Saturday, February 15, 2025

Beware of SmartApeSG Campaigns that Deliver NetSupport RAT


SmartApeSG, a fake-browser-update (FakeUpdate) campaign, has emerged as a significant delivery vector for NetSupport RAT, a legitimate remote administration tool that attackers abuse for persistent remote access.

The campaign lures victims into downloading fake browser updates; the bogus installer drops the RAT and gives the attackers unauthorized access to the infected system.

A Web of Connections

A recent investigation into SmartApeSG’s command-and-control (C2) infrastructure found cross-connections to NetSupport RAT servers, cryptocurrency scams and other illicit activity.

Three C2 management nodes hosted in Moldova, initially on Stark Industries infrastructure and later moved to other providers, played a central role in these campaigns.

The nodes ran control-panel software such as ISPManager for automation and management, apparently on free trials to keep operating costs down.

[Figure: ISPManager login page]

The analysis then pivoted from the initial servers to uncover additional malicious infrastructure.

Notably, NetSupport RAT servers first identified in 2023 were still actively communicating with victims.

Strong overlaps in the characteristics of the X.509 (TLS) certificates served by the hosts tied SmartApeSG’s C2s to this RAT infrastructure, pointing to a shared threat actor or a tightly linked set of operations.
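The certificate pivot described above, as an added example that is not code from the article or from the Team Cymru report: each host is represented by the attributes of the certificate it served (issuer, subject, validity length, key type, signature algorithm, serial-number length), hosts whose certificates agree on most of those attributes are linked, and any resulting cluster that spans more than one campaign label is reported. The observations, the IP addresses (documentation ranges) and the field names are constructed assumptions; a real run would read them from a certificate scan dataset.

```python
"""Cluster hosts by shared X.509 certificate characteristics.

Added example, not code from the Team Cymru report or the article. The
observations below are constructed (documentation IP ranges, made-up
certificate attributes) and the field names are an assumption about how
a certificate scan dataset might present them.
"""
from datetime import date
from itertools import combinations

# Constructed observations: one record per host, with the attributes of
# the certificate the host served. Self-signed "CN=localhost" certificates
# with a ten-year lifetime are the kind of feature that lets a C2 panel
# be linked to other panels set up by the same operator.
OBSERVATIONS = [
    {"host": "198.51.100.10", "role": "SmartApeSG C2",
     "issuer": "CN=localhost", "subject": "CN=localhost",
     "not_before": "2023-04-02", "not_after": "2033-04-02",
     "key_type": "RSA-2048", "sig_alg": "sha256WithRSAEncryption", "serial_len": 16},
    {"host": "198.51.100.11", "role": "SmartApeSG C2",
     "issuer": "CN=localhost", "subject": "CN=localhost",
     "not_before": "2023-09-14", "not_after": "2033-09-14",
     "key_type": "RSA-2048", "sig_alg": "sha256WithRSAEncryption", "serial_len": 16},
    {"host": "203.0.113.5", "role": "NetSupport RAT C2",
     "issuer": "CN=localhost", "subject": "CN=localhost",
     "not_before": "2023-02-20", "not_after": "2033-02-20",
     "key_type": "RSA-2048", "sig_alg": "sha256WithRSAEncryption", "serial_len": 16},
    {"host": "203.0.113.6", "role": "NetSupport RAT C2",
     "issuer": "CN=localhost", "subject": "CN=localhost",
     "not_before": "2024-01-10", "not_after": "2034-01-10",
     "key_type": "RSA-2048", "sig_alg": "sha256WithRSAEncryption", "serial_len": 20},
    {"host": "192.0.2.77", "role": "unrelated hosting",
     "issuer": "C=US,O=Let's Encrypt,CN=R3", "subject": "CN=example.org",
     "not_before": "2025-01-01", "not_after": "2025-04-01",
     "key_type": "ECDSA-P256", "sig_alg": "ecdsa-with-SHA256", "serial_len": 18},
]

# Certificate attributes compared when looking for overlap. Validity is
# compared as a length in days, since an operator's tooling tends to
# produce the same lifetime even when the issue dates differ.
FEATURES = ("issuer", "subject", "validity_days", "key_type", "sig_alg", "serial_len")


def validity_days(obs):
    """Certificate lifetime in days, derived from notBefore/notAfter."""
    return (date.fromisoformat(obs["not_after"]) - date.fromisoformat(obs["not_before"])).days


def cert_features(obs):
    """Feature vector used for comparison."""
    feats = {k: obs[k] for k in FEATURES if k != "validity_days"}
    feats["validity_days"] = validity_days(obs)
    return feats


def shared_features(a, b):
    """Names of the features two observations agree on."""
    fa, fb = cert_features(a), cert_features(b)
    return [k for k in FEATURES if fa[k] == fb[k]]


def cluster_hosts(observations, min_shared=5):
    """Union-find clustering: link hosts whose certificates agree on at
    least `min_shared` features. Returns clusters, largest first."""
    parent = {o["host"]: o["host"] for o in observations}

    def find(h):
        while parent[h] != h:
            parent[h] = parent[parent[h]]  # path halving
            h = parent[h]
        return h

    for a, b in combinations(observations, 2):
        if len(shared_features(a, b)) >= min_shared:
            parent[find(a["host"])] = find(b["host"])

    groups = {}
    for o in observations:
        groups.setdefault(find(o["host"]), set()).add(o["host"])
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


def cross_campaign_clusters(observations, min_shared=5):
    """Clusters that span more than one labelled role: the overlaps that
    tie one campaign's C2s to another's infrastructure."""
    role_of = {o["host"]: o["role"] for o in observations}
    out = []
    for group in cluster_hosts(observations, min_shared):
        roles = sorted({role_of[h] for h in group})
        if len(roles) > 1:
            out.append((group, roles))
    return out


if __name__ == "__main__":
    for group, roles in cross_campaign_clusters(OBSERVATIONS):
        print(", ".join(roles), "->", ", ".join(group))
```

The threshold matters: with `min_shared=5` the host whose only difference is serial-number length still joins the cluster, while with `min_shared=6` it drops out. A publicly trusted certificate with a 90-day lifetime shares nothing with the self-signed panel certificates and stays isolated, which is the behaviour you want so that ordinary hosting does not get pulled into the actor's cluster.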

Pivoting Through Threat Actor Operations

Widening the scope, telemetry data exposed numerous connections between SmartApeSG, NetSupport RAT and Quasar RAT, a separate open-source remote administration tool.

Moldovan IPs linked to SmartApeSG were observed routing activity through proxies to conceal their operations.

One management server also communicated with cryptocurrency-related services and Quasar RAT C2 nodes.

These intersections suggest an organized, multifaceted operation targeting diverse systems for financial gain or extended control.

Further, active NetSupport RAT C2 servers showed consistent malicious activity months after earlier public disclosures, and were often associated with Russian-language darknet forums.

Some hosts exhibited atypical behaviour, such as using encrypted messaging platforms like Telegram or Jabber and accessing cryptocurrency-scam websites.

[Figure: fake UBS website]

The SmartApeSG and NetSupport RAT campaigns highlight the persistence and adaptability of modern cybercriminal operations.

According to the Team Cymru report, by reusing aged infrastructure and distributing operations across a global network, these campaigns evade detection and remain operational even after takedown efforts.

Importantly, security teams should periodically revisit “aged-out” indicators of compromise (IoCs): an indicator retired from detection because it went quiet can match again when the actor brings old infrastructure back into service, so thorough investigation and proactive defence pay off.
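Putting that recommendation into practice, as an added example that is not code from the article or from Team Cymru: the script matches outbound-connection telemetry against the full indicator list, including indicators older than a retention window, and flags any hit on an indicator that had aged out as evidence that old infrastructure is back in service. The indicator list, the log lines and their key=value format are constructed assumptions; a real run would take a proxy, firewall or EDR export.

```python
"""Re-check "aged-out" indicators against fresh connection telemetry.

Added example, not code from the article or the Team Cymru report. The
indicator list, the log lines and their format are constructed; real
telemetry would come from a proxy, firewall or EDR export.
"""
import re
from datetime import date

# Constructed indicator list. `last_seen` is the last date the indicator
# was observed active; anything older than `stale_days` would normally
# have been retired from blocklists and detection rules.
IOCS = [
    {"indicator": "203.0.113.5", "label": "NetSupport RAT C2", "last_seen": "2023-06-12"},
    {"indicator": "198.51.100.10", "label": "SmartApeSG C2", "last_seen": "2025-01-30"},
    {"indicator": "192.0.2.200", "label": "Quasar RAT C2", "last_seen": "2023-11-03"},
]

# Constructed outbound-connection log lines (key=value form, assumed).
LOG_LINES = [
    "2025-02-10T14:03:22Z host=ws-042 dst=203.0.113.5 dport=443 proto=tcp",
    "2025-02-10T14:05:01Z host=ws-042 dst=192.0.2.9 dport=443 proto=tcp",
    "2025-02-11T09:12:45Z host=ws-017 dst=198.51.100.10 dport=443 proto=tcp",
    "this line is malformed and must be skipped, not crash the scan",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Parse one log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def match_iocs(iocs, log_lines, today, stale_days=180):
    """Match destinations in telemetry against *all* indicators, including
    stale ones, and flag hits on indicators that had aged out.
    `today` is an ISO date string (the reference date for indicator age)."""
    today = date.fromisoformat(today)
    by_indicator = {i["indicator"]: i for i in iocs}
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] not in by_indicator:
            continue
        ioc = by_indicator[rec["dst"]]
        age = (today - date.fromisoformat(ioc["last_seen"])).days
        hits.append({
            "ts": rec["ts"], "host": rec["host"], "dst": rec["dst"],
            "label": ioc["label"], "days_since_last_seen": age,
            "aged_out": age > stale_days,
        })
    return hits


def reused_infrastructure(iocs, log_lines, today, stale_days=180):
    """Only the hits on indicators that had aged out: evidence that old
    infrastructure is back in service and the indicator should be revived."""
    return [h for h in match_iocs(iocs, log_lines, today, stale_days) if h["aged_out"]]


if __name__ == "__main__":
    for hit in match_iocs(IOCS, LOG_LINES, "2025-02-14"):
        flag = "AGED-OUT, revive indicator" if hit["aged_out"] else "active"
        print(f'{hit["ts"]} {hit["host"]} -> {hit["dst"]} ({hit["label"]}, '
              f'{hit["days_since_last_seen"]}d since last seen, {flag})')
```

The point of keeping the stale indicators in the lookup rather than purging them is visible in the first hit: a workstation talking to a C2 that was last reported active in 2023 would be invisible to a blocklist trimmed to the last 180 days. Malformed telemetry is skipped rather than aborting the scan, so one bad export line cannot hide a real match further down.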

While authorities have worked to dismantle parts of the SmartApeSG and NetSupport RAT infrastructure, the threat actors behind these campaigns continue to evolve their tactics.

Users and organizations are advised to remain vigilant, especially against unexpected browser update prompts and phishing schemes.

Organizations can bolster their defences with endpoint detection and response tooling and by monitoring network telemetry for connections to known RAT C2 infrastructure.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware and vulnerabilities.
