blogs.vmware.com Open in urlscan Pro
2a02:26f0:480:591::2ef  Public Scan

URL: https://blogs.vmware.com/security/2023/11/netsupport-rat-the-rat-king-returns.html
Submission: On November 23 via api from DE — Scanned from DE

Form analysis 1 forms found in the DOM

GET https://blogs.vmware.com/security/

<form class="search-form" method="get" action="https://blogs.vmware.com/security/">
  <label class="sr-only" for="s">Search</label>
  <input class="search-field" placeholder="Search" name="s">
  <input type="submit" value="Submit Search" class="search-submit btn">
</form>

Text Content

Menu VMware Security Blog
Search
Search
 * VMware Blogs
 * Communities
 * Tech Zone

 * RSS

 * Featured
   
   Announcements
   
   
   WHY CISOS SHOULD INVEST MORE INSIDE THEIR INFRASTRUCTURE
   
   Tom Gillis June 2, 2022 5 min read
   Threat Analysis Unit
   
   
   SERPENT - THE BACKDOOR THAT HIDES IN PLAIN SIGHT
   
   Threat Analysis Unit April 25, 2022 11 min read
   Executive Viewpoint
   
   
   HOW NOT TO BUILD A SOC
   
   Martin Holzworth April 18, 2022 14 min read
   Executive Viewpoint
   
   
   PODCAST: DISCUSSING THE LATEST SECURITY THREATS AND THREAT ACTORS - TOM
   KELLERMANN (VIRTUALLY SPEAKING)
   
   Editorial Staff April 13, 2022 1 min read
 * CategoriesToggle submenu
   
   * Announcements
   * Executive Viewpoint
   * Multi-Cloud Security
   * Modern Apps Security
   * Workload Security
   * Endpoint Security
   * Network Security
   * Threat Analysis Unit
   * VMware Security Response Center
 * VMware Security
   
 * Get A Demo
   


 * RSS


Misc Threat Analysis Unit Threat Intelligence


NETSUPPORT RAT: THE RAT KING RETURNS

Alan Ngo, Abe Schneider, Fae Carlisle November 20, 2023 18 min read
Share on:
 * Share on Twitter
 * Share on LinkedIn
 * Share on Facebook
 * Share on Reddit
 * Email this post
 * Copy Link

Authors: Alex Murillo, Alan Ngo, Abe Schneider, Fae Carlisle

Contributors: Nikki Benoit





EXECUTIVE SUMMARY

For years, threat actors have been using legitimate software for illegitimate or
malicious purposes.  One such software is NetSupport Manager – a remote control
application used for remote systems management.  In recent years, however,
threat actors have repurposed this software as a Remote Access Trojan (RAT) to
infiltrate systems and utilize them as a launching point for subsequent attacks.

The Carbon Black Managed Detection & Response team, in collaboration with our
Threat Analysis Unit, has observed over 15 new infections related to NetSupport
RAT in the last few weeks. From the increase we noticed that the majority of the
infections were from the Education, Government, and Business Services sectors.
In this article we will delve into our methods for detecting and preventing this
malware, along with providing valuable insights and resources for defenders.





HISTORY

NetSupport Manager began as genuine software 30 years ago for remote technical
support use.  The tool allowed file transfers, support chat, inventory
management, and remote access.  While it is legitimate software, threat actors
have been using it in recent years as a Remote Access Trojan (RAT) – most
notably spread in 2020 via a massive COVID-19 phishing campaign.  The delivery
mechanisms for the NetSupport RAT encompass fraudulent updates, drive-by
downloads, utilization of malware loaders (such as GhostPulse), and various
forms of phishing campaigns.

Due to its legitimate nature and widespread availability, NetSupport Manager is
not exclusive to a singular threat actor.  Multiple malicious entities,
including the notorious TA569 – recognized for its SocGholish malware,
incorporate this tool into their arsenal.  Its accessibility renders it
susceptible to use by a spectrum of threat actors, ranging from novice hackers
to sophisticated adversaries.

Older variations of NetSupport RAT were seen utilizing .BAT and .VBS files,
often used as decoys.  Only one of the many BAT files being dropped would be
responsible for executing the RAT and establishing persistence.  We have not
observed these newer variants utilizing older methods.

 


CARBON BLACK DETECTION & ATTACK CHAIN 

In recent attacks, the NetSupport RAT has been observed to be downloaded onto a
victim’s computer via deceptive websites and fake browser updates.  Initial
infection, however, can vary depending on the threat actor.

