GrayCharlie, active since mid-2023 and overlapping with SmartApeSG, compromises WordPress sites to inject externally hosted JavaScript that redirects visitors to NetSupport RAT payloads delivered via fake browser update pages or ClickFix lures, often resulting in Stealc and SectopRAT follow-on deployments. Insikt Group mapped extensive infrastructure tied to MivoCloud and HZ Hosting Ltd, identified multiple NetSupport RAT C2 clusters and staging domains, and observed a likely supply‑chain compromise impacting numerous US law firm websites. #GrayCharlie #NetSupportRAT
Keypoints
- GrayCharlie injects malicious JavaScript into compromised WordPress sites to redirect visitors to fake browser updates or ClickFix lures that deliver NetSupport RAT, with observed follow-on use of Stealc and SectopRAT.
- Insikt Group identified two primary NetSupport RAT clusters (Cluster 1 and Cluster 2) and multiple additional C2 servers, largely hosted by MivoCloud and associated with recurring TLS naming and license/serial patterns.
- Staging infrastructure uses recurring website templates (“Wiser University” and “Activitar”) and numerous domains/IPs; many staging IPs are announced by AS202015 (HZ Hosting Ltd).
- GrayCharlie’s attack chains include (1) user-executed fake browser updates that spawn PowerShell staging and download NetSupport, and (2) ClickFix lures that copy commands to the clipboard for user-pasted execution via Win+R.
- At least fifteen US law firm websites were observed loading the same malicious JavaScript (persistancejs[.]store), suggesting a possible supply‑chain compromise involving SMB Team or shared hosting/plugin vulnerabilities.
- Mitigations recommended include blocking known C2 IPs/domains, flagging compromised websites, deploying YARA/Snort/Sigma detection rules, email filtering, and monitoring for data exfiltration.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Actors likely exploited vulnerable WordPress plugins or purchased access to compromise sites (‘exploit vulnerable WordPress plugins’).
- [T1059.007] Command and Scripting Interpreter: JavaScript – Malicious JavaScript was injected into the DOM of WordPress sites and executed as user-run loaders (‘injects malicious JavaScript into the Document Object Model (DOM) of compromised WordPress sites’).
- [T1059.005] Command and Scripting Interpreter: PowerShell – JavaScript launched wscript.exe, which spawned PowerShell to fetch and decode staged payloads (‘The JavaScript launches wscript.exe, which spawns powershell.exe. PowerShell reaches out to a remote host to fetch an obfuscated JavaScript containing encoded tasking’).
- [T1105] Ingress Tool Transfer – The actor downloaded ZIP archives containing NetSupport RAT clients and supporting DLLs to victim profiles (‘downloads the actual payload ZIP archive. This archive contains a complete NetSupport RAT client set, including client32.exe and required DLLs’).
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – Persistence was achieved by creating Windows Run registry keys to autostart client32.exe at logon (‘Registry Run key persistence’).
- [T1071.001] Application Layer Protocol: Web Protocols – NetSupport RAT C2 traffic was carried over TCP/443 (HTTPS) (‘GrayCharlie manages its NetSupport RAT C2 servers over TCP port 443’).
- [T1566] Phishing – Initial redirect vectors include phishing emails, malicious PDFs, and links that lead victims to compromised WordPress pages hosting the malicious JavaScript (‘Phishing emails, malicious PDFs, or links on gaming sites direct users to compromised WordPress pages’).
- [T1090] Proxy – Operators relied extensively on proxy services to administer infrastructure, obscuring management traffic (‘GrayCharlie relies extensively on proxy services to administer its infrastructure’).
- [T1021.004] Remote Services: SSH – Higher-tier staging infrastructure was administered primarily over SSH (‘GrayCharlie administers its staging infrastructure primarily over SSH’).
- [T1204] User Execution – ClickFix lures and fake update prompts use social engineering to get users to execute commands or run JavaScript (e.g., copying a command to the clipboard and instructing the user to paste it into the Run dialog) (‘presents a fake CAPTCHA that quietly copies a malicious command to the user’s clipboard and instructs them to paste it into the Windows Run dialog (Win+R)’).
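The host-side chain listed above (wscript.exe spawning powershell.exe, client32.exe dropped under %AppData%, and a Run key pointing at it) is what endpoint telemetry can catch even when the staging domains rotate. The following is an added detection example, not code from the Insikt Group report: it evaluates a few behavioural rules over constructed, Sysmon-like event records. The record layout (dict keys such as `parent_image`, `target`, `key`), the host names and the `NetSupport` folder name are assumptions made for the example; only the process names, the %AppData% drop location and the Run-key persistence come from the report.

```python
"""Behavioural detections for the GrayCharlie NetSupport RAT chain.

Added example, not the report's own tooling. Events are constructed,
Sysmon-like dicts; the field names are assumptions for this example.
"""
import re
from typing import Iterable

# Indicators from the report: wscript.exe -> powershell.exe, client32.exe
# written under %AppData% (AppData\Roaming), and a Run key launching it.
PARENT_CHILD = ("wscript.exe", "powershell.exe")
NETSUPPORT_CLIENT = "client32.exe"
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
APPDATA_RE = re.compile(r"\\appdata\\roaming\\", re.I)

# Rules that together describe the full chain on one host.
CHAIN_RULES = {
    "wscript_spawns_powershell",
    "netsupport_client_dropped_appdata",
    "run_key_netsupport_persistence",
}


def _basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[str]:
    """Return the names of the rules that fire on a single event."""
    hits: list[str] = []
    kind = ev.get("event")
    if kind == "process_create":
        parent = _basename(ev.get("parent_image", ""))
        child = _basename(ev.get("image", ""))
        if (parent, child) == PARENT_CHILD:
            hits.append("wscript_spawns_powershell")
        if child == NETSUPPORT_CLIENT and APPDATA_RE.search(ev.get("image", "")):
            hits.append("netsupport_client_from_appdata")
    elif kind == "file_create":
        target = ev.get("target", "")
        if _basename(target) == NETSUPPORT_CLIENT and APPDATA_RE.search(target):
            hits.append("netsupport_client_dropped_appdata")
    elif kind == "registry_set":
        key, value = ev.get("key", ""), ev.get("value", "").lower()
        if RUN_KEY_RE.search(key) and NETSUPPORT_CLIENT in value:
            hits.append("run_key_netsupport_persistence")
    return hits


def scan(events: Iterable[dict]) -> dict[str, list[str]]:
    """Map each firing rule to the hosts it fired on (in event order)."""
    by_rule: dict[str, list[str]] = {}
    for ev in events:
        for rule in check_event(ev):
            by_rule.setdefault(rule, []).append(ev["host"])
    return by_rule


def hosts_with_full_chain(events: Iterable[dict]) -> set[str]:
    """Hosts on which every rule in CHAIN_RULES fired; triage these first."""
    rules_by_host: dict[str, set[str]] = {}
    for ev in events:
        rules_by_host.setdefault(ev["host"], set()).update(check_event(ev))
    return {h for h, r in rules_by_host.items() if CHAIN_RULES <= r}


# Constructed sample telemetry: ws01 shows the full chain, ws02 is benign noise
# (PowerShell from Explorer and an unrelated Run key).
SAMPLE_EVENTS = [
    {"host": "ws01", "event": "process_create",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "ws01", "event": "file_create",
     "target": r"C:\Users\alice\AppData\Roaming\NetSupport\client32.exe"},
    {"host": "ws01", "event": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NetSupport",
     "value": r"C:\Users\alice\AppData\Roaming\NetSupport\client32.exe"},
    {"host": "ws01", "event": "process_create",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\AppData\Roaming\NetSupport\client32.exe"},
    {"host": "ws02", "event": "process_create",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "ws02", "event": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for rule, hosts in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: {sorted(set(hosts))}")
    print("full chain on:", sorted(hosts_with_full_chain(SAMPLE_EVENTS)))
```

Each rule alone is noisy in some environments (NetSupport Manager is a legitimate product, and wscript-launched PowerShell occurs in some logon scripts), which is why `hosts_with_full_chain` requires the drop, the persistence and the loader chain to coincide on one host before it raises the priority.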
Indicators of Compromise
- [IP Addresses] NetSupport RAT C2 and staging infrastructure – examples: 5[.]181[.]159[.]60 (Cluster 1 NetSupport C2), 5[.]181[.]159[.]112 (Cluster 2 NetSupport C2), and many other C2/staging IPs listed in Appendix A.
- [Domains] Staging and malicious JavaScript hosts – examples: persistancejs[.]store (hosted the malicious original.js used in the law firm compromises), joiner[.]best (used to host work/original.js), and other staging domains such as signaturepl[.]com and filmlerzltyazilimsx[.]shop.
- [File Hashes] Malware samples observed – examples: NetSupport RAT SHA256 31804c48f9294c9fa7c165c89e487bfbebeda6daf3244ad30b93122bf933c79c, SectopRAT SHA256 59e7e7698d77531bfbfea4739d29c14e188b5d3109f63881b9bcc87c72e9de78, and numerous other hashes listed in Appendix A.
- [File Names] Deployed payloads and artifacts – examples: client32.exe (NetSupport RAT client extracted to %AppData%), the ‘Merge XML Files’ executable (signed Vovsoft binary used in sideloading), plus decoy .dat files in ZIP archives.
- [Email Address] Threat actor registration/contact – example: oreshnik[@]mailum[.]com (linked to the filmlerzltyazilimsx[.]shop WHOIS record and other domains).