2026-01-22: SmartApeSG uses ClickFix technique to push Remcos RAT
The SmartApeSG campaign uses the ClickFix technique to push Remcos RAT; on 2026-01-22 the malware was distributed through a legitimate but compromised website.
2026-01-29 02:06:00 Author: www.malware-traffic-analysis.net (view original)

2026-01-22 (THURSDAY): SMARTAPESG CAMPAIGN USES CLICKFIX TECHNIQUE TO PUSH REMCOS RAT

NOTICE:

  • Zip files are password-protected.  Of note, this site has a new password scheme.  For the password, see the "about" page of this website.

ASSOCIATED FILES:

DATE/TIME OF THE ACTIVITY:

- Thursday, 2026-01-22 at 16:07 UTC

LEGITIMATE BUT COMPROMISED SITE:

- [information removed]

TRAFFIC FOR FAKE CAPTCHA PAGE WITH CLICKFIX INSTRUCTIONS:

- hxxps[:]//flautister[.]com/handler/dashboard-response.js
- hxxps[:]//flautister[.]com/handler/session-component.php?up3RnHUO
- hxxps[:]//flautister[.]com/handler/auth-controller.js?d9b76f54867060111b

INITIAL TRAFFIC GENERATED BY RUNNING CLICKFIX SCRIPT INJECTED INTO CLIPBOARD:

- hxxp[:]//98.142.251[.]63/con
- hxxps[:]//oilporter[.]com/con
- hxxp[:]//98.142.251[.]63/currency
- hxxps[:]//oilporter[.]com/currency

REMCOS RAT PACKAGE:

- SHA256 hash: 0f7d358f3a96d7f185be26a349ec16dfb75bde1bda8312945931d69b472d950e
- File size: 30,042,433 bytes
- File type: Zip archive data, at least v2.0 to extract, compression method=deflate
- File location: hxxps[:]//oilporter[.]com/currency
- Example of saved location: C:\Users\[username]\AppData\Local\Temp\2120206.pdf
- File description: Zip archive containing files for Remcos RAT

FILE RUN FROM REGISTRY UPDATE FOR PERSISTENCE:

- C:\Users\[username]\AppData\Local\2120206\shotcut.exe

- Note: shotcut.exe is a legitimate file, but it side-loads DLL files or other content extracted from the zip archive.

POST-INFECTION TRAFFIC FOR REMCOS RAT C2 ACTIVITY:

- 109.172.91[.]23:443 - HTTPS traffic
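As an added defender-side example (not part of the original write-up), a short Python script that refangs the indicators listed above, scans proxy-log lines for them, flags the Remcos C2 endpoint, and checks whether a file saved under a .pdf name is really a zip archive, as the Remcos package above was. The log lines and all function names are my own constructions, not from the pcap.

```python
import re

# Indicators copied from the write-up above, in the page's defanged notation
# (query strings on the flautister[.]com URLs are dropped for matching).
DEFANGED_IOCS = [
    "hxxps[:]//flautister[.]com/handler/dashboard-response.js",
    "hxxps[:]//flautister[.]com/handler/session-component.php",
    "hxxps[:]//flautister[.]com/handler/auth-controller.js",
    "hxxp[:]//98.142.251[.]63/con",
    "hxxps[:]//oilporter[.]com/con",
    "hxxp[:]//98.142.251[.]63/currency",
    "hxxps[:]//oilporter[.]com/currency",
]
C2_IP, C2_PORT = "109.172.91[.]23", 443


def refang(ioc: str) -> str:
    """Turn the page's defanged notation (hxxp, [:], [.]) back into a literal."""
    return ioc.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


SUSPECT_URLS = {refang(i) for i in DEFANGED_IOCS}


def scan_proxy_log(lines):
    """Return (line_no, url) for each proxy-log line whose URL matches an IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"(https?://\S+)", line)
        if not m:
            continue
        url = m.group(1).split("?", 1)[0]  # ignore cache-busting query strings
        if url in SUSPECT_URLS:
            hits.append((n, url))
    return hits


def is_remcos_c2(dst_ip: str, dst_port: int) -> bool:
    """True for a connection to the C2 endpoint listed in the write-up."""
    return dst_ip == refang(C2_IP) and dst_port == C2_PORT


def zip_masquerading_as_pdf(name: str, head: bytes) -> bool:
    """True when a file named .pdf starts with the ZIP local-file-header magic."""
    return name.lower().endswith(".pdf") and head.startswith(b"PK\x03\x04")


# Constructed sample proxy lines (hypothetical, not taken from the pcap).
SAMPLE_LOG = [
    "2026-01-22T16:07:12Z 10.0.0.5 GET https://flautister.com/handler/auth-controller.js?d9b76f54867060111b 200",
    "2026-01-22T16:07:40Z 10.0.0.5 GET https://oilporter.com/currency 200 application/zip",
    "2026-01-22T16:08:01Z 10.0.0.5 GET https://example.org/index.html 200",
]
```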

IMAGES

[image] Example of a legitimate but compromised site showing the SmartApeSG fake CAPTCHA page.

[image] Traffic from an infection filtered in Wireshark.

[image] Remcos RAT infection persistent on an infected Windows host.



Source: https://www.malware-traffic-analysis.net/2026/01/22/index.html