The following infection showcases the victim getting tricked into downloading a
fake browser update after visiting a compromised website.  These infected
websites host a PHP script which displays a seemingly authentic update.  When
the victim clicks on the download link, an additional Javascript payload is
downloaded onto the endpoint.



Figure 1: Fake chrome browser update presented to victim

 

In this example, Update_browser_10.6336.js is the downloaded payload from the
fake browser update and can be seen making external network connections to
implacavelvideos[.]com



Figure 2: Update_browser_10.6336.js establishing connection to
implacavelvideos[.]com

 

Update_browser_10.6336.js then invokes powershell.exe to execute obfuscated
commands which then connects to kgscrew[.]com 



Figure 3: Obfuscated Powershell Command 

 

Powershell.exe is then utilized to pass a Base64 snippet in memory, then decodes
and stores the contents in a file called p.zip.

The contents of p.zip are then extracted into the directory:
\appdata\roaming\divx-429\





Figure 4: PowerShell connecting to the C2 for additional payload and p.zip
download.

 

Multiple NetSupport dependencies/DLL’s as well as the NetSupport Manager are
contained within this decompressed file.

 

Once installed on a victim’s device, NetSupport is able to monitor behavior,
transfer files, manipulate computer settings, and move to other devices within
the network.

 



Figure 5: Numerous NetSupport files being dropped after the connection to
kgscrew[.]com

 

Persistence is then established by adding client32.exe to the HKCU Run registry
key in:

\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIVXX or
\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIVX

 



Figure 6: PowerShell creates persistence in HKCU run registry

 

PowerShell is then utilized to invoke the NetSupport application, client32.exe,
which is then used to make a connection to Netsupport RAT’s Command and Control
server at 5.252.177[.]111(sdjfnvnbbz[.]pw) by executing the PowerShell script
which is broken down in detail below.



Figure 7:  client32.exe connecting to sdjfnvnbbz[.]pw 

 


POWERSHELL BREAKDOWN 

 



Figure 8: MDR analyst triage

 

When the MDR team received this alert we observed a powershell.exe process with
a very suspicious command line.  Given that the .JS file was also named
“update_browser_10.6336.js”, we immediately identified this as NetSupport RAT.

 

Further reviewing the command line, we identify a URL that gets passed to the
DownloadString function to download additional payloads.  In this particular
attack, it’s hXXps://gamefllix[.]com/111.php?9279.



Figure 9: PowerShell command showing the gameflix[.]com/111 DownloadsString

 


REVERSE ENGINEERING POWERSHELL

 

When an affected endpoint makes a network connection to the compromised URL, the
payload is downloaded; observed in Figure 10.  The downloaded payload is the GET
response of the obfuscated script from the compromised URL
(gamefllix.com/111.php). 



Figure 10: HTTP GET Response from gamefllix[.]com/111.php

 

Figure 10 shows the partial script as the full script is too long to share as an
image in this article – with over 4.5 million characters.  It appears to be
base64 encoded so the next step is to see what it is doing using CyberChef in an
attempt to decode it.  Unfortunately, the output appears unreadable.  It was
also observed that the PK header at the beginning of the file was identified as
a ZIP archive.

 

A few file names are seen, such as CacheMD5.dat, CacheURL.dat, client32.exe, as
well as an additional URL from the CyberChef output screenshot below.



Figure 11: CyberChef Base64 decode

 

We took the base64 encoded contents from gamefllix[.]com and used PowerShell in
a secured environment to reconstruct the ZIP archive with a simple custom
script.



Figure 12: .zip file contents

 

From these reconstructed files, we can obtain additional information, such as
Client32.ini, that contains a GatewayAddress (observed in Figure 7) when
client32.exe established a network connection on port 443 using the RADIUSSecret
for authentication.



Figure 13: Client32.ini contents

 

NetSupport Licensing information was gathered from the file named NSM.LIC.  The
name HANEYMANEY (observed in Figure 14 under the licensee field) has been
observed by a threat actor labeled TA569 – who also has a history of delivering
payloads via fake browser updates.   This could be a case of a compromised and
leaked license for NetSupport Manager.  There may not be a direct correlation,
but the behavior is suspicious at best.



