NetSupport RAT Uses Social Engineering Toolkits

Cyble Research & Intelligence Labs noticed threat actors using Fake Browser Update, SocGholish to deliver the NetSupport RAT.

SocGholish is active since 2017. It is a JavaScript malware framework where “Soc” refers to the use of social engineering toolkits masquerading as software updates to deploy malware on a victim’s system

Researchers pointed out that this malware campaign uses various ‘Social Engineering’ themes that imitate browser and program updates which include Chrome/Firefox, Flash Player, and Microsoft Teams.

Drive-By-Download Mechanism

The threat actors allegedly lured users to a Chrome update using a drive-by-download mechanism. Attackers host a malicious website (the site displays content to lure end-users with critical browser updates) implements drive-by-download mechanism to download an archive file that contains malware.

EHA
https://i0.wp.com/blog.cyble.com/wp-content/uploads/2022/09/Figure-1-Infection-chain-of-SocGholish.jpg?resize=982%2C250&ssl=1
Infection chain of SocGholish

Once downloaded, the threat actor deployed an array of trojan and malware attacks, such as Cobalt Strike framework, ransomware, and others.

https://i0.wp.com/blog.cyble.com/wp-content/uploads/2022/09/Figure-2-%E2%80%93-Fake-update-page-of-Chrome-browser.jpg?resize=908%2C772&ssl=1
Fake update page of Chrome browser

Upon clicking the “Update” button on the fake page, an archive file named “Сhrome.Updаte.zip” is downloaded and saved in the “Downloads” folder. Also, downloaded zip archive file contains a heavily-obfuscated JavaScript file named “AutoUpdater.js”.

Researchers say after the execution of the JavaScript file, it launches a PowerShell command to download and execute an additional PowerShell script from the remote server.

https://i0.wp.com/blog.cyble.com/wp-content/uploads/2022/09/Figure-4-PowerShell-Script-to-drop-NetSupport-RAT.jpg?resize=988%2C432&ssl=1
PowerShell Script to drop NetSupport RAT

NetSupport Manager is a commercially available RAT (Remote Administration Tool) used for legitimate reasons that gives administrators remote access to user’s computers. But TAs utilizes NetSupport Manager as their primary tool to target victims using remote access.

https://i0.wp.com/blog.cyble.com/wp-content/uploads/2022/09/Figure-5-NetSupport-RAT-malware-package-dropped-under-the-AppData-directory.jpg?resize=958%2C461&ssl=1

NetSupport RAT malware package dropped under the %AppData% directory

It is always worthwhile to confirm whether the downloaded content originated from a legitimate source and not from any suspicious sites.

Recommendations

  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.
  • Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.
  • Avoid downloading files from unknown websites.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices.
  • Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.
  • Block URLs that could spread the malware, e.g., Torrent/Warez.
  • Monitor the beacon on the network level to block data exfiltration by malware or TAs.
  • Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.

Download Free SWG – Secure Web Filtering – E-book

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.