosuccesslab[.]com/cdn/wds.min.php
Payload (NetSupportRAT)
mangoairsoft[.]com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/
