Pierluigi Paganini November 21, 2023

Experts warn of a surge in NetSupport RAT attacks against education, government, and business services sectors.

The Carbon Black Managed Detection & Response team is warning of a surge in the number of new infections related to NetSupport RAT in the last few weeks. The most impacted sectors are education, government, and business services.

NetSupport RAT is a remote control and desktop management software developed by NetSupport Ltd. It is designed to facilitate IT administrators and support staff in managing and controlling multiple remote computers from a centralized location. NetSupport Manager allows users to perform various tasks remotely, including troubleshooting, software distribution, system monitoring, and file transfers.

In recent years, multiple threat actors, including the group TA569, have been observed using the software as a Remote Access Trojan (RAT). The software was delivered through fraudulent updates, drive-by downloads, malware loaders (i.e. GhostPulse), and other forms of phishing campaigns.

Carbon Black researchers observed threat actors using older variations of NetSupport RAT, which used .BAT and .VBS files as decoys. The researchers did not observe newer variants utilizing older methods.

In the attacks detected by Carbon Black, NetSupport RAT was distributed through fake browser updates.

“In recent attacks, the NetSupport RAT has been observed to be downloaded onto a victim’s computer via deceptive websites and fake browser updates.” reads the analysis published by Carbon Black Managed Detection & Response team.

“The following infection showcases the victim getting tricked into downloading a fake browser update after visiting a compromised website.  These infected websites host a PHP script which displays a seemingly authentic update.  When the victim clicks on the download link, an additional Javascript payload is downloaded onto the endpoint.”

Upon downloading the Javascript (“Update_browser_10.6336.js“) it retrieves and execute a Powershell from an external domain (i.e. implacavelvideos[.]com). The Powershell is used to retrieve a ZIP archive containing NetSupport RAT that.

“Multiple NetSupport dependencies/DLL’s as well as the NetSupport Manager are contained within this decompressed file.” concludes the report published by Carbon Black that also includes Indicators of Compromise (IOC).”Once installed on a victim’s device, NetSupport is able to monitor behavior, transfer files, manipulate computer settings, and move to other devices within the network.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, NetSupport RAT)