A group of GrayCharlie hackers shot JavaScript. Put it...

A group of GrayCharlie hackers fired JavaScript into the Wordpress website to release NetSupport RAT malware.

Website building platforms like Wordpress, while popular, are always targeted by hackers for hacking or embedding malware, and this time websites built on Wordpress are targeted again.

According to a report by the website, Cyber Security News mentioned the detection of a GrayCharlie hacker campaign, which launched an attack on a Wordpress-based website in 2023 with the implantation of an embeded JavaScript script on the site with the aim of releasing a malware type that remotely controls the victim's machine, or a RAT (Remote Access Trojan) called NetSupport RAT, and a malware type that steals data from the victim's machine, or an Infostealer named Stealc, as well as in the latter, another RAT type of malware was introduced into the campaign.

The technique used by the hacker group is to write a script to "tag" to the Document Object Model (DOM) on the target website. This tag points to JavaScript outside the web hosted on the hacker's server. If the victim opens a website that has been attacked by the hacker, the script checks which web browser and operating system the victim is using. If the script matches the script, it sends the victim to the next step, it attacks the victim by using a fake error alert to trick the victim into running a malware installation command or ClickFix with a fake CaptCha, and another way. One is to trick the victim into installing a fake web browser update, both of which lead to the installation of both malware.

A review by a research team from Recorded Future, an expert company developing cyber detectors, found that the backyard infrastructure, or Backend Infrastructure of the campaign, is using MivoCloud's cloud services and HZ Hosting Ltd's hosting services as part of the infrastructure system, and that the cluster (Cluster), the control server (C2 or Command and Control) of NetSupport RAT malware has been used to release deware (Deploy) since 2025. 2568) By examining the naming method of the TLC Certificate, License Key, and Serial Number associated with this infrastructure. In the area of communication of the C2 server, it is contacted through TCP port 443 with the SSH protocol. It allows data traffic to be camouflaged. It is not noticeable.

In the field of work of this campaign, the details are different in how to deceive the victims:

Fake Web Browser Update Scam: After the victim has logged into the website and installed a fake web browser update in JavaScript format, the WScript script will run PowerShell to download and unload the malware (Payload) files of the NetSupport RAT malware to the AppData folder.

ClickFix: After the victim places the command on Run and presses Enter, it downloads the Batch script file (.Bat) and then writes the Key Run in the Registry to guarantee that the malware will continue to work on the system (Persistence) every time it is rebooted, then contacts the C2 server, runs the System Reconnaissance tool, and ultimately releases the SectopRAT malware payload.

# Trending # Lemon 8 Howtoo # lemon 8 diary # freedomhack # Drug sign with lemon8