SmartApeSG is a social-engineering campaign distributed via compromised sites that tricks users into downloading a fake browser update, then delivers a two-stage PowerShell/JavaScript payload leading to NetSupport RAT. The operation uses a persistent, multi-stage workflow with decoy files, encoded payloads, and a remote C2 host, and has been observed on infrastructure now hosted by Stark Industries. #SmartApeSG #ZPHP #HANEYMANEY #NetSupportRAT #elvesofiax #psk777.casa #StarkIndustries #SocGholish
Keypoints
- Social engineering via fake browser updates is used to surface malware on compromised websites.
- The threat is named SmartApeSG (AKA ZPHP, HANEYMANEY) and is tied to the SmartApe hosting provider and SocGholish lineage.
- A JavaScript file in a ZIP is the main payload, while other files in the archive are noise to confuse defenses.
- The infection chain uses a two-stage scripting flow to invoke PowerShell and download the final payload.
- PowerShell retrieves a large Base64 payload which decodes to NetSupport RAT files and a persistent client executable.
- Persistence is achieved via a Run registry key, ensuring re-launch after reboot.
- IOC highlights include a malicious domain (elvesofiax[.]com), a secondary JavaScript URL (elvesofiax[.]com/cdn-vs/22per.php), a NetSupport RAT host (psk777[.]casa) and its C2 IP (94.158.245[.]103).
MITRE Techniques
- [T1189] Drive-by Compromise – Criminals inject code into compromised websites, which then present unsuspecting website users with malware downloads disguised as browser updates. Quote: “…present unsuspecting website users with malware downloads disguised as browser updates.”
- [T1204.002] User Execution: Malicious File – The file that victims run is the JavaScript one; the other files in the archive are noise intended to confuse security products. Quote: “The file that victims will run is the JavaScript one, the others are there just for noise and to confuse security products.”
- [T1059.001] PowerShell – In the background, PowerShell is used to download and execute the payload as client32.exe. Quote: “PowerShell command responsible for downloading and executing the payload as client32.exe (NetSupport RAT).”
- [T1059.007] JavaScript – The campaign relies on a JavaScript component loaded from the update, executed by the user. Quote: “The file that victims will run is the JavaScript one…”
- [T1105] Ingress Tool Transfer – The final payload is downloaded from a remote host during the infection chain. Quote: “The next steps in the infection process are for PowerShell to retrieve the final payload (NetSupport RAT) from the remote host psk777[casa].”
- [T1027] Obfuscated/Encoded Files or Information – A giant (10.1MB) Base64-encoded string retrieved by PowerShell decodes to a zip archive containing the RAT. Quote: “giant (10.1MB) Base64 encoded string that decodes to a zip archive.”
- [T1140] Deobfuscate/Decode Files or Information – An online deobfuscator exposes the PowerShell command embedded in the payload. Quote: “Using an online deobfuscator, we can now expose the PowerShell command.”
- [T1547.001] Registry Run Keys/Startup Folder – Persistence is achieved via an autorun registry key. Quote: “Persistence achieved via an autorun registry key.”
Indicators of Compromise
- [Hash] 4cf69758cb191de3edc2030019c3bb0c56346de4e85b6badcce9aba8a23706fa – Sample hash used in the campaign.
- [Domain] elvesofiax[.]com – SmartApeSG infrastructure hosting and payload delivery.
- [IP] 45.150.65[.]147 – Associated infrastructure address.
- [URL/Path] elvesofiax[.]com/cdn-vs/22per.php – Second JavaScript delivery point for the campaign.
- [Domain] psk777[.]casa – NetSupport RAT host / C2 domain.
- [IP] 94.158.245[.]103 – NetSupport RAT C2 IP.
- [File] Update 124.0.6367.158.js – Main malicious JavaScript file executed by the victim.
- [File] client32.exe – NetSupport RAT payload binary executed after extraction.
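The infection chain in the Keypoints (fake-update .js, PowerShell retrieving a Base64 blob, client32.exe, a Run key) and the IOC list above can be turned into a small detection pass. The following is an added example, not code from the ThreatDown write-up: it matches the page's published indicators and the chain's behavioural stages against a constructed key=value telemetry format. The assumption that the .js file runs under Windows Script Host (wscript.exe/cscript.exe), the log format, and the sample lines are all constructed for this example; only the domains, IPs, hash and file names come from the page.

```python
"""Detection pass for the SmartApeSG chain over constructed endpoint/network
telemetry. IOC values are the ones published above; the telemetry format and
the sample lines are constructed for this example."""
import re

# Indicators as published (defanged); refanged only for matching.
DEFANGED_DOMAINS = ("elvesofiax[.]com", "psk777[.]casa")
DEFANGED_IPS = ("45.150.65[.]147", "94.158.245[.]103")
SAMPLE_SHA256 = "4cf69758cb191de3edc2030019c3bb0c56346de4e85b6badcce9aba8a23706fa"

def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return ioc.replace("[.]", ".")

IOC_HOSTS = {refang(d) for d in DEFANGED_DOMAINS} | {refang(i) for i in DEFANGED_IPS}
# Assumption: a double-clicked .js file runs under Windows Script Host.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
_ENCODED_FLAG = re.compile(r"\s-e(nc|ncodedcommand)?(\s|$)")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value key="quoted value"' telemetry line."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(ev: dict) -> list:
    """Return the names of every rule the event matches (empty list if none)."""
    hits = []
    kind = ev.get("type")
    if kind in ("dns", "net") and (ev.get("host") in IOC_HOSTS or ev.get("dst") in IOC_HOSTS):
        hits.append("network_ioc")
    if kind == "process":
        parent, image = basename(ev.get("parent", "")), basename(ev.get("image", ""))
        cmd = ev.get("cmdline", "").lower()
        if image in SCRIPT_HOSTS and ".js" in cmd:
            hits.append("script_host_runs_js")          # user ran the fake update .js
        if parent in SCRIPT_HOSTS and image == "powershell.exe":
            hits.append("script_host_spawns_powershell")  # stage 2: JS hands off to PowerShell
        if image == "powershell.exe" and ("frombase64string" in cmd or _ENCODED_FLAG.search(cmd)):
            hits.append("powershell_base64_payload")      # encoded command / Base64 decode
        if image == "client32.exe":
            # client32.exe is also the legitimate NetSupport client; correlate before acting.
            hits.append("netsupport_client_exec")
    if kind == "registry" and "\\currentversion\\run" in ev.get("key", "").lower() \
            and "client32.exe" in ev.get("data", "").lower():
        hits.append("run_key_persistence")                # autorun pointing at the RAT
    if kind == "file" and ev.get("sha256", "").lower() == SAMPLE_SHA256:
        hits.append("known_sample_hash")
    return hits

def scan(lines) -> list:
    """Run every rule over every line; return one finding per (line, rule)."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        for rule in classify(ev):
            findings.append({"line": n, "rule": rule, "event": ev})
    return findings

def chain_stages(findings) -> int:
    """Number of distinct chain stages seen; several stages together is the real signal."""
    return len({f["rule"] for f in findings})

# Constructed sample telemetry mirroring the chain described above.
SAMPLE_TELEMETRY = [
    r'type=dns host=elvesofiax.com',
    r'type=process parent=C:\Windows\explorer.exe image=C:\Windows\System32\wscript.exe cmdline="wscript.exe Update 124.0.6367.158.js"',
    r'type=process parent=C:\Windows\System32\wscript.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -w hidden -enc BASE64_PLACEHOLDER"',
    r'type=net dst=94.158.245.103 proto=tcp',
    r'type=registry key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=NetSupport data=C:\Users\victim\AppData\Roaming\NetSupport\client32.exe',
    r'type=file sha256=4cf69758cb191de3edc2030019c3bb0c56346de4e85b6badcce9aba8a23706fa path=C:\Users\victim\Downloads\Update.zip',
    r'type=dns host=www.example.com',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_TELEMETRY):
        print(f"line {f['line']}: {f['rule']}")
    print("distinct stages:", chain_stages(scan(SAMPLE_TELEMETRY)))
```

The indicator matches are the cheap part; the behavioural rules (script host spawning PowerShell with an encoded command, a Run key pointing at client32.exe) survive the campaign rotating domains, so an alert should weigh `chain_stages` rather than any single hit, and the client32.exe rule in particular needs correlation because legitimate NetSupport deployments use the same binary name.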
Read more: https://www.threatdown.com/blog/smartapesg-06-11-2024/