Financially motivated threat operation GrayCharlie, which overlaps with SmartApeSG, has leveraged compromised WordPress sites belonging to U.S. law firms to deploy the NetSupport RAT, Stealc, and SectopRAT payloads as part of a supply chain attack campaign, reports GBHackers News.

Multiple law firm sites believed to have been breached through a shared IT or marketing provider were injected with links to externally hosted JavaScript that divert to bogus browser update pages or fake CAPTCHAs luring targets into executing a PowerShell command through the Windows Run dialog, both of which lead to the installation of NetSupport RAT, according to an analysis from Recorded Future's Insikt Group.

GrayCharlie, whose attack infrastructure is supported by MivoCloud and HZ Hosting Ltd., then harnesses the connection between NetSupport RAT and its command-and-control servers for surveillance, file operations, and the delivery of the Stealc infostealer and SectopRAT malware.

Mitigating the threat posed by GrayCharlie requires not only blocking NetSupport RAT, Stealc, and SectopRAT-associated IP addresses and domains but also the implementation of updated YARA, Sigma, and Snort rules, as well as more stringent email and web filtering mechanisms, researchers said.
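
For site owners, the injected links to externally hosted JavaScript described above can be caught by auditing which hosts a rendered page loads scripts from. The following is an added example, not code from the Insikt Group report; the allowlist, host names, and sample page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: third-party hosts the site owner knowingly loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"cdn.example-analytics.test"}

# Constructed sample page: one local script, one approved CDN, one unknown host.
SAMPLE_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script async src="https://cdn.example-analytics.test/a.js"></script>
<script src="//updates.example.invalid/loader.js"></script>
</head><body>Attorneys</body></html>"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def unexpected_script_hosts(html, page_url, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return sorted (host, src) pairs for scripts served from hosts that are
    neither the page's own host nor on the allowlist."""
    page_host = urlparse(page_url).hostname
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = set()
    for src in collector.sources:
        # Resolve relative and protocol-relative URLs against the page URL.
        host = urlparse(urljoin(page_url, src)).hostname
        if host and host != page_host and host not in allowed:
            findings.add((host, src))
    return sorted(findings)


if __name__ == "__main__":
    url = "https://www.example-lawfirm.test/"
    for host, src in unexpected_script_hosts(SAMPLE_PAGE, url):
        print(f"unexpected script host: {host} (src={src})")
```

Run against pages fetched on a schedule, a new entry in the output is a prompt to check templates, plugins, and any provider-managed includes for an unauthorized change.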