#netsupport

2025-07-15 (Tuesday): Tracking #SmartApeSG

The SmartApeSG script injected into page from compromised website leads to #ClickFix style fake verification page. ClickFix-ing your way through this leads to a #NetSupportRAT infection.

Compromised site (same as yesterday):

- medthermography[.]com

URLs for ClickFix style fake verification page:

- warpdrive[.]top/jjj/include.js
- warpdrive[.]top/jjj/index.php?W11WzmLj
- warpdrive[.]top/jjj/buffer.js?409a8bdbd9

Running the script for NetSupport RAT:

- sos-atlanta[.]com/lal.ps1
- sos-atlanta[.]com/lotu.zip?l=4773

#NetSupport RAT server (same as yesterday):

- 185.163.45[.]87:443

2025-07-14 (Monday): #SmartApeSG script injected into page from compromised website leads to #ClickFix style fake verification page. ClickFix-ing you way through this leads to a #NetSupportRAT infection.

Compromised site:

- medthermography[.]com

URLs for ClickFix style fake verification page:

- lebensversicherungvergleich[.]top/jjj/include.js
- lebensversicherungvergleich[.]top/jjj/index.php?OtKXgPVX
- lebensversicherungvergleich[.]top/jjj/buffer.js?4261984971

Running the script for NetSupport RAT:

- affordableasphalt-paving[.]com/lal.ps1
- affordableasphalt-paving[.]com/lotu.zip?l=3526

#NetSupport RAT server:

- 185.163.45[.]87:443

Deploying NetSupport RAT via WordPress & ClickFix

A threat actor is using compromised WordPress websites to distribute a malicious version of NetSupport Manager Remote Access Tool (RAT). The attack chain involves phishing campaigns, website compromise, DOM manipulation, and a fake CAPTCHA page. The malware is delivered through a batch file that downloads and executes NetSupport Client files. Post-infection, the attacker uses NetSupport's features for reconnaissance and further exploitation. The attack utilizes various JavaScript files and DOM manipulation techniques to evade detection. Multiple IP addresses and domains associated with the attack infrastructure have been identified, primarily linked to hosting providers in Moldova.

Pulse ID: 6870355e6a5f2386068698a0
Pulse Link: otx.alienvault.com/pulse/68703
Pulse Author: AlienVault
Created: 2025-07-10 21:49:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

LevelBlue - Open Threat Exchange: Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

Fix the Click: Preventing the ClickFix Attack Vector

This article discusses the rising threat of ClickFix, a social engineering technique used by threat actors to trick victims into executing malicious commands under the guise of quick fixes for computer issues. The technique has been observed in campaigns distributing various malware, including NetSupport RAT, Latrodectus, and Lumma Stealer. ClickFix lures often use clipboard hijacking and can bypass standard detection controls. The article provides case studies of recent campaigns, hunting tips for detecting ClickFix infections, and recommendations for proactive defense measures. It emphasizes the importance of user education and implementing robust security controls to mitigate this evolving threat.

Pulse ID: 686ffe0f30bfbdfa037e4168
Pulse Link: otx.alienvault.com/pulse/686ff
Pulse Author: AlienVault
Created: 2025-07-10 17:53:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Malicious NetSupport Campaign Exploits WordPress Sites and User Clipboard

Pulse ID: 686c8a881b3707894eedd2b0
Pulse Link: otx.alienvault.com/pulse/686c8
Pulse Author: cryptocti
Created: 2025-07-08 03:03:35

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


🚨 #Obfuscated BAT file used to deliver NetSupport RAT

At the time of the analysis, the sample had not yet been submitted to #VirusTotal ⚠️

👨‍💻 See sandbox session: app.any.run/tasks/db6fcb53-6f1

🔗 Execution chain:
cmd.exe (BAT) ➡️ #PowerShell ➡️ PowerShell ➡️ #client32.exe (NetSupport client) ➡️ reg.exe

Key details:
🔹 Uses a 'client32' process to run #NetSupport #RAT and add it to autorun in registry via reg.exe
🔹 Creates an 'Options' folder in %APPDATA% if missing
🔹 NetSupport client downloads a task .zip file, extracts, and runs it from %APPDATA%\Application .zip
🔹 Deletes ZIP files after execution

❗️ BAT droppers remain a common choice in attacks as threat actors continue to find new methods to evade detection.

Use #ANYRUN’s Interactive Sandbox to quickly trace the full execution chain and uncover #malware behavior for fast and informed response.
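The execution chain and persistence step in the post above (cmd.exe running a BAT, two PowerShell stages, client32.exe launched from an Options folder under %APPDATA%, then reg.exe adding it to autorun) map cleanly onto a process-ancestry hunt. The following is an added example, not code from ANY.RUN or from any of the posts on this page: it walks constructed process-creation events, and for every reg.exe that adds a Run-key value it checks whether client32.exe and powershell.exe sit in the parent chain and whether client32.exe was running from an AppData\Roaming\Options path. The event field names (pid, ppid, image, cmdline) and the sample events are assumptions; map them from whatever Sysmon or EDR export you actually collect.

```python
"""Hunt for NetSupport client32.exe Run-key persistence in process-creation events.

Added example: the events below are constructed for the demonstration and the
record layout (pid, ppid, image, cmdline) is an assumed normalised form.
"""
import re
from typing import Dict, List

# Constructed sample telemetry, not real data. PIDs and paths are made up.
SAMPLE_EVENTS: List[dict] = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\Downloads\invoice.bat"'},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc AAAA"},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ep bypass -c stage2"},
    {"pid": 500, "ppid": 400,
     "image": r"C:\Users\u\AppData\Roaming\Options\client32.exe",
     "cmdline": "client32.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" '
                r'/v client32 /t REG_SZ /d "C:\Users\u\AppData\Roaming\Options\client32.exe" /f'},
    # Benign control: an administrator querying the registry from cmd.exe.
    {"pid": 700, "ppid": 200, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe query HKLM\SOFTWARE"},
]

RUN_KEY = re.compile(r"CurrentVersion\\Run\b", re.IGNORECASE)
REG_ADD = re.compile(r"\badd\b", re.IGNORECASE)
APPDATA_OPTIONS = re.compile(r"\\AppData\\Roaming\\Options\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(by_pid: Dict[int, dict], pid: int) -> List[str]:
    """Image basenames from the given process up to the root, child first.

    The seen-set guards against PID reuse producing a cycle in the data.
    """
    chain: List[str] = []
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def find_netsupport_persistence(events: List[dict]) -> List[dict]:
    """Return one finding per reg.exe Run-key write whose ancestry matches the chain.

    A finding requires: reg.exe add ... CurrentVersion\\Run, client32.exe as an
    ancestor, and at least one powershell.exe above it. The AppData\\Roaming\\Options
    check is reported separately so a client32.exe in a vendor install path is
    distinguishable from the dropped copy the post describes.
    """
    by_pid = {e["pid"]: e for e in events}
    findings: List[dict] = []
    for ev in events:
        if basename(ev["image"]) != "reg.exe":
            continue
        cmd = ev["cmdline"]
        if not (REG_ADD.search(cmd) and RUN_KEY.search(cmd)):
            continue
        chain = ancestry(by_pid, ev["pid"])
        if "client32.exe" not in chain or "powershell.exe" not in chain:
            continue
        client_pid = next(p for p in by_pid
                          if basename(by_pid[p]["image"]) == "client32.exe"
                          and ancestry(by_pid, ev["pid"]).count("client32.exe"))
        findings.append({
            "pid": ev["pid"],
            "chain": chain,
            "client32_in_appdata": bool(APPDATA_OPTIONS.search(by_pid[client_pid]["image"])),
            "cmdline": cmd,
        })
    return findings


if __name__ == "__main__":
    for f in find_netsupport_persistence(SAMPLE_EVENTS):
        print(f["pid"], " <- ".join(f["chain"]), "appdata_options=%s" % f["client32_in_appdata"])
```

The benign reg.exe query from the same cmd.exe is deliberately included so the rule does not fire on ordinary registry use; only the Run-key add that descends through client32.exe is reported, which is the combination worth paging on.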

2024-12-17 (Tuesday): #SmartApeSG injected script leads to fake browser update page, and that page leads to a #NetSupport #RAT infection.

Just like my last post here, there are 2 injected scripts in a page from the compromised site, one using depostsolo[.]biz and one using tactlat[.]xyz.

A #pcap of the infection traffic, associated malware samples and more information is available at malware-traffic-analysis.net/2

NetSupportRAT C2 for this campaign continues to be 194.180.191[.]64 since as early as 2024-11-22.

2024-12-13 (Friday): ww.anceltech[.]com compromised with #SmartApeSG leading to #NetSupport #RAT

Saw 2 injected scripts, one for jitcom[.]info and best-net[.]biz.

Pivoting on best-net[.]biz in URLscan shows signs of six other possibly compromised sites: urlscan.io/search/#best-net.bi

Those possibly compromised sites are:

- destinationbedfordva[.]com
- exceladept[.]com
- thefilmverdict[.]com
- thenapministry[.]com
- www.estatesale-finder[.]com
- www.freepetchipregistry[.]com

I haven't tried them yet to confirm, but that's always been the case when I pivot on the SmartApeSG domains in URLscan.

#NetSupportRAT C2 for this campaign since as early as 2024-11-22 has been 194.180.191[.]64

2024-12-11 (Wednesday): Zip archive containing #NetSupport #RAT (#NetSupportRAT) package hosted at hxxps[:]//homeservicephiladelphia[.]info/work/yyy.zip

The C2 for this NetSupport package is 194.180.191[.]64, which is a known NetSupport C2 active since 2024-11-22, per ThreatFox: threatfox.abuse.ch/ioc/1346763

Nothing new on the NetSupport side. I'm sure that hosting URL is part of an infection chain, but I don't know what's leading to it.