Figure 14: NetSupport Licensing Information

 


SUMMARY

 

Despite a surge in activity, the Carbon Black MDR team remains vigilant against
NetSupport RAT.  Our team is experienced at detecting and responding to this
threat, effectively stopping the attack before it can escalate.  Carbon Black is
effective against NetSupport RAT due to its advanced detection and response
capabilities including:

 

 * Behavioral Analysis: Carbon Black uses behavioral analysis techniques to
   identify suspicious activities and behaviors associated with NetSupport RAT. 
   This proactive approach allows it to detect new and evolving threats,
   including those leveraging NetSupport RAT.

 

 * Threat Intelligence: Carbon Black integrates threat intelligence feeds into
   its detection algorithms.  This means it can recognize known indicators of
   compromise associated with NetSupport RAT, enabling quick identification and
   mitigation of infected systems.

 

 * Endpoint Security: Carbon Black provides robust endpoint security features,
   ensuring that devices are protected at the point of entry.  It can block
   malicious websites and prevent the execution of malicious files, thwarting
   attempts to download and install NetSupport RAT.

 

 * Real-time Monitoring: Carbon Black offers real-time monitoring and response
   capabilities.  It can detect suspicious activities in real-time, allowing
   security teams to respond promptly to potential NetSupport RAT infections,
   minimizing the damage caused by the malware.

 

 * Incident Response: In case of a NetSupport RAT infection, Carbon Black
   facilitates efficient incident response.  It provides detailed insights into
   the attack, helping security teams understand the extent of the compromise
   and take appropriate actions to remediate the situation.

 

 * Continuous Updates: Carbon Black regularly updates its threat intelligence
   databases and detection algorithms.  This ensures that the system is equipped
   to detect new variants of NetSupport RAT and other emerging threats
   effectively.

 

By leveraging these features, Carbon Black enhances organizations’ security
posture, making it challenging for threat actors to successfully operate the
NetSupport RAT within their networks or escalate the attack. 

 


SEARCH QUERIES:

 

 * process_name:*\\appdata\\roaming\\*\\ctfmon.exe OR process_name:*\\appdata\\roaming\\*\\whost.exe OR process_name:*\\appdata\\roaming\\*\\client32.exe OR childproc_name:*\\appdata\\roaming\\*\\ctfmon.exe OR childproc_name:*\\appdata\\roaming\\*\\whost.exe OR childproc_name:*\\appdata\\roaming\\*\\client32.exe

 * filemod_name:\\appdata\\roaming\\divx*\\

 * netconn_domain:kgscrew.com OR gamefllix.com

 


INDICATORS OF COMPROMISE (IOC)

 


HASHES

Name

SHA256 Hash

p.zip

c5c974b3315602ffaab9066aeaac3a55510db469b483cb85f6c591e948d16cfe

p.zip

8c9cd7a1ac6d4cbc641b31a3c55fde5e0e5a48c9bdaf71a59a2c4c9fd98ff9e7

update_browser_10.6336.js

46bb795f28ef33412b83542c88ef17d2a2a207ad3a927ecb4678b4ac9c5a05a5

CacheURL.dat

54b920f5b87019fcf313bec4d9f4639a932b8268e5183b29804e91e29ed6f726

client32.exe

213af995d4142854b81af3cf73dee7ffe9d8ad6e84fda6386029101dbf3df897

client32.exe

89f0c8f170fe9ea28b1056517160e92e2d7d4e8aa81f4ed696932230413a6ce1

Client32.ini 

28208baa507b260c2df6637427de82ad0423c20e2bceceb92ba5d76074dcd347

HTCTL32.DLL 

3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

HTML_Obj_list.txt 

e3665d8c5030be81a6955965c2928564fe922b9a21f9e712580d04825fa0adf1

nskbfltr.inf 

d96856cd944a9f1587907cacef974c0248b7f4210f1689c1e6bcac5fed289368

NSM.ini 

60fe386112ad51f40a1ee9e1b15eca802ced174d7055341c491dee06780b3f92

NSM.LIC 

f4e2f28169e0c88b2551b6f1d63f8ba513feb15beacc43a82f626b93d673f56d

nsm_vpro.ini 

4bfa4c00414660ba44bddde5216a7f28aeccaa9e2d42df4bbff66db57c60522b

pcicapi.dll

2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

PCICHEK.DLL 

956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

PCICL32.DLL 

38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

putty.exe 

fc6f9dbdf4b9f8dd1f5f3a74cb6e55119d3fe2c9db52436e10ba07842e6c3d7c

remcmdstub.exe 

fedd609a16c717db9bea3072bed41e79b564c4bc97f959208bfa52fb3c9fa814

whost.exe

b6b51f4273420c24ea7dc13ef4cc7615262ccbdf6f5e5a49dae604ec153055ad

TCCTL32.DLL 

6795d760ce7a955df6c2f5a062e296128efdb8c908908eda4d666926980447ea

rot-13.pscript 

2e4bd5557aedd1743da5fab1b6995fbc447d6e9491d9ec59fa93ab889d8bccd1

 

