Highly Obfuscated .NET sectopRAT Mimic as Chrome Extension

SectopRAT, also known as Arechclient2, is a sophisticated Remote Access Trojan (RAT) developed using the .NET framework.

This malware is notorious for its advanced obfuscation techniques, making it challenging to analyze and detect.

Recently, cybersecurity researchers uncovered a new campaign where sectopRAT disguises itself as a legitimate Google Chrome extension named “Google Docs,” further amplifying its stealth and data-theft capabilities.

Advanced Obfuscation and Capabilities

SectopRAT employs the calli obfuscator, a technique that significantly complicates static analysis.

Despite attempts to deobfuscate the code using tools like CalliFixer, the malware’s core functionalities remain concealed.

However, through partial decompilation, researchers identified its extensive capabilities, which include:

• Stealing browser data such as cookies, saved passwords, autofill information, and encrypted keys.
• Profiling victim systems by collecting details about hardware, operating systems, and installed software.
• Targeting applications like VPNs (NordVPN, ProtonVPN), game launchers (Steam), and communication platforms (Telegram, Discord).
• Scanning for cryptocurrency wallets and FTP credentials.

sectopRAT’s ability to exfiltrate sensitive information highlights its dual role as both an infostealer and a remote control tool.

According to an analysis, it communicates with its Command and Control (C2) server using encrypted channels, typically over ports 9000 and 15647.

Malicious Chrome Extension Disguise

One of the most alarming aspects of this campaign is sectopRAT’s use of a fake Google Chrome extension masquerading as “Google Docs.”

Upon infection, the malware downloads files such as manifest.json, content.js, and background.js from its C2 server.

These files enable the extension to:

• Inject malicious scripts into all visited web pages.
• Capture user inputs like usernames, passwords, credit card details, and form data.
• Transmit stolen data to the attacker’s C2 server.

The extension operates under the guise of providing offline editing capabilities for Google Docs but instead functions as a sophisticated keylogger and data exfiltration tool.

Key IoCs associated with this campaign include:

• File Hash: EED3542190002FFB5AE2764B3BA7393B
• C2 Servers: 91.202.233.18 on ports 9000 and 15647
• Malicious URLs: http://91.202.233[.]18/wbinjget?q=... and https://pastebin.com/raw/wikwTRQc
• Mutex Name: 49c5e6d7577e447ba2f4d6747f56c473

sectopRAT’s ability to mimic legitimate software while evading detection poses a significant threat to individuals and organizations alike.

The malware’s anti-analysis features, such as anti-virtual machine mechanisms and encrypted C2 communication, make it particularly elusive.

To mitigate risks:

1. Block network traffic to identified C2 servers.
2. Monitor for suspicious file activity in directories like %AppData%/Local/llg.
3. Remove unknown or suspicious Chrome extensions.
4. Employ behavioral-based threat detection systems.
5. Restrict execution of untrusted .NET applications.

This campaign underscores the evolving tactics of cybercriminals in leveraging trusted platforms like browsers to deploy highly evasive malware.

Enhanced vigilance and proactive security measures are essential to combat such threats effectively.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free