A recent analysis has revealed a highly obfuscated .NET-based Remote Access Trojan (RAT) known as sectopRAT being distributed in the guise of a legitimate Google Chrome extension. Malware analyst Anurag of Malwr-Analysis noted that the malware masquerades as a Chrome extension named “Google Docs,” deceiving users into installing it.

The malicious extension consists of three key files: manifest.json, content.js, and background.js, which work together to exfiltrate data. The manifest.json file declares the extension’s name and permissions, misleadingly claiming to provide offline editing for Google Docs while requesting permissions broad enough to inject scripts into every web page. The content.js script registers event listeners on every page the user visits, capturing sensitive input such as usernames, passwords, credit card details, and other form data. Meanwhile, background.js acts as an intermediary: because it runs with the extension’s own host permissions rather than under the visited page’s same-origin restrictions, it can transmit the data stolen by content.js to the command-and-control (C2) server.

The extension’s behavior was observed during sandbox analysis, where it monitored user input fields across websites and relayed the captured data to the attacker-controlled server. Upon execution, sectopRAT connects to a C2 server at 91.202.233.18 over ports 9000 and 15647, enabling remote attackers to control infected systems.
This malware, also identified as Arechclient2, combines advanced obfuscation with functionality aimed squarely at data theft: it can extract stored credentials, monitor user activity, and exfiltrate sensitive data, and so poses a significant risk. To mitigate the threat, block network traffic to 91.202.233.18, audit installed browser extensions regularly, deploy behavior-based threat detection, and restrict the execution of untrusted .NET applications. SectopRAT’s ability to masquerade as a legitimate Chrome extension shows the increasing sophistication of browser-based threats.
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 18 Feb 2025 21:55:15 +0000