Cybersecurity researchers have uncovered a sophisticated malware campaign orchestrated by the threat actor group SmartApeSG, also known as ZPHP or HANEYMANEY.
This campaign exploits fake browser update notifications to deliver two potent malware strains: NetSupport RAT and StealC.
The operation leverages malicious scripts injected into compromised websites, redirecting victims to fraudulent pages designed to mimic legitimate browser update alerts.
The malicious activity originates from a script hosted on the domain cinaweine[.]shop, which serves various files, including JavaScript and images, to create a convincing fake browser update interface.
Victims are tricked into downloading a malicious JavaScript file named “Update 7673.js,” which acts as an installer for the NetSupport RAT.
The script downloads a ZIP archive containing the RAT from poormet[.]com.
Once extracted and executed, the RAT establishes communication with command-and-control (C2) servers, enabling attackers to remotely control infected systems.
NetSupport RAT is a remote access tool that provides attackers with extensive control over compromised devices.
Post-infection traffic from the RAT includes communication with domains like geo.netsupportsoftware[.]com and IP addresses such as 194.180.191[.]229 over HTTPS.
The RAT is also used as a delivery mechanism for the StealC malware, which is sent via C2 traffic in a ZIP archive named “misk.zip.”
StealC employs DLL side-loading techniques to evade detection. It uses a legitimate Windows executable (mfpmp.exe) to load a malicious DLL (rtworkq.dll) that contains the inflated StealC payload.
This technique exploits trust in legitimate system files to bypass security measures.
Once operational, StealC communicates with its own C2 infrastructure, hosted on 62.164.130[.]69, for data exfiltration and additional payload delivery.
The malicious files involved in this campaign include (SHA-256 hashes):
47f59d61beabd8f1dcbbdd190483271c7f596a277ecbe9fd227238a7ff74cbfc
b71f07964071f20aaeb5575d7273e2941853973defa6cb22160e126484d4a5d3
e9eb934dad3f87ee581df72af265183f86fdfad87018eed358fb4d7f669e5b7d
StealC further downloads legitimate third-party DLLs (e.g., sqlite3.dll, nss3.dll) from its C2 server to facilitate its operation.
These files are used during the infection process but are not inherently malicious.
This campaign highlights the evolving tactics of cybercriminals who exploit trust in software updates and legitimate files to deliver malware.
Users are advised to avoid downloading updates from unverified sources and ensure their systems are protected with updated security solutions.
Organizations should monitor network traffic for suspicious activity, such as communication with known malicious domains or IP addresses, and implement robust endpoint detection mechanisms to mitigate risks associated with these threats.
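As an added, defender-side example (not code from the report), the following Python applies the indicators above to constructed key=value log lines: it flags contact with the listed domains and addresses, matches the listed SHA-256 hashes, and catches the mfpmp.exe/rtworkq.dll side-loading pair whenever the DLL is loaded from anywhere other than System32. The log format, host names and file paths are assumptions.

```python
import ntpath
import re
# Indicators from the report above, with the defanging brackets removed.
IOC_DOMAINS = {
    "cinaweine.shop", "poormet.com",
    # Vendor domain that legitimate NetSupport installs also reach: corroboration only.
    "geo.netsupportsoftware.com",
}
IOC_IPS = {"194.180.191.229", "62.164.130.69"}
IOC_SHA256 = {
    "47f59d61beabd8f1dcbbdd190483271c7f596a277ecbe9fd227238a7ff74cbfc",
    "b71f07964071f20aaeb5575d7273e2941853973defa6cb22160e126484d4a5d3",
    "e9eb934dad3f87ee581df72af265183f86fdfad87018eed358fb4d7f669e5b7d",
}
SYSTEM32 = "c:\\windows\\system32\\"
KV_RE = re.compile(r"(\w+)=(\S+)")

def check_line(line):
    """Return the reasons one key=value log line matches this campaign."""
    fields = dict(KV_RE.findall(line))
    hits = []
    for key, val in fields.items():
        low = val.lower()
        if low in IOC_DOMAINS or any(low.endswith("." + d) for d in IOC_DOMAINS):
            hits.append(f"{key}: campaign domain {low}")
        if val in IOC_IPS:
            hits.append(f"{key}: C2 address {val}")
        if key == "sha256" and low in IOC_SHA256:
            hits.append("sha256: known campaign sample")
    # DLL side-loading check: the genuine mfpmp.exe/rtworkq.dll pair lives in
    # System32; the same pair loaded from any other directory is the pattern.
    image, loaded = fields.get("image", ""), fields.get("loaded", "")
    if (ntpath.basename(image).lower() == "mfpmp.exe"
            and ntpath.basename(loaded).lower() == "rtworkq.dll"
            and not loaded.lower().startswith(SYSTEM32)):
        hits.append("mfpmp.exe side-loaded rtworkq.dll outside System32")
    return hits

def scan(lines):  # line index -> reasons, for every line that matched
    return {i: r for i, l in enumerate(lines) if (r := check_line(l))}

# Constructed sample log lines (not from the report) in a key=value style.
SAMPLE_LOGS = [
    "2025-02-20T10:01:02Z dns host=ws01 qname=cinaweine.shop",
    "2025-02-20T10:01:09Z proxy host=ws01 dst=poormet.com port=443",
    "2025-02-20T10:02:15Z proxy host=ws01 dst=194.180.191.229 port=443",
    "2025-02-20T10:03:40Z imageload host=ws01 image=C:\\Users\\a\\AppData\\Local\\Temp\\mfpmp.exe loaded=C:\\Users\\a\\AppData\\Local\\Temp\\rtworkq.dll",
    "2025-02-20T10:04:00Z imageload host=ws02 image=C:\\Windows\\System32\\mfpmp.exe loaded=C:\\Windows\\System32\\rtworkq.dll",
    "2025-02-20T10:05:00Z filehash host=ws01 path=C:\\Users\\a\\AppData\\Local\\Temp\\sample.bin sha256=b71f07964071f20aaeb5575d7273e2941853973defa6cb22160e126484d4a5d3",
]
```

The legitimate System32 load on ws02 produces no hit, which is what keeps this check from firing on every machine that uses the genuine Media Foundation binaries.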