Close Menu
Most Read

Unidentified RAT targets NetSupport, employs stealthy intrusion techniques

Staff WriterBy No Comments2 Mins Read1 Views

Summary Points

  1. A persistent, encoded RAT communicates with a malicious C2 server at 89.110.110.119 on TCP port 443, originating from the SmartApeSG ClickFix campaign, enabling remote control and data exfiltration.
  2. The infection deploys a multi-stage payload, including zip archives, scripts, and CAB files, which establish persistence by installing the NetSupport RAT and deleting initial infection files.
  3. Indicators such as malicious URLs, IP addresses, file hashes, and unique script activity are dynamic, requiring continuous monitoring to detect and respond effectively to ongoing SmartApeSG activity.

Threat, Techniques, and Targets

The threat involves an unidentified Remote Access Trojan (RAT) followed by a NetSupport RAT package. The attack starts with a campaign called SmartApeSG ClickFix. The initial RAT communicates with a command and control (C2) server at IP 89.110.110[.]119 over TCP port 443. The traffic is encoded, not using HTTPS or SSL/TLS. Attackers use fake verification pages and malicious scripts. They send malicious files and scripts through domains like hiddenplanetlab[.]top and IP addresses such as 178.156.165[.]82. and 178.156.173[.]194. Additionally, they use a ZIP archive delivered from silverharvestnetwork[.]com, containing the initial RAT malware. The malware files include scripts and CAB files that help establish persistence and deploy the NetSupport RAT. Targets appear to be Windows hosts infected throughdownload links, scripts, or malicious files from these malicious servers.

Impact, Security, and Remediation

This threat can compromise affected Windows systems by providing attackers remote control capabilities. The malicious files and scripts can establish persistent access, enable data theft, or facilitate further malware deployment. The encoded C2 traffic makes detection difficult. Because the indicators such as domains and file hashes change daily, constant monitoring is necessary. Security teams should block known malicious domains and IP addresses. They should also scan for the specific files described. If infections are suspected, organizations should obtain remediation guidance from the relevant vendor or authority. It is essential to update security defenses and apply patches. For detailed removal steps and current indicators, consult the malware vendors or cybersecurity agencies.

Expand Your Tech Knowledge

Explore the future of technology with our detailed insights on Artificial Intelligence.

Discover archived knowledge and digital history on the Internet Archive.

ThreatIntel-V1

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Comments are closed.