2025-12-29: ClickFix activity leads to NetSupport RAT
The article describes how a ClickFix campaign distributes NetSupport RAT through Google Sites links. The initial links previously spread Koi Loader and later switched to different malware. The current links lead to a fake CAPTCHA page with ClickFix instructions and ultimately download a RAR archive containing NetSupport RAT. Author: www.malware-traffic-analysis.net

2025-12-29 (MONDAY): CLICKFIX ACTIVITY FOR NETSUPPORT RAT


NOTES:

- The initial URLs from sites.google[.]com previously distributed Koi Loader/Koi Stealer until as recently as July 2025.
- Sometime after that, these initial sites.google[.]com URLs started leading to different malware.
- In this example, they lead to a fake CAPTCHA page with ClickFix style instructions for NetSupport RAT.

EXAMPLES OF INITIAL URLS FROM VIRUSTOTAL:

NO LONGER ACTIVE:

- hxxps[:]//sites.google[.]com/view/web3dropbox/samsung-s22?sharefile=Estatament_12_2025.pdf&hid=9023475618
- hxxps[:]//sites.google[.]com/view/web3dropbox/samsung-s22?sharefile=eStatement_12_2025.pdf&hid=6849201008

STILL ACTIVE AS OF 2025-12-29:


ABOVE PAGES LEAD TO THE FOLLOWING CHAIN:

- hxxps[:]//ivanstonework[.]com/  <-- 302 redirect
- hxxps[:]//extracareliving[.]com/  <-- fake CAPTCHA page with ClickFix instructions

TRAFFIC FROM RUNNING CLICKFIX TEXT FROM FAKE CAPTCHA PAGE:

- hxxp[:]//80.253.249[.]145/wwww.txt
- hxxp[:]//80.253.249[.]145/F.GRE

NETSUPPORT RAT C2 TRAFFIC (HTTP POST REQUESTS):

- DNS query for relativegoingplanning[.]net
- 185.39.19[.]96:443 - POST hxxp[:]//185.39.19[.]96/fakeurl.htm  <-- repeats

- NOTE: The C2 traffic contains one HTTP POST request to 104.21.96[.]46, but that is a Cloudflare IP address for relativegoingplanning[.]net, and it only happened once at the start. 104.21.96[.]46 is not the actual C2 server.
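A detection pass over the C2 pattern described above, added here as an example and not part of the original post: it parses constructed HTTP request log lines, counts POSTs to /fakeurl.htm per client/server pair, and separates the repeating beacon to the real C2 server from the one-off POST to the Cloudflare address. The log layout, the client IP and the timestamps are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample of HTTP request log lines: "timestamp client server:port method uri".
# The destination IPs and the /fakeurl.htm URI mirror the traffic described above; the client
# address, timestamps and the two noise lines (203.0.113.x) are made up for this example.
SAMPLE_LOG = """\
2025-12-29T18:01:02Z 10.12.29.101 104.21.96.46:443 POST /fakeurl.htm
2025-12-29T18:01:05Z 10.12.29.101 185.39.19.96:443 POST /fakeurl.htm
2025-12-29T18:01:35Z 10.12.29.101 185.39.19.96:443 POST /fakeurl.htm
2025-12-29T18:02:05Z 10.12.29.101 185.39.19.96:443 POST /fakeurl.htm
2025-12-29T18:02:35Z 10.12.29.101 185.39.19.96:443 POST /fakeurl.htm
2025-12-29T18:02:40Z 10.12.29.101 203.0.113.9:443 GET /index.html
2025-12-29T18:03:01Z 10.12.29.102 203.0.113.7:80 POST /api/login
this line is malformed and should be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) ([A-Z]+) (\S+)$")
C2_URI = "/fakeurl.htm"  # URI path seen in the NetSupport RAT POST requests above


def parse_log(text):
    """Parse log lines into dicts, skipping anything that does not match the layout."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, server, port, method, uri = m.groups()
        rows.append({"ts": ts, "client": client, "server": server,
                     "port": int(port), "method": method, "uri": uri})
    return rows


def classify_fakeurl_posts(rows, min_repeats=3):
    """Split (client, server) pairs that POST to /fakeurl.htm into repeating beacons and one-offs.

    Repeating pairs are the C2 candidates. A pair seen fewer than min_repeats times (like the
    single POST to the Cloudflare address for relativegoingplanning[.]net) is reported
    separately so an analyst does not block the CDN IP instead of the real C2 server.
    """
    counts = Counter((r["client"], r["server"]) for r in rows
                     if r["method"] == "POST" and r["uri"] == C2_URI)
    beacons = sorted(pair for pair, n in counts.items() if n >= min_repeats)
    one_offs = sorted(pair for pair, n in counts.items() if n < min_repeats)
    return beacons, one_offs
```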

RAR ARCHIVE CONTAINING MALICIOUS NETSUPPORT RAT PACKAGE:

- SHA256 hash: b307ac3b95e5ab4bcbff92816d1f361950e6b41abeb960dcd983f3b18512f7a0
- File size: 1,903,624 bytes
- File type: RAR archive data, v5
- File location: C:\Users\Public\bKp7gb7dSo\2.rar

IMAGES (captions only; the screenshots are not reproduced here):

- Example of an initial URL on sites.google[.]com.
- After checking the box, we get a fake CAPTCHA page.
- ClickFix instructions from the fake CAPTCHA page.
- Traffic from the infection filtered in Wireshark.
- NetSupport RAT persistent on an infected host.



Source: https://www.malware-traffic-analysis.net/2025/12/29/index.html