The SmartApeSG campaign, also known as ZPHP or HANEY MANEY, continues to evolve its attack methods to compromise Windows systems with malicious remote access tools.
First reported in June 2024, this campaign has shifted from using fake browser update pages to deploying sophisticated ClickFix-style techniques.
The new approach tricks users into thinking they need to verify their identity through a fake CAPTCHA page, making the attack more deceptive and harder to detect.
The campaign primarily targets users who visit compromised websites displaying hidden malicious scripts. When certain conditions are met, these scripts activate and present users with a fake “verify you are human” box.
Injected SmartApeSG script in a page from the compromised site (Source – Internet Storm Center)
The attackers use this clever technique to bypass user suspicion and trick them into taking actions that lead to malware installation.
Once activated, the fake CAPTCHA page initiates a chain of events designed to install NetSupport RAT on the victim’s computer.
Fake CAPTCHA page displayed by the compromised site (Source – Internet Storm Center)
This remote access tool gives attackers complete control over infected machines, allowing them to steal data, monitor activity, and deploy additional malware.
Internet Storm Center security analysts identified that the attack works by injecting malicious content directly into a user’s clipboard when they click the verification box.
The injected content is a command string that uses the mshta command to retrieve and execute malicious code from attacker-controlled servers.
Multi-stage approach
This technique is particularly effective because it bypasses traditional security measures by relying on social engineering rather than software vulnerabilities.
The persistence mechanism relies on a simple Windows feature. The NetSupport RAT package maintains itself on infected computers by creating a Start Menu shortcut that runs a JavaScript file stored in the AppData\Local\Temp directory.
This JavaScript file then launches the actual NetSupport RAT executable located in the C:\ProgramData\ directory. This multi-stage approach makes detection and removal more challenging for typical users.
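The two host behaviours described above (mshta fetching code from a remote server, and a script file under AppData\Local\Temp being launched at logon) are what a defender would hunt for. The following is an added example, not code from the Internet Storm Center write-up or this article: a small Python triage check run over constructed Sysmon-style process-creation records. The record fields, paths and URL are assumptions made up for illustration, not indicators from the campaign.

```python
import re

# Constructed sample records in a simplified Sysmon Event ID 1 (process creation) shape.
# All values are invented for this example; none are indicators from the campaign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://example.invalid/verify.hta",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\update.js"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Program Files\Vendor\setup.hta",
     "ParentImage": r"C:\Program Files\Vendor\installer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Rule 1: mshta given an http/https URL on its command line (payload pulled from a server).
MSHTA_REMOTE = re.compile(r"\bmshta(?:\.exe)?\b.*\bhttps?://", re.IGNORECASE)
# Rule 2: a .js file under the user's AppData\Local\Temp passed to Windows Script Host.
WSH_TEMP_JS = re.compile(r"\\AppData\\Local\\Temp\\[^\"\s]*\.js\b", re.IGNORECASE)


def classify(event):
    """Return the list of rule names matched by one process-creation event."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    hits = []
    if image.endswith("\\mshta.exe") and MSHTA_REMOTE.search(cmd):
        hits.append("mshta_remote_url")
    if image.endswith(("\\wscript.exe", "\\cscript.exe")) and WSH_TEMP_JS.search(cmd):
        hits.append("wsh_js_from_temp")
    return hits


def triage(events):
    """Return (event index, matched rules) for every event that hit at least one rule."""
    results = []
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(rules)} :: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

In practice the records would come from the Windows event log or a SIEM rather than the embedded list; a local .hta launched by a signed installer (event 2) is deliberately not flagged, which is the kind of benign case these rules need to tolerate.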
What makes SmartApeSG particularly dangerous is the constant evolution of its infrastructure. The domains, command and control servers, and malware packages change nearly daily, making threat intelligence updates critical for security teams.
Organizations should educate users about clicking verification boxes on websites and implement network-level protections to block connections to known malicious domains associated with this campaign.
The post SmartApeSG Campaign Leverages ClickFix Technique to Deploy NetSupport RAT appeared first on Cyber Security News.