Legitimate but compromised websites with the injected SmartApeSG script lead to a fake browser update page that distributes the NetSupportRAT malware.
During the infection, Palo Alto also observed StealC being distributed.
Indicators of Compromise