Summary:Researchers at Malwr-Analysis have published details of a campaign infecting end users with Arechclient2 (aka SectopRAT), a heavily obfuscated .NET-based remote access trojan. SectopRAT is distributed as a malicious Google Chrome extension posing as "Google Docs". In this case the extension consists of three primary files, manifest.json, content.js, and background.js, which together enable data theft from the targeted system. manifest.json falsely claims to offer offline editing for Google Docs while requesting broad permissions to inject scripts into every web page. The content.js script monitors user interactions and captures sensitive input such as usernames, passwords, and credit card details, while background.js is able to bypass browser security measures and transmit the stolen data to a C2 server.
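The combination described above (a Google-branded name, a content script matched against every site, and a background script to relay what it collects) is visible in the manifest alone, so it can be triaged without running the extension. The following is an added example, not code from Malwr-Analysis or from the campaign: the heuristics, the risk list and the sample manifest are mine and the sample only mirrors the description above, it is not the real file. The update_url check relies on the fact that extensions installed from the Chrome Web Store carry an update_url on clients2.google.com, so a Google-branded extension without one was sideloaded.

```python
"""Triage Chrome extension manifests for the traits described above: a
benign-sounding Google product name paired with permissions that let content
scripts run on every page and a background script to relay the data.
Heuristics and sample manifest are constructed for illustration."""
import json
import os
from pathlib import Path

# API permissions that expose traffic, stored secrets or other tabs. Presence
# alone is not proof of malice; combined with <all_urls> injection and a spoofed
# brand name it warrants a closer look.
HIGH_RISK_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking",
                         "declarativeNetRequest", "tabs", "history",
                         "clipboardRead", "nativeMessaging", "debugger"}
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SPOOFED_BRANDS = ("google docs", "google drive", "google sheets")
WEBSTORE_UPDATE_HOST = "clients2.google.com"


def assess_manifest(manifest: dict) -> dict:
    """Return a verdict ('clean', 'review' or 'suspicious') plus the findings behind it."""
    findings = []
    name = str(manifest.get("name", "")).lower()
    desc = str(manifest.get("description", "")).lower()

    # 1. Content scripts injected into every site (the content.js role).
    broad_cs = [cs for cs in manifest.get("content_scripts", [])
                if ALL_SITES & set(cs.get("matches", []))]
    if broad_cs:
        files = sorted({js for cs in broad_cs for js in cs.get("js", [])})
        findings.append(f"content scripts {files} injected on all sites")

    # 2. Host access to every origin (MV2 lists hosts under "permissions",
    #    MV3 under "host_permissions").
    hosts = set(manifest.get("host_permissions", [])) | set(manifest.get("permissions", []))
    if ALL_SITES & hosts:
        findings.append("host permission for all URLs")

    # 3. Sensitive API permissions.
    risky = sorted(HIGH_RISK_PERMISSIONS & set(manifest.get("permissions", [])))
    if risky:
        findings.append(f"sensitive permissions {risky}")

    # 4. Brand impersonation: a Google product name not installed from the Web Store.
    brand = any(b in name or b in desc for b in SPOOFED_BRANDS)
    if brand and WEBSTORE_UPDATE_HOST not in str(manifest.get("update_url", "")):
        findings.append("Google-branded name without a Web Store update_url (sideloaded)")

    # 5. A background script (the background.js role) that can relay collected data.
    bg = manifest.get("background", {})
    bg_files = list(bg.get("scripts", []))
    if "service_worker" in bg:
        bg_files.append(bg["service_worker"])
    if bg_files and broad_cs:
        findings.append(f"background script {bg_files} can relay data from the content scripts")

    if broad_cs and (brand or risky):
        verdict = "suspicious"
    elif findings:
        verdict = "review"
    else:
        verdict = "clean"
    return {"name": manifest.get("name"), "verdict": verdict, "findings": findings}


def scan_extensions_dir(root) -> list:
    """Assess every manifest.json below a Chrome profile's Extensions directory
    (on Windows typically <profile>/AppData/Local/Google/Chrome/User Data/Default/Extensions)."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        if "manifest.json" not in filenames:
            continue
        path = Path(dirpath) / "manifest.json"
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError) as exc:
            results.append({"path": str(path), "verdict": "unreadable", "findings": [str(exc)]})
            continue
        result = assess_manifest(manifest)
        result["path"] = str(path)
        results.append(result)
    return results


# Constructed sample mirroring the described extension (not the real manifest).
SAMPLE_MANIFEST = {
    "manifest_version": 2,
    "name": "Google Docs",
    "description": "Edit, create, and view your documents offline.",
    "version": "1.0",
    "permissions": ["<all_urls>", "tabs", "cookies", "webRequest", "webRequestBlocking", "storage"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"], "run_at": "document_start"}],
    "background": {"scripts": ["background.js"], "persistent": True},
}

if __name__ == "__main__":
    print(json.dumps(assess_manifest(SAMPLE_MANIFEST), indent=2))
```

Run scan_extensions_dir against each user profile's Extensions directory during triage; anything that comes back "suspicious" should be compared against the Web Store listing for the same name before it is removed, since the verdict is a heuristic and not a signature.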
Security Officer Comments:SectopRAT employs the calli obfuscator, a technique designed to obscure the code's logic and complicate reverse engineering. Despite attempts to deobfuscate the sample with tools such as CalliFixer, researchers note that the code remained largely obscured, though it was still partially readable in dnSpy. Upon decompiling the code, researchers identified several key functionalities. These include scanning for and gathering information on installed web browsers, extensions, and stored credentials; extracting cookies, usernames, passwords, and autofill data; and detecting installed VPN clients such as NordVPN and ProtonVPN. Additionally, the malware collects system information, including hardware details and OS specifications, searches for configurations related to game launchers, Telegram, and Discord, scans for FTP connections and stored credentials, and looks for cryptocurrency wallet configurations, suggesting an interest in cryptocurrency theft.
Suggested Corrections:Recommendations from Malwr-Analysis:
- Block network traffic to 91[.]202[.]233[.]18:9000 and 91[.]202[.]233[.]18:15647 — C2 servers.
- Monitor %AppData%/Local/llg for suspicious file creations.
- Remove any unknown Chrome extensions, particularly those masquerading as Google Docs.
- Use behavioral-based threat detection to identify suspicious activities.
- Restrict execution of untrusted .NET applications.
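The network and file-system indicators above can be turned directly into detection logic. The following is an added example, not code from Malwr-Analysis: it matches constructed Sysmon-style events (dicts with invented field names, not a vendor schema) against the two C2 endpoints and the drop directory. One caveat a practitioner should note: the write-up gives the directory as %AppData%/Local/llg, which this example reads as the %LocalAppData%\llg directory (AppData\Local, not Roaming); that reading is an assumption, so both the expanded and unexpanded forms are matched. It also goes one step beyond the published list by flagging any process running from the drop directory that opens a network connection, and any connection to the C2 host on a port other than the two listed.

```python
"""Match host and network telemetry against the indicators listed above.
Event shapes are constructed Sysmon-style dicts, not a real log schema."""
from pathlib import PureWindowsPath

# Indicators from the write-up: two C2 ports on one host, plus the drop directory.
C2_ENDPOINTS = {("91.202.233.18", 9000), ("91.202.233.18", 15647)}
C2_HOSTS = {ip for ip, _ in C2_ENDPOINTS}
# %AppData%/Local/llg is read as <profile>\AppData\Local\llg (i.e. %LocalAppData%\llg).
# That reading is an assumption, so both the expanded and unexpanded forms are matched.
DROP_DIR_PATTERNS = (("appdata", "local", "llg"), ("%localappdata%", "llg"))


def in_drop_dir(path: str) -> bool:
    """True if a Windows path lies under the llg drop directory (case-insensitive)."""
    if not path:
        return False
    parts = tuple(p.lower() for p in PureWindowsPath(path.replace("/", "\\")).parts)
    return any(parts[i:i + len(pat)] == pat
               for pat in DROP_DIR_PATTERNS for i in range(len(parts)))


def match_iocs(events):
    """Return (event_id, rule, detail) tuples for every event matching an indicator."""
    hits = []
    for ev in events:
        eid, kind = ev.get("id"), ev.get("event")
        if kind == "network_connect":
            ip, port = ev.get("dst_ip"), int(ev.get("dst_port", 0))
            if (ip, port) in C2_ENDPOINTS:
                hits.append((eid, "c2_connection", f"{ip}:{port}"))
            elif ip in C2_HOSTS:
                # Same server on a port not in the published list: still worth a look.
                hits.append((eid, "c2_host_unlisted_port", f"{ip}:{port}"))
            if in_drop_dir(ev.get("image", "")):
                # A binary living in the drop directory talking to the network.
                hits.append((eid, "drop_dir_process_network", ev["image"]))
        elif kind == "file_create":
            if in_drop_dir(ev.get("path", "")):
                hits.append((eid, "drop_dir_write", ev["path"]))
    return hits


# Constructed sample telemetry. 203.0.113.10 is a TEST-NET address standing in
# for ordinary browser traffic; the C2 address and ports are from the write-up.
SAMPLE_EVENTS = [
    {"id": 1, "event": "network_connect", "image": r"C:\Users\bob\AppData\Local\llg\host.exe",
     "dst_ip": "91.202.233.18", "dst_port": 9000},
    {"id": 2, "event": "network_connect", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
    {"id": 3, "event": "file_create", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\bob\AppData\Local\llg\cfg.dat"},
    {"id": 4, "event": "file_create", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\bob\AppData\Roaming\llg\notes.txt"},  # Roaming, not Local: no hit
    {"id": 5, "event": "network_connect", "image": r"C:\Users\bob\AppData\Local\llg\host.exe",
     "dst_ip": "91.202.233.18", "dst_port": 443},
]

if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_EVENTS):
        print(hit)
```

Feeding real Sysmon Event ID 3 (network connection) and Event ID 11 (file create) records through match_iocs only requires mapping their fields onto the dict keys used here; the path matching is done on path components rather than substrings so that a directory merely named "llg" elsewhere on disk does not fire the rule.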
Link(s):https://malwr-analysis.com/2025/02/18/arechclient2-malware-analysis-sectoprat/