SmartApeSG campaign pushes Remcos RAT, NetSupport RAT, StealC, and Sectop RAT (ArechClient2), (Wed, Mar 25th)
Summary: the SmartApeSG campaign uses the ClickFix technique to deliver several malware families in stages, including Remcos RAT, NetSupport RAT, StealC and Sectop RAT, with different intervals between the stages.

2026-03-25 01:01:37 Author: isc.sans.edu (view original)

Introduction

This diary provides indicators from the SmartApeSG (also tracked as ZPHP and HANEYMANEY) campaign I saw on Tuesday, 2026-03-24. SmartApeSG is one of many campaigns that use the ClickFix technique. This past week, I've seen NetSupport RAT as follow-up malware after the Remcos RAT pushed by this campaign. This time, I also saw indicators for StealC malware and Sectop RAT (ArechClient2) after NetSupport RAT appeared on my infected lab host.

Not all of the follow-up malware appears shortly after the initial Remcos RAT malware. Here's the timeline for malware from my SmartApeSG activity on Tuesday 2026-03-24:

  • 17:11 UTC - Ran ClickFix script from SmartApeSG fake CAPTCHA page
  • 17:12 UTC - Remcos RAT post-infection traffic starts
  • 17:16 UTC - NetSupport RAT post-infection traffic starts
  • 18:18 UTC - StealC post-infection traffic starts
  • 19:36 UTC - Sectop RAT post-infection traffic starts

The NetSupport RAT activity started approximately 4 minutes after the Remcos RAT activity, but the StealC traffic didn't appear until approximately 1 hour (62 minutes) after the NetSupport RAT activity started, and the Sectop RAT traffic started approximately 1 hour and 18 minutes after the StealC activity began.

Images from the infection

[Image: page from a legitimate but compromised website with injected script for the fake CAPTCHA page.]

[Image: fake CAPTCHA page with ClickFix instructions, showing the malicious script the page injected into the user's clipboard.]

[Image: traffic from the infection filtered in Wireshark.]

Indicators of Compromise

Associated domains and IP addresses:

  • fresicrto[.]top - Domain for server hosting fake CAPTCHA page
  • urotypos[.]com - Called by ClickFix instructions, this domain is for a server hosting the initial malware
  • 95.142.45[.]231:443 - Remcos RAT C2 server
  • 185.163.47[.]220:443 - NetSupport RAT C2 server
  • 89.46.38[.]100:80 - StealC C2 server
  • 195.85.115[.]11:9000 - Sectop RAT (ArechClient2) C2 server
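The indicators above are defanged, and the four C2 servers are only meaningful together with their ports. The following is an added example, not code from the diary or from the ISC: it refangs the list, matches it against Zeek-style JSON dns.log and conn.log records, and reports the first sighting of each indicator in time order, which reproduces the stage timeline given earlier. The log lines are constructed for the example (the client IP, timestamps and Zeek field layout are assumptions, not data from the author's pcap).

```python
import json
import re
from datetime import datetime, timezone

# Indicators copied from the diary above, still in their defanged form.
DEFANGED_IOCS = {
    "fresicrto[.]top": "SmartApeSG fake CAPTCHA page",
    "urotypos[.]com": "initial malware host",
    "95.142.45[.]231:443": "Remcos RAT C2",
    "185.163.47[.]220:443": "NetSupport RAT C2",
    "89.46.38[.]100:80": "StealC C2",
    "195.85.115[.]11:9000": "Sectop RAT (ArechClient2) C2",
}


def refang(ioc: str) -> str:
    """Undo the usual defanging so an indicator can be compared with raw log fields."""
    s = ioc.strip().replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)


IOCS = {refang(k): v for k, v in DEFANGED_IOCS.items()}


def match_line(line: str):
    """Match one Zeek JSON record (dns.log or conn.log) against the indicator set.

    Returns (timestamp, indicator, label) on a hit, otherwise None.
    """
    rec = json.loads(line)
    ts = datetime.fromtimestamp(rec["ts"], tz=timezone.utc)
    if "query" in rec:                                  # dns.log: match the queried name
        key = rec["query"].lower().rstrip(".")
    elif "id.resp_h" in rec and "id.resp_p" in rec:     # conn.log: match server IP and port
        key = f'{rec["id.resp_h"]}:{rec["id.resp_p"]}'
    else:
        return None
    label = IOCS.get(key)
    return (ts, key, label) if label else None


def first_seen(lines):
    """Earliest hit per indicator, in time order: this reproduces the stage timeline."""
    seen = {}
    for line in lines:
        if not line.strip():
            continue
        hit = match_line(line)
        if hit and (hit[1] not in seen or hit[0] < seen[hit[1]][0]):
            seen[hit[1]] = hit
    return sorted(seen.values())


def _ts(hour: int, minute: int, second: int = 0) -> float:
    """Epoch seconds for a time on 2026-03-24 UTC, the day of the infection."""
    return datetime(2026, 3, 24, hour, minute, second, tzinfo=timezone.utc).timestamp()


# Constructed sample log lines (not from the diary's pcap); the client IP and the
# timestamps are invented to follow the timeline reported in the diary.
SAMPLE_LOG = [
    json.dumps({"ts": _ts(17, 10, 40), "id.orig_h": "10.3.24.101", "query": "fresicrto.top"}),
    json.dumps({"ts": _ts(17, 11, 20), "id.orig_h": "10.3.24.101", "query": "UROTYPOS.com."}),
    json.dumps({"ts": _ts(17, 11, 30), "id.orig_h": "10.3.24.101", "id.resp_h": "8.8.8.8", "id.resp_p": 53}),
    json.dumps({"ts": _ts(17, 12, 5), "id.orig_h": "10.3.24.101", "id.resp_h": "95.142.45.231", "id.resp_p": 443}),
    json.dumps({"ts": _ts(17, 16, 2), "id.orig_h": "10.3.24.101", "id.resp_h": "185.163.47.220", "id.resp_p": 443}),
    json.dumps({"ts": _ts(17, 20, 0), "id.orig_h": "10.3.24.101", "id.resp_h": "95.142.45.231", "id.resp_p": 443}),
    json.dumps({"ts": _ts(18, 18, 11), "id.orig_h": "10.3.24.101", "id.resp_h": "89.46.38.100", "id.resp_p": 80}),
    json.dumps({"ts": _ts(19, 36, 48), "id.orig_h": "10.3.24.101", "id.resp_h": "195.85.115.11", "id.resp_p": 9000}),
]

if __name__ == "__main__":
    for ts, ioc, label in first_seen(SAMPLE_LOG):
        print(f"{ts:%H:%M:%S} UTC  {ioc:<22} {label}")
```

Matching on IP:port rather than on IP alone keeps a hit tied to the specific C2 service the diary observed; if you also want to catch the same hosts on other ports, add a second lookup keyed on the bare address.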

Example of HTA file retrieved by ClickFix script:

  • SHA256 hash: 212d8007a7ce374d38949cf54d80133bd69338131670282008940f1995d7a720
  • File size: 47,714 bytes
  • File type: HTML document text, ASCII text, with very long lines (6272)
  • Retrieved from: hxxps[:]//urotypos[.]com/cd/temp
  • Saved location: C:\Users\[username]\AppData\Local\post.hta
  • Note: ClickFix script deletes the file after retrieving and running it
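The create, run and delete sequence for the HTA is a good endpoint detection on its own, because a legitimate HTA is rarely written directly under a user's AppData\Local folder and removed seconds later. The following is an added example, not code from the diary: it correlates Sysmon FileCreate (event 11), ProcessCreate (event 1) and FileDelete (events 23 and 26) records for the same .hta path and flags paths that go through all three stages within a short window. The events are constructed for the example; the diary does not show the ClickFix script itself, so the writing process, the mshta.exe command line and the timestamps are assumptions.

```python
import re
from datetime import datetime

# An HTA dropped directly under the user's AppData\Local folder, as in the diary
# (C:\Users\[username]\AppData\Local\post.hta). Widen this if your telemetry shows
# other drop folders.
HTA_PATH_RE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\[^\\]+\.hta$", re.IGNORECASE)
# First .hta argument on an mshta.exe command line, quoted or bare.
CMDLINE_HTA_RE = re.compile(r'"([^"]+\.hta)"|(\S+\.hta)', re.IGNORECASE)

STAGE = {11: "created", 1: "executed", 23: "deleted", 26: "deleted"}


def parse_utc(s: str) -> datetime:
    """Sysmon UtcTime looks like '2026-03-24 17:11:05.123'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def hta_path_from_event(ev: dict):
    """Pull the HTA path out of a Sysmon FileCreate (11), ProcessCreate (1) or
    FileDelete (23/26) event; None if the event is not about an HTA we care about."""
    eid = ev["EventID"]
    if eid in (11, 23, 26):
        path = ev.get("TargetFilename", "")
    elif eid == 1 and ev.get("Image", "").lower().endswith("\\mshta.exe"):
        m = CMDLINE_HTA_RE.search(ev.get("CommandLine", ""))
        if not m:
            return None
        path = m.group(1) or m.group(2)
    else:
        return None
    return path if HTA_PATH_RE.search(path) else None


def find_short_lived_hta(events, window_seconds=120):
    """Correlate create -> mshta execute -> delete of the same HTA within a window.

    Returns one finding per path that went through all three stages in that order.
    """
    by_path = {}
    for ev in sorted(events, key=lambda e: parse_utc(e["UtcTime"])):
        path = hta_path_from_event(ev)
        if path is None:
            continue
        entry = by_path.setdefault(path.lower(), {"path": path})
        # Keep the first timestamp seen for each stage.
        entry.setdefault(STAGE[ev["EventID"]], parse_utc(ev["UtcTime"]))
    findings = []
    for entry in by_path.values():
        if not all(k in entry for k in ("created", "executed", "deleted")):
            continue
        c, x, d = entry["created"], entry["executed"], entry["deleted"]
        if c <= x <= d and (d - c).total_seconds() <= window_seconds:
            findings.append({"path": entry["path"], "created": c, "executed": x,
                             "deleted": d, "lifetime_s": (d - c).total_seconds()})
    return findings


# Constructed Sysmon-style events (assumed process names and times, not diary data).
USER_HTA = r"C:\Users\bob\AppData\Local\post.hta"
DECOY_HTA = r"C:\Users\bob\AppData\Local\update.hta"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2026-03-24 17:11:05.120", "Image": PS, "TargetFilename": USER_HTA},
    {"EventID": 1, "UtcTime": "2026-03-24 17:11:06.004", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": PS, "CommandLine": f'mshta "{USER_HTA}"'},
    {"EventID": 23, "UtcTime": "2026-03-24 17:11:08.120", "Image": PS, "TargetFilename": USER_HTA},
    # Decoy: created and deleted, but never run by mshta.exe -> no finding.
    {"EventID": 11, "UtcTime": "2026-03-24 17:05:00.000", "Image": r"C:\Program Files\Vendor\updater.exe",
     "TargetFilename": DECOY_HTA},
    {"EventID": 26, "UtcTime": "2026-03-24 17:05:01.000", "Image": r"C:\Program Files\Vendor\updater.exe",
     "TargetFilename": DECOY_HTA},
    # Benign HTA outside the profile folder -> ignored by HTA_PATH_RE.
    {"EventID": 1, "UtcTime": "2026-03-24 16:00:00.000", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"mshta C:\Tools\report.hta"},
]

if __name__ == "__main__":
    for f in find_short_lived_hta(SAMPLE_EVENTS):
        print(f'{f["path"]}: created {f["created"]:%H:%M:%S}, run {f["executed"]:%H:%M:%S}, '
              f'deleted {f["deleted"]:%H:%M:%S} ({f["lifetime_s"]:.0f} s)')
```

Event 23 is only produced when Sysmon is configured to archive deleted files; event 26 fires without archiving, so the rule accepts either. Requiring the mshta.exe execution in between is what keeps the decoy from firing.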

Example of ZIP archive for Remcos RAT retrieved by the above HTA file:

ZIP archive containing NetSupport RAT package:

RAR archive for StealC package:

RAR archive for Sectop RAT (ArechClient2) package:

Final words

The archive files for Remcos RAT, StealC and Sectop RAT are packages that use legitimate EXE files to side-load malicious DLLs (a technique called DLL side-loading). The NetSupport RAT package is a legitimate tool that's configured to use an attacker-controlled server.

As always, the files, URLs and domains for SmartApeSG activity change on a near-daily basis. And names of the HTA file and ZIP archive for Remcos RAT are different for each infection. The indicators described in this article may no longer be current as you read this. However, this activity confirms that the SmartApeSG campaign can push a variety of malware after an initial infection.

---
Bradley Duncan
brad [at] malware-traffic-analysis.net


Source: https://isc.sans.edu/diary/rss/32826