Crooks distribute malware masquerading as fake software updates and deploy the NetSupport RAT

Researchers at FireEye have spotted a hacking campaign that leverages compromised websites to spread fake updates for popular software; in some cases the fake updates delivered the NetSupport Manager remote access tool (RAT).

NetSupport Manager is a legitimate, off-the-shelf remote administration tool that system administrators use to manage computers remotely. Crooks have abused it in the past to gain control of victims' machines.

According to FireEye, the campaign has been active for the past few months and relies on compromised websites to serve fake updates for popular software (Adobe Flash, Chrome, and Firefox); in some cases those fake updates were used to deliver the NetSupport Manager RAT.

Once a victim accepts the fake update, a malicious JavaScript file is downloaded, in most cases from a Dropbox link.

“Over the last few months, FireEye has tracked an in-the-wild campaign that leverages compromised sites to spread fake updates. In some cases, the payload was the NetSupport Manager remote access tool (RAT).” reads the analysis published by FireEye. 

“The operator behind these campaigns uses compromised sites to spread fake updates masquerading as Adobe Flash, Chrome, and FireFox updates.”

The JavaScript file gathers information about the target machine and sends it to the server, which in turn replies with additional commands; the script then executes a further JavaScript stage that delivers the final payload. That stage, dubbed Update.js, is executed from %AppData% with the help of wscript.exe.

According to FireEye, the initial JavaScript is wrapped in multiple layers of obfuscation; the second layer contains a function named dec that decrypts and executes further JavaScript code.

“since the malware uses the caller and callee function code to derive the key, if the analyst adds or removes anything from the first or second layer script, the script will not be able to retrieve the key and will terminate with an exception.” continues the analysis.

Once executed, the JavaScript contacts the command and control (C&C) server and sends a value named ‘tid’ together with the system’s current date, both in an encoded format. The server responds with encoded data that the script decodes and executes as a function named step2.

The step2 function collects and encodes various system information, then sends it to the server: architecture, computer name, user name, processors, OS, domain, manufacturer, model, BIOS version, anti-spyware product, anti-virus product, MAC address, keyboard, pointing device, display controller configuration, and process list.

The server then responds with a function named step3, which downloads Update.js, the script that fetches and executes the final payload.

Update.js uses PowerShell commands to download multiple files from the server, including:

  • 7za.exe: 7zip standalone executable
  • LogList.rtf: Password-protected archive file
  • Upd.cmd: Batch script to install the NetSupport Client
  • Downloads.txt: List of IPs (possibly the infected systems)
  • Get.php: Downloads LogList.rtf

The batch script (Upd.cmd) then performs the following tasks:

  1. Extracts the archive with the 7zip executable, using the password embedded in the script.
  2. Deletes the downloaded archive file (loglist.rtf) after extraction.
  3. Disables Windows Error Reporting and Application Compatibility.
  4. Adds the remote control client executable to the firewall’s allowed program list.
  5. Runs the NetSupport client (client32.exe).
  6. Adds a Run registry entry named “ManifestStore”, or downloads a shortcut file into the Startup folder, for persistence.
  7. Hides the dropped files by setting file attributes.
  8. Deletes the remaining artifacts (7zip executable, script, archive file).

The attackers then use NetSupport Manager to access and control the compromised systems remotely.

The final JavaScript also downloads a list of IP addresses (Downloads.txt) that likely belong to compromised systems; most of them are located in the U.S., Germany, and the Netherlands.

Further details, including the IOCs, are reported in FireEye’s analysis.

Pierluigi Paganini

(Security Affairs – NetSupport RAT, hacking)
