SectopRAT (Arechclient2) is a highly obfuscated .NET-based Remote Access Trojan (RAT). Researchers recently found it posing as a fake Google Docs Chrome extension, enhancing its stealth and data-theft capabilities.
Obfuscated .NET sectopRAT
SectopRAT uses the calli obfuscator, making static analysis difficult and hiding its core functions. Even with deobfuscation tools like CalliFixer, much of its code remains concealed.
However, researchers identified key capabilities, including stealing browser data (cookies, passwords, autofill info, and encryption keys), profiling victim systems (hardware, OS, installed software), and targeting applications like VPNs (NordVPN, ProtonVPN), game launchers (Steam), and messaging platforms (Telegram, Discord).
It also scans for cryptocurrency wallets and FTP credentials, functioning as both an infostealer and a remote access tool. SectopRAT communicates with its C2 server over encrypted channels, primarily using ports 9000 and 15647.
A major concern in this campaign is SectopRAT’s fake Chrome extension, disguised as “Google Docs.”
Once installed, the malware downloads manifest.json, content.js, and background.js from its C2 server, allowing it to:
- Inject malicious scripts into visited web pages.
- Capture user inputs like usernames, passwords, and credit card details.
- Send stolen data to the attacker’s C2 server.
Though it appears to offer offline editing for Google Docs, it actually functions as a keylogger and data theft tool.
SectopRAT’s ability to mimic legitimate software while avoiding detection is a serious threat. Its anti-analysis features, including anti-VM techniques and encrypted C2 communication, make it difficult to detect.
Mitigation
- Block traffic to known C2 servers.
- Monitor suspicious files in %AppData%/Local/llg.
- Remove unknown Chrome extensions.
- Use behavioral-based threat detection.
- Restrict untrusted .NET applications.
IOCs
- File Hash: EED3542190002FFB5AE2764B3BA7393B
- C2 Servers: 91.202.233.18 on ports 9000 and 15647
- Malicious URLs: http://91.202.233[.]18/wbinjget?q=... and https://pastebin.com/raw/wikwTRQc
- Mutex Name: 49c5e6d7577e447ba2f4d6747f56c473
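As an added example (not code from the original report), the following Python script turns the published network and file IOCs above into a simple detection check: it scans outbound connection records for the C2 address and ports and compares file hashes against the published sample hash. The connection-log line format and the sample log lines are constructed for this example and are not from the original page.

```python
import re
from typing import List, Optional

# IOCs as published in the report: C2 address, C2 ports and the sample's MD5.
C2_IP = "91.202.233.18"
C2_PORTS = {9000, 15647}
KNOWN_MD5 = {"eed3542190002ffb5ae2764b3ba7393b"}

# Assumed (constructed) log format: "<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
CONN_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")


def check_connection(line: str) -> Optional[str]:
    """Return a reason string if the record matches the published C2, else None."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None  # malformed or unrelated line: ignore rather than alert
    _ts, _src, _sport, dst, dport = m.groups()
    port = int(dport)
    if dst == C2_IP and port in C2_PORTS:
        return f"outbound to published SectopRAT C2 {dst}:{port}"
    if dst == C2_IP:
        # Same host on another port: still worth flagging, but note the port is unlisted.
        return f"outbound to published SectopRAT C2 {dst} on unlisted port {port}"
    return None


def check_hash(md5_hex: str) -> bool:
    """True if the MD5 (any case) matches the published sample hash."""
    return md5_hex.strip().lower() in KNOWN_MD5


def scan_log(lines: List[str]) -> List[str]:
    """Collect one reason string per matching connection record."""
    return [r for r in (check_connection(line) for line in lines) if r]


# Constructed sample records (203.0.113.10 is a documentation address, not a real host).
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5:51234 -> 203.0.113.10:443",
    "2024-01-01T10:00:03Z 10.0.0.5:51240 -> 91.202.233.18:9000",
    "2024-01-01T10:00:09Z 10.0.0.5:51241 -> 91.202.233.18:15647",
    "2024-01-01T10:01:00Z 10.0.0.5:51250 -> 91.202.233.18:8080",
    "not a connection record",
]

if __name__ == "__main__":
    for reason in scan_log(SAMPLE_LOG):
        print("ALERT:", reason)
    print("hash match:", check_hash("EED3542190002FFB5AE2764B3BA7393B"))
```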
This campaign highlights how cybercriminals exploit trusted platforms like browsers to spread stealthy malware. Strong security measures and vigilance are key to defense.