SmartApeSG and NetSupportRAT Malware Analysis: A Deep Dive into Compromised Websites and Malicious Traffic


During an investigation into the SmartApeSG campaign, it was discovered that legitimate websites were compromised and injected with malicious scripts. These scripts redirected users to a fake browser update page, which mimicked a Microsoft Edge update prompt. Upon interaction, the page distributed NetSupportRAT malware, followed by StealC malware for additional data exfiltration.

Key Findings:

  1. Fake Browser Update Page: The malicious page was designed to trick users into downloading a fake browser update, which was actually NetSupportRAT malware.
  2. Network Traffic Analysis: Wireshark was used to analyze the network traffic, revealing HTTP requests to domains associated with NetSupport Inc. and StealC command-and-control (C2) servers.
  3. Malware Configuration: The NetSupportRAT malware created a persistent presence on infected Windows hosts, with a configuration file pointing to the C2 server.

Practice-Verified Commands and Code:

1. Wireshark Filter for Malicious Traffic:

http.request.method == "POST" && http.host contains "netsupport"

This filter helps identify POST requests to domains associated with NetSupportRAT.
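As an added example (not code from the original post), the same filter logic applied in Python to a constructed HTTP request log, extended to summarise how regularly each matching host is POSTed to, since a RAT check-in tends to show a steady interval; the log format and host names are assumptions for the demo, not indicators from the investigation:

```python
# Added example: mirror the Wireshark filter
#   http.request.method == "POST" && http.host contains "netsupport"
# over a text log and summarise per-host POST beaconing.
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log ("time method host uri"); the host names are
# placeholders, not real indicators from the campaign.
SAMPLE_LOG = """\
2024-01-01T10:00:00 GET www.example-news.test /index.html
2024-01-01T10:00:05 POST gateway.netsupport-demo.test /poll
2024-01-01T10:00:35 POST gateway.netsupport-demo.test /poll
2024-01-01T10:01:05 POST gateway.netsupport-demo.test /poll
2024-01-01T10:01:20 GET cdn.example-news.test /style.css
2024-01-01T10:01:35 POST gateway.netsupport-demo.test /poll
2024-01-01T10:02:00 POST forms.example-news.test /submit
"""

def parse_log(text):
    """Parse 'time method host uri' lines into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, method, host, uri = parts
        records.append({"time": datetime.fromisoformat(ts), "method": method,
                        "host": host.lower(), "uri": uri})
    return records

def matches_filter(rec, keyword="netsupport"):
    """Same condition as the Wireshark display filter above."""
    return rec["method"] == "POST" and keyword in rec["host"]

def summarise_beacons(records, keyword="netsupport"):
    """Per matching host: POST count and median seconds between POSTs."""
    times = defaultdict(list)
    for rec in records:
        if matches_filter(rec, keyword):
            times[rec["host"]].append(rec["time"])
    summary = {}
    for host, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        summary[host] = {"posts": len(stamps),
                         "median_interval_s": median(gaps) if gaps else None}
    return summary

if __name__ == "__main__":
    for host, info in summarise_beacons(parse_log(SAMPLE_LOG)).items():
        print(host, info)
```

A short, steady median interval with a high POST count is the pattern worth pivoting on in the full capture; the ordinary form POST to the news site is ignored because its host does not match.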

2. Detecting Persistent Malware on Windows:

reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

This command checks the Windows registry for persistent entries that may indicate malware.

3. Analyzing Malware with PowerShell:

Get-Process | Where-Object { $_.Path -like "*netsupport*" } | Stop-Process -Force

This PowerShell command identifies and terminates processes related to NetSupportRAT.

4. Extracting Malware Configuration:

strings NetSupportRAT.exe | grep -i "C2"

This command extracts strings from the malware binary to identify the C2 server address.

5. Blocking Malicious Domains with Firewall:

netsh advfirewall firewall add rule name="Block NetSupport C2" dir=out action=block remoteip=192.168.1.100

This command blocks outgoing traffic to the identified C2 server IP; the private address shown is only a placeholder, so substitute the C2 address observed in your own traffic analysis.

What Undercode Says:

The SmartApeSG campaign highlights the increasing sophistication of cybercriminals in leveraging compromised websites to distribute malware. The use of fake browser update pages is a common social engineering tactic, and the subsequent deployment of NetSupportRAT and StealC demonstrates the multi-stage nature of modern attacks. To mitigate such threats, organizations should:

  • Regularly monitor network traffic using tools like Wireshark.
  • Implement endpoint detection and response (EDR) solutions to identify and block malicious processes.
  • Educate users about the dangers of fake update prompts and social engineering.
  • Use firewalls to block known malicious IPs and domains.

For further reading on malware analysis and network traffic investigation, visit:
Malware Traffic Analysis
Palo Alto Networks Unit 42

By combining technical defenses with user education, organizations can significantly reduce the risk of falling victim to such campaigns.

References:

Hackers Feeds, Undercode AI