GrayCharlie Campaign Compromises WordPress Sites To Spread NetSupport RAT and Steal Data

The GrayCharlie group, a cybercriminal entity that emerged in mid-2023, has been actively compromising WordPress sites to spread the NetSupport RAT (Remote Access Trojan) and steal sensitive data.

The threat actor’s methods are sophisticated, often utilizing fake browser update prompts or ClickFix pop-ups to deceive visitors into downloading malicious payloads.

These attacks involve deploying malware such as Stealer and SectopRAT, with the ultimate goal of stealing information and making financial gains.

GrayCharlie’s Infection Chain and Infrastructure

GrayCharlie injects JavaScript links into compromised WordPress sites. Once a user visits these sites, they are redirected to fake browser update pages or ClickFix pop-ups, both of which encourage them to download malicious software.
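A defender-side check for the injection pattern described above, added here as an example (not code from Recorded Future, Cyber Press, or the campaign): it parses saved WordPress page HTML and flags script tags loaded from hosts outside an allowlist, plus inline scripts that look obfuscated. The allowlist, the host names, and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed allowlist: the site's own host plus CDNs it legitimately uses.
FIRST_PARTY = {"example-site.test", "cdn.example-site.test"}

# Heuristics for inline scripts: eval/atob chains or long base64-like blobs.
OBFUSCATION = re.compile(r"(eval\(|atob\(|String\.fromCharCode|[A-Za-z0-9+/=]{80,})")


class ScriptCollector(HTMLParser):
    """Collects third-party <script src> URLs and suspicious inline scripts."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            # Relative paths have no hostname and are treated as first-party.
            host = urlparse(src).hostname or ""
            if host and host not in FIRST_PARTY:
                self.external.append(src)
        else:
            self._in_script = True

    def handle_data(self, data):
        if self._in_script and OBFUSCATION.search(data):
            self.inline.append(data.strip()[:60])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def scan_html(html: str) -> dict:
    """Return external script sources and obfuscated inline scripts found in html."""
    parser = ScriptCollector()
    parser.feed(html)
    return {"external": parser.external, "inline": parser.inline}


# Constructed sample: one first-party script, one injected third-party loader,
# and one obfuscated inline snippet of the kind an injected loader may contain.
SAMPLE = ('<html><head><script src="https://cdn.example-site.test/theme.js"></script>'
          '<script src="https://injected.invalid/loader.js"></script>'
          '<script>eval(atob("ZG9jdW1lbnQud3JpdGUoInhcIik="));</script>'
          '</head><body><p>Welcome</p></body></html>')
```

Run `scan_html` over a crawl of the site's rendered pages and review every flagged host against the site's known dependencies.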

This software installs NetSupport RAT, which gives attackers full access to the victim’s system, allowing them to monitor activities, capture credentials, and even take control of the infected machine.

Insikt Group has tracked GrayCharlie’s operations and identified a range of infrastructure tied to the group, much of which is hosted by MivoCloud and HZ Hosting Ltd.

These hosts serve as command-and-control (C2) servers for NetSupport RAT, alongside other compromised infrastructure. The group has also used them as staging infrastructure that deploys malicious payloads to compromised websites.

One of the most concerning aspects of this campaign is its MFA (Multi-Factor Authentication) bypass.

Because GrayCharlie presents live web pages, users are tricked into entering their credentials into real login forms, which lets the attackers get past MFA protections.

Overview of GrayCharlie clusters observed in 2025 (Source: Recorded Future)

The attackers capture the session cookies and authentication tokens, effectively neutralizing the extra layer of security.

Attack Chain Analysis

GrayCharlie has been observed using two primary attack chains to deploy NetSupport RAT:

  1. Fake Browser Update Chain: This method uses compromised websites to display a fake update prompt, leading the user to believe they need to update their browser. Once the user downloads the “update,” the payload is delivered and executed silently.
  2. ClickFix Chain: In this variant, users are shown a ClickFix pop-up that instructs them to execute a malicious command from the Windows Run dialog. This technique relies on social engineering to trick victims into running malicious scripts themselves.
Website impersonating “Wiser University” (Source: Recorded Future)

Once the malware is installed, it establishes persistence by setting registry keys, ensuring the RAT runs at every system startup.

The attackers then establish a connection with the C2 servers, allowing them to remotely control the system, monitor activities, and exfiltrate data.

To defend against GrayCharlie’s attacks, organizations must block known IP addresses and domains associated with the NetSupport RAT and related malware.

Website impersonating “Activitar” (Source: Recorded Future)

Security teams should deploy updated detection rules in formats such as YARA, Snort, and Sigma to identify and block infections. Monitoring for signs of data exfiltration is also crucial, as the attackers send stolen data back to their C2 servers.

Additionally, email filtering and heightened vigilance regarding suspicious links are key strategies to prevent these attacks. Organizations should also educate users about the dangers of fake updates and suspicious pop-ups.

According to Recorded Future, with GrayCharlie’s ongoing activities and increasingly sophisticated tactics, it remains a significant threat to organizations worldwide, especially in industries like legal services, which have been targeted in recent attacks.


The post GrayCharlie Campaign Compromises WordPress Sites To Spread NetSupport RAT and Steal Data appeared first on Cyber Security News.