SecTopRAT: A Dangerous Remote Access Trojan Spreading Through Google Fake Ads
SecTopRAT is a type of Remote Access Trojan (RAT) that gives attackers unauthorized access to a victim’s system. It allows them to execute commands, steal sensitive data, and even take full control of the infected device. This malware is often spread through malicious software bundles, phishing emails, or deceptive ads, such as fake Chrome installers promoted via Google Ads.
Cybercriminals are misusing Google Ads to distribute malware, tricking users into downloading fake Chrome installers from fraudulent Google Sites pages. These pages serve as intermediaries, delivering SecTopRAT or other malicious payloads to unsuspecting victims.
This tactic is similar to past large-scale phishing attacks targeting Google accounts, showing how attackers continuously refine their methods to exploit trusted platforms. To stay safe, users should be cautious when clicking on sponsored ads and only download software from official sources.
Cybercriminals are abusing Google Ads to distribute SecTopRAT by promoting a fake Chrome installer hosted on a fraudulent website (hxxps://chrome[.]browser[.]com[.]de), shown in Figure 1. Users who download googlechrome.exe from this site risk malware infection and full system compromise.
In-Depth Analysis of Malware: A Comprehensive Breakdown
Now, let’s dive into a thorough analysis of this malware, examining its behaviour, impact, and mitigation strategies in detail.
Load the downloaded googlechrome.exe (w.dat) into DIE (Detect It Easy). DIE reports that the file is packed and carries an unusual overlay; the highlighted overlay details in Figure 2 show a start offset of 0x0081FE00 and a size of 0x980F74D.
Open googlechrome.exe (w.dat) in HxD and press Ctrl + E to select a block of data. Enter the start offset 0x81FE00 and the length 0x980F74, copy the selected block, and paste it into a new HxD window.
In the new window, delete the zero padding that precedes the “4D 5A” (MZ) header so that the file begins with the MZ header, then save it.
Phase 2:
Open the extracted overlay file in DIE: it is a .NET executable, and it too carries an unusual overlay, starting at offset 0x2E00 with a size of 0x97DF75. Carve it in HxD the same way as before: select the block by start offset and size, copy it into a new HxD window, delete the data before “4D 5A”, and save the file.
The Entropy view shows high entropy, which is consistent with packed or encrypted content.
In the Overlay view, scrolling to offset 0x200 reveals another “MZ” header, meaning yet another file is embedded inside the overlay.
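The manual HxD procedure in Phases 1 and 2 (locate the overlay, delete the zero padding in front of 4D 5A, save, then repeat on the carved file) can be scripted. The Python below is an added example, not code from the original analysis or from the malware. It computes the overlay start from the PE section table instead of copying the value from DIE, validates each candidate MZ header by checking that e_lfanew points at a PE signature (a bare 4D 5A search hits random byte pairs in packed data), walks nested overlays until no further PE is found, and reports Shannon entropy. The minimal PE builder at the end is a constructed test fixture and produces non-runnable images only so the carving logic can be exercised offline.

```python
import math
import struct


def overlay_offset(data: bytes) -> int:
    """Offset where the PE overlay starts: the end of the last section's raw
    data (the value DIE shows as the overlay start). Raises if not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sect_table = e_lfanew + 24 + opt_size
    end = sect_table + 40 * num_sections
    if end > len(data):
        raise ValueError("truncated section table")
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_table + 40 * i + 16)
        if raw_size:  # uninitialised-data sections have no raw data on disk
            end = max(end, raw_ptr + raw_size)
    return end


def find_embedded_pe(blob: bytes, start: int = 0) -> int:
    """Offset of the first 'MZ' whose e_lfanew really points at 'PE\\0\\0', or -1."""
    pos = blob.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            if blob[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                return pos
        pos = blob.find(b"MZ", pos + 1)
    return -1


def carve_nested(data: bytes):
    """Automate the HxD steps: take the overlay, drop everything before the
    embedded MZ header, keep the carved file, then look inside that file."""
    carved = []
    current = data
    while True:
        overlay = current[overlay_offset(current):]
        pos = find_embedded_pe(overlay)
        if pos == -1:
            break
        current = overlay[pos:]  # zero padding before 4D 5A removed
        carved.append(current)
    return carved


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte, 0.0 to 8.0; values near 8 indicate packed or encrypted data."""
    if not blob:
        return 0.0
    n = len(blob)
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_min_pe(section_data: bytes, overlay: bytes = b"") -> bytes:
    """Constructed fixture: a minimal, non-runnable PE with one section and an
    optional overlay, used only to exercise the carving code offline."""
    e_lfanew = 0x40
    raw_ptr = 0x200  # section data on a 0x200 boundary, like a real linker
    hdr = bytearray(raw_ptr)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", hdr, e_lfanew + 4, 0x14C, 1)  # Machine=i386, 1 section
    struct.pack_into("<H", hdr, e_lfanew + 20, 0)         # no optional header
    s = e_lfanew + 24                                     # section table start
    hdr[s:s + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", hdr, s + 8, len(section_data), 0x1000,
                     len(section_data), raw_ptr)
    return bytes(hdr) + section_data + overlay


if __name__ == "__main__":
    # Three-stage nesting like the sample: zero padding, then MZ, at each level.
    inner = build_min_pe(b"\x90" * 16)
    stage2 = build_min_pe(b"\x90" * 32, b"\x00" * 0x200 + inner)
    sample = build_min_pe(b"\x90" * 64, b"\x00" * 0x100 + stage2)
    print(f"overlay at 0x{overlay_offset(sample):X}, entropy {shannon_entropy(sample):.2f}")
    for i, blob in enumerate(carve_nested(sample), 2):
        print(f"stage {i}: {len(blob)} bytes, its own overlay at 0x{overlay_offset(blob):X}")
```

To use it on a real sample, read the file into `data` and call `carve_nested(data)`; each returned blob is what the HxD steps produce, and `shannon_entropy` on each stage reproduces the DIE entropy check.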
Phase 3:
Open the extracted overlay file from googlechrome.exe in dnSpy, right-click and select “Go to Entry Point”, then scroll up from the entry point to find the URL shown in the figure.
The OnStartup() method is triggered when the application starts. It calls RunApplicationAsync(), which is responsible for fetching and executing the remote script. If an exception occurs, the program ensures that the MainWindow UI is displayed, possibly to mislead the user into thinking the application is a legitimate program. This behavior suggests an attempt to hide malicious activity behind a decoy interface.
This asynchronous function (RunApplicationAsync()) tries to retrieve a remote script from hxxps://launchapps[.]site/getCode[.]php. If the fetched content is empty or an error occurs, the application opens a window (MainWindow) to keep up a legitimate appearance. Otherwise, if a script is successfully downloaded, the function calls ExecuteCodeAsync(), which runs the fetched script on the machine. This turns the application into a Remote Access Trojan (RAT), letting attackers push and execute new payloads dynamically.
This function connects to the remote server (hxxps://launchapps[.]site/getCode[.]php) using HttpClient. If the request succeeds, it returns the server’s response as a string, which is expected to be a script to execute. If the server does not respond or returns an error, the function simply returns null. This is the command-and-control (C2) channel: attackers can change the malicious script at any time without modifying the original malware.
The next step is to examine the payload served from hxxps://launchapps[.]site/getCode[.]php. Requesting the URL directly in a browser returned the script for further investigation.
The IsRunAsAdministrator() function checks whether the script is running with administrative privileges. If not, it restarts itself through cmd.exe with the runas verb, which triggers a UAC elevation prompt.
The AddAppDataToDefenderExclusions() function adds the AppData folder to Windows Defender exclusions via PowerShell (Add-MpPreference requires administrative rights, which is why elevation comes first). This ensures that malicious files stored in AppData\BackupWin are not picked up by antivirus scans.
The script fetches an encrypted payload from hxxps://launchapps[.]site/3[.]php and decrypts it using AES. The decrypted file is saved as decrypted.exe in AppData\BackupWin and then executed.
The DownloadAndDecryptFileAsync function downloads an encrypted file from a remote server and decrypts it. It first sends a request to the given URL and checks if the response is successful. The response contains an encryption key, an initialization vector (IV), and encrypted data, all in Base64 format. The function then decrypts the data and saves it as decrypted.exe in the BackupWin folder inside AppData. Finally, it runs the decrypted file, which could be used to execute malicious code.
It checks the name of the running process, and if it contains “notion”, “grammarly”, or “chrome”, it downloads the legitimate installer from the vendor’s official source. This is most likely done to give the victim the expected application and disguise the malicious activity. Apart from the Google Chrome campaign, we also observed similar campaigns using Notion and Grammarly lures.
The ScheduleTask() function creates a scheduled task named BackupWinTask, ensuring that the malware executes on system startup.
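The second-stage behaviours just described (Defender exclusion for AppData via PowerShell, files dropped under AppData\BackupWin, a BackupWinTask scheduled task for startup persistence) leave process-creation telemetry that can be matched with simple rules. The following Python is an added example, not part of the original analysis: it runs three such rules over constructed Sysmon-style JSON events. Two details are assumptions, because the page does not state them: that the task is created with schtasks.exe, and that BackupWin sits under AppData\Roaming or AppData\Local (the page only says AppData\BackupWin); the regexes allow either.

```python
import json
import re

# Command-line rules. The schtasks form is an assumption; the page says only that
# a task named BackupWinTask is created.
RULES = {
    "defender_exclusion_appdata": re.compile(
        r"Add-MpPreference.*-ExclusionPath\s+\S*\\AppData\\", re.I),
    "schtasks_backupwin": re.compile(
        r"schtasks(?:\.exe)?\s+/create.*(?:/tn\s+\"?BackupWinTask|\\BackupWin\\)", re.I),
}
# Image-path rule: an executable running from AppData\<anything>\BackupWin\.
BACKUPWIN_IMAGE = re.compile(r"\\AppData\\(?:\w+\\)?BackupWin\\[^\\]+\.exe$", re.I)


def evaluate_event(event: dict):
    """Return the names of all rules matched by one process-creation event."""
    hits = []
    cmd = event.get("CommandLine", "")
    for name, pattern in RULES.items():
        if pattern.search(cmd):
            hits.append(name)
    if BACKUPWIN_IMAGE.search(event.get("Image", "")):
        hits.append("execution_from_backupwin")
    return hits


def scan(lines):
    """Run every rule over JSON-lines events; returns [(line_no, rule, image)]."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry instead of aborting the scan
        for rule in evaluate_event(event):
            findings.append((n, rule, event.get("Image", "")))
    return findings


# Constructed sample telemetry (Sysmon-style process creation, one JSON object per
# line). These are not real logs from the campaign; lines 4 and 5 are benign.
SAMPLE_EVENTS = r'''
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Users\\u\\Downloads\\googlechrome.exe", "CommandLine": "powershell.exe -Command Add-MpPreference -ExclusionPath C:\\Users\\u\\AppData\\Roaming"}
{"Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Users\\u\\Downloads\\googlechrome.exe", "CommandLine": "schtasks /create /tn BackupWinTask /sc onstart /tr C:\\Users\\u\\AppData\\Roaming\\BackupWin\\decrypted.exe /rl highest"}
{"Image": "C:\\Users\\u\\AppData\\Roaming\\BackupWin\\decrypted.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "C:\\Users\\u\\AppData\\Roaming\\BackupWin\\decrypted.exe"}
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe Add-MpPreference -ExclusionPath C:\\Dev\\build"}
{"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "chrome.exe --profile-directory=Default"}
'''.strip().splitlines()


if __name__ == "__main__":
    for line_no, rule, image in scan(SAMPLE_EVENTS):
        print(f"line {line_no}: {rule:<28} {image}")
```

The fourth event is a deliberate near miss: an exclusion for a developer build directory is noisy in the real world, so the rule keys on the AppData path the script actually excludes rather than on Add-MpPreference alone.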
Upon accessing hxxps://launchapps[.]site/3[.]php in a browser, the first line of the response contains three comma-separated parts: the AES key, the initialization vector (IV), and the encrypted data, each Base64-encoded.
To decrypt the data in CyberChef: add the “From Base64” and “AES Decrypt” operations. In AES Decrypt, paste the key and IV from the payload and set both input formats to Base64, set the mode to CBC/NoPadding, and select Hex as the output format. Paste the encrypted data into the input pane. The output should begin with 4D 5A, the MZ header.
Copy this output and paste it into HxD; the result is the decrypted.exe payload that the script drops in AppData\BackupWin.
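The CyberChef recipe above can be reproduced in a few lines so that a fresh 3.php response can be decrypted and sanity-checked without pasting key material around. The following Python is an added example, not code from the original analysis or from the malware. It parses the key,iv,data line, decrypts with AES-CBC and no padding layer (matching CyberChef's CBC/NoPadding), and refuses to write anything that does not start with 4D 5A. The AES primitive comes from the cryptography package, which is assumed to be installed; the strip_pkcs7 helper handles a practical caveat of NoPadding, namely that any PKCS#7 padding the server applied survives on the tail of the PE. The sample line built by make_sample_line is constructed here for offline use and is not the real payload.

```python
import base64


def parse_payload_line(line: str):
    """Split the first line served by 3.php into (key, iv, ciphertext).
    Format as described above: three comma-separated Base64 fields."""
    parts = [p.strip() for p in line.strip().split(",")]
    if len(parts) != 3:
        raise ValueError(f"expected key,iv,data; got {len(parts)} field(s)")
    key, iv, data = (base64.b64decode(p, validate=True) for p in parts)
    if len(key) not in (16, 24, 32):
        raise ValueError(f"AES key must be 16/24/32 bytes, got {len(key)}")
    if len(iv) != 16:
        raise ValueError(f"IV must be 16 bytes, got {len(iv)}")
    if not data or len(data) % 16:
        raise ValueError("ciphertext is not a non-empty multiple of 16 bytes")
    return key, iv, data


def format_payload_line(key: bytes, iv: bytes, data: bytes) -> str:
    """Inverse of parse_payload_line; used here only to build offline test input."""
    return ",".join(base64.b64encode(x).decode() for x in (key, iv, data))


def aes_available() -> bool:
    """True if the cryptography package (assumed dependency) can be imported."""
    try:
        import cryptography.hazmat.primitives.ciphers  # noqa: F401
        return True
    except ImportError:
        return False


def _aes_cbc(key: bytes, iv: bytes, data: bytes, decrypt: bool) -> bytes:
    # Raw CBC with no padding layer, exactly like CyberChef's CBC/NoPadding.
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    cipher = Cipher(algorithms.AES(key), modes.CBC(iv))
    ctx = cipher.decryptor() if decrypt else cipher.encryptor()
    return ctx.update(data) + ctx.finalize()


def strip_pkcs7(plain: bytes) -> bytes:
    """NoPadding leaves any PKCS#7 padding the sender used on the tail of the file.
    Remove it only if the tail is a valid padding block; otherwise keep the bytes."""
    n = plain[-1] if plain else 0
    if 1 <= n <= 16 and plain.endswith(bytes([n]) * n):
        return plain[:-n]
    return plain


def decrypt_payload_line(line: str) -> bytes:
    """From Base64 -> AES Decrypt (CBC/NoPadding) -> check for 4D 5A."""
    key, iv, data = parse_payload_line(line)
    plain = _aes_cbc(key, iv, data, decrypt=True)
    if plain[:2] != b"MZ":
        raise ValueError(f"not a PE: first bytes {plain[:2].hex()} (wrong key/IV/mode?)")
    return plain


def make_sample_line(plaintext: bytes, key: bytes, iv: bytes) -> str:
    """Constructed fixture: encrypt a fake 'PE' the way the server would have to
    for a NoPadding recipe to work (zero-padded to a block boundary)."""
    if len(plaintext) % 16:
        plaintext += b"\x00" * (16 - len(plaintext) % 16)
    return format_payload_line(key, iv, _aes_cbc(key, iv, plaintext, decrypt=False))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # python decrypt.py response.txt
        with open(sys.argv[1]) as f:
            line = f.readline()
    else:                                      # no file: use the constructed sample
        line = make_sample_line(b"MZ" + b"\x90" * 46, bytes(range(16)), bytes(range(16, 32)))
    pe = strip_pkcs7(decrypt_payload_line(line))
    with open("decrypted.exe.bin", "wb") as f:  # .bin so it cannot be launched by accident
        f.write(pe)
    print(f"wrote {len(pe)} bytes, starts with {pe[:2]!r}")
```

Saving the output with a non-executable extension and checking the MZ bytes before writing are deliberate: a wrong key, IV or mode produces plausible-looking garbage, and the 4D 5A check is the same sanity test the CyberChef recipe relies on.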