Highly Obfuscated .NET sectopRAT Mimic as Chrome Extension

A recent analysis by Malwr-Analysis describes a highly obfuscated .NET-based Remote Access Trojan (RAT) known as sectopRAT that is delivered together with a malicious extension posing as a legitimate Google Chrome extension.

The malware, also tracked as Arechclient2, combines heavy obfuscation with functionality built for data theft.

SectopRAT is written in .NET and is protected with a calli-based obfuscator: direct method calls are replaced with the CIL `calli` instruction, an indirect call through a function pointer, so decompilers no longer show which method is actually being invoked and the control flow becomes much harder to follow.

sectopRAT identified using Detect It Easy (Source – Malwr-Analysis)

Even after running the sample through the CalliFixer deobfuscator, much of the code remained difficult to analyze.

Attempts to deobfuscate the code using CalliFixer (Source – Malwr-Analysis)

The analyzed sample is 768 KB in size and has the MD5 hash EED3542190002FFB5AE2764B3BA7393B. At the time of analysis it was detected by 61 of 72 antivirus engines on VirusTotal.

Upon execution, sectopRAT connects to a command-and-control (C2) server at 91.202.233.18 on ports 9000 and 15647, giving the operator remote control over the infected system.

Anurag, a malware analyst at Malwr-Analysis, noted that the malware masquerades as a Google Chrome extension named "Google Docs" in order to trick users into installing it.

Dynamic Analysis: Malicious Chrome Extension

The malicious extension consists of three files: manifest.json, content.js, and background.js. Together they handle the capture and exfiltration of user data.

The manifest.json file declares the extension's name and permissions. It claims to provide offline editing for Google Docs, yet it requests broad permissions that allow the extension to inject scripts into every web page the user opens.

Malicious Chrome Extension Disguised as Google Docs (Source – Malwr-Analysis)

The content.js script registers event listeners on every page the user visits and captures sensitive input such as usernames, passwords, credit card numbers, and other form data.

Decompiled code (Source – Malwr-Analysis)

Meanwhile, background.js acts as an intermediary. Content scripts run in the context of the visited page and are constrained by that page's origin when they make network requests, whereas the background script runs with the extension's own host permissions, so the stolen data is handed from content.js to background.js, which transmits it to the C2 server.

This behavior was observed during sandbox analysis: the extension monitored input fields across websites and relayed the captured data to the attacker-controlled server.
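The three-file layout described above (a content script on every page, a background worker with broad host access, and a manifest that grants both) is a pattern an extension audit can flag before any data leaves the browser. The following is an added example, not code from the Malwr-Analysis write-up or from the sample itself: it checks a manifest for that combination. The manifest it runs against is constructed to match the article's description of the "Google Docs" extension (name, offline-editing claim, broad permissions) and is an assumption for illustration, not the sample's real manifest.

```javascript
// Added example (not code from the Malwr-Analysis write-up or from the sample):
// audit a Chrome extension manifest for the permission pattern described above,
// i.e. a content script injected into every page combined with broad host
// access and a background worker that can relay captured data off-origin.

// Constructed manifest modelled on the article's description of the "Google
// Docs" extension (name, offline-editing claim, broad permissions). It is an
// assumption for illustration, not the actual manifest of the sample.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Google Docs",
  description: "Create, edit and view your documents offline",
  version: "1.0.3",
  permissions: ["storage", "tabs", "scripting"],
  host_permissions: ["<all_urls>"],
  background: { service_worker: "background.js" },
  content_scripts: [
    { matches: ["<all_urls>"], js: ["content.js"], run_at: "document_start" }
  ]
};

// Match patterns that cover effectively every site the user visits.
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function isBroad(pattern) {
  return BROAD_PATTERNS.has(pattern);
}

// Returns { risk: "low" | "medium" | "high", findings: string[] }.
function auditManifest(manifest) {
  const findings = [];

  // MV3 keeps host patterns in host_permissions; MV2 mixed them into permissions.
  const broadHosts = []
    .concat(manifest.host_permissions || [], manifest.permissions || [])
    .filter(isBroad);
  if (broadHosts.length > 0) {
    findings.push(`broad host access requested: ${broadHosts.join(", ")}`);
  }

  // Content scripts whose match patterns put them on every page.
  const injectsEverywhere = (manifest.content_scripts || [])
    .filter(cs => (cs.matches || []).some(isBroad));
  for (const cs of injectsEverywhere) {
    const files = (cs.js || []).join(", ");
    findings.push(`content script [${files}] runs on all pages (run_at=${cs.run_at || "document_idle"})`);
  }

  // A background service worker (MV3) or background scripts (MV2) that could relay data.
  const bg = manifest.background || {};
  const hasBackground = Boolean(bg.service_worker || (bg.scripts && bg.scripts.length));

  // The combination is what makes a credential stealer possible: capture on
  // every page, then hand the data to a worker that can reach any host.
  const stealerShape = hasBackground && injectsEverywhere.length > 0 && broadHosts.length > 0;
  if (stealerShape) {
    findings.push("all-page content script + background worker + broad host access: can capture page input and relay it to an external server");
  }

  const risk = stealerShape ? "high" : findings.length > 0 ? "medium" : "low";
  return { risk, findings };
}

// Stand-alone run against the constructed manifest.
const report = auditManifest(SAMPLE_MANIFEST);
console.log(`risk=${report.risk}`);
for (const f of report.findings) console.log(` - ${f}`);
```

The check is deliberately structural: plenty of legitimate extensions request `<all_urls>`, so a single broad pattern only raises the risk to medium; it is the combination of an all-page content script with a background worker and broad host access that matches the stealer layout the analysis describes and is rated high. Unpacked extensions can be audited by pointing this at each profile's extension directory and loading its manifest.json.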

SectopRAT's use of a look-alike Chrome extension illustrates the growing sophistication of browser-based threats.

With the ability to extract stored credentials, monitor user activity, and exfiltrate sensitive data, it poses a significant cybersecurity risk.

To mitigate this threat, block network traffic to 91.202.233.18, audit installed browser extensions regularly (with particular attention to extensions that request access to all sites), deploy behavior-based threat detection, and restrict the execution of untrusted .NET applications.

IOCs

The following indicators of compromise (IoCs) were identified:

  • C2 Server: 91.202.233.18 (ports 9000 and 15647)
  • File Hash (MD5): EED3542190002FFB5AE2764B3BA7393B
  • Malicious URL: https://pastebin.com/raw/wikwTRQc
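The indicators above, together with the recommendation to block traffic to the C2 address, translate directly into a retrospective hunt over firewall, proxy and endpoint logs. The following is an added example and not part of the original analysis: it matches the published IoCs against key=value style log lines. The log lines themselves are constructed for the example (internal hosts in 10.0.0.0/8, a documentation-range address for the benign connection); only the IP, ports, hash and URL come from the article.

```javascript
// Added example (not from the Malwr-Analysis write-up): match the article's
// published IoCs against log lines. The log lines below are constructed for
// the example; only the IP, ports, hash and URL come from the article.
const IOCS = {
  c2Ip: "91.202.233.18",
  c2Ports: new Set([9000, 15647]),
  md5: "eed3542190002ffb5ae2764b3ba7393b",
  urls: new Set(["https://pastebin.com/raw/wikwTRQc"]),
};

// Constructed sample lines in a generic key=value style (firewall, proxy, EDR).
const SAMPLE_LOGS = [
  "2025-03-07T10:01:02Z fw action=allow proto=tcp src=10.0.0.12 dst=91.202.233.18 dport=9000",
  "2025-03-07T10:01:03Z fw action=allow proto=tcp src=10.0.0.12 dst=91.202.233.18 dport=443",
  "2025-03-07T10:01:04Z fw action=allow proto=tcp src=10.0.0.15 dst=203.0.113.7 dport=443",
  "2025-03-07T10:02:10Z proxy src=10.0.0.12 method=GET url=https://pastebin.com/raw/wikwTRQc status=200",
  "2025-03-07T10:03:00Z edr src=10.0.0.12 event=file_create path=C:\\Users\\u\\Downloads\\update.exe md5=EED3542190002FFB5AE2764B3BA7393B",
];

// Parse "key=value" tokens; a value runs to the next whitespace.
function parseKv(line) {
  const fields = {};
  for (const m of line.matchAll(/(\w+)=(\S+)/g)) fields[m[1]] = m[2];
  return fields;
}

// Returns one hit per matching indicator: { index, src, indicator, detail }.
function matchIocs(lines) {
  const hits = [];
  lines.forEach((line, index) => {
    const f = parseKv(line);
    const base = { index, src: f.src || null };
    if (f.dst === IOCS.c2Ip) {
      const port = Number(f.dport);
      // Any traffic to the C2 address is a hit (the article recommends blocking
      // the address outright); a known C2 port just makes it a stronger one.
      hits.push({ ...base, indicator: "c2_ip",
        detail: IOCS.c2Ports.has(port) ? `known C2 port ${port}` : `unexpected port ${port}` });
    }
    if (f.url && IOCS.urls.has(f.url)) {
      hits.push({ ...base, indicator: "url", detail: f.url });
    }
    if (f.md5 && f.md5.toLowerCase() === IOCS.md5) {
      hits.push({ ...base, indicator: "md5", detail: f.path || "(no path)" });
    }
  });
  return hits;
}

// Source hosts that touched any indicator, as a containment list.
function hostsToIsolate(hits) {
  return [...new Set(hits.map(h => h.src).filter(Boolean))].sort();
}

const hits = matchIocs(SAMPLE_LOGS);
for (const h of hits) console.log(`line ${h.index}: ${h.indicator} (${h.detail}) from ${h.src}`);
console.log("isolate:", hostsToIsolate(hits).join(", "));
```

Hash comparison is case-insensitive because different tools emit upper- and lower-case hex, and the URL is compared exactly rather than by hostname so that ordinary pastebin.com traffic is not flagged. In practice the parser would be swapped for the log platform's own field extraction; the matching logic stays the same.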