IPs/Domains

https://magydostravel[.]com/cdn/zwmrqqgqnaww[.]php

5.252.177[.]111

sdjfnvnbbz[.]pw:443

91.219.150[.]64

https://gamefllix[.]com/111[.]php[?]9279

arauas[.]com

91.19.150[.]63

 


MITRE ATT&CK TIDS

 

TID

Tactics

Technique

T1204.002

Execution

User Execution: Malicious File

T1059.001

Execution

Command and Scripting Interpreter: PowerShell

T1055

Privilege Escalation

Process Injection

T1027

Defense Evasion

Obfuscated Files or Information

T1041

Exfiltration

Exfiltration Over C2 Channel

T1074.001

Collection

Data Staged: Local Data Staging

T1547.001

Persistence, Privilege Escalation

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

T1057

Discovery

Process Discovery

 

ALAN NGO



ABE SCHNEIDER



FAE CARLISLE




RELATED ARTICLES

Misc


JUPYTER RISING: AN UPDATE ON JUPYTER INFOSTEALER

Swee Lai Lee, Bria Beathley, Abe Schneider, Alan N ... Swee Lai Lee, Bria
Beathley, Abe Schneider, Alan Ngo, Sean McKnight November 6, 2023 18 min read
Threat Analysis Unit


AN ILUMMANATION ON LUMMASTEALER

Fae Carlisle, Bria Beathley, Samantha Saltzman, Ad ... Fae Carlisle, Bria
Beathley, Samantha Saltzman, Adelin Grema, Alan Ngo October 18, 2023 27 min read
Threat Analysis Unit


8BASE RANSOMWARE: A HEAVY HITTING PLAYER

Deborah Snyder, Fae Carlisle, Dana Behling, Bria B ... Deborah Snyder, Fae
Carlisle, Dana Behling, Bria Beathley June 28, 2023 18 min read




×


Company

 * About Us
 * Executive Leadership
 * News & Stories
 * Investor Relations
 * Customer Stories
 * Diversity, Equity & Inclusion
 * Environment, Social & Governance
 * AI at VMware

 * Careers
 * Blogs
 * Communities
 * Acquisitions
 * Office Locations
 * VMware Cloud Trust Center
 * COVID-19 Resources

Support

 * VMware Customer Connect
 * Support Policies
 * Product Documentation
 * Compatibility Guide
 * Terms & Conditions
 * California Transparency Act Statement
 * Hands-on Labs & Trials

 * Twitter
 * YouTube
 * Facebook
 * LinkedIn
 * Contact Sales

--------------------------------------------------------------------------------

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers
to Broadcom Inc. and/or its subsidiaries. Terms of Use Your California Privacy
Rights Privacy Accessibility Trademarks Glossary Help Feedback


Cookies Settings


WE CARE ABOUT YOUR PRIVACY

We use cookies to provide you with the best experience on our website, to
improve usability and performance and thereby improve what we offer to you. Our
website may also use third-party cookies to display advertising that is more
relevant to you. If you want to know more about how we use cookies, please see
our Cookie Policy.
Cookies Settings Reject All Accept All Cookies



COOKIE PREFERENCE CENTER




 * GENERAL INFORMATION ON COOKIES


 * STRICTLY NECESSARY


 * PERFORMANCE


 * FUNCTIONAL


 * ADVERTISING

GENERAL INFORMATION ON COOKIES

When you visit our website, we use cookies to ensure that we give you the best
experience. This information does not usually directly identify you, but it can
give you a more personalized web experience. Because we respect your right to
privacy, you can choose not to allow some types of cookies by clicking on the
different category headings to find out more and change your settings. However,
blocking some types of cookies may impact your experience on the site and the
services we are able to offer. Further information can be found in our
Cookie Policy.

STRICTLY NECESSARY

Always Active

Strictly necessary cookies are always enabled since they are essential for our
website to function. They enable core functionality such as security, network
management, and website accessibility. You can set your browser to block or
alert you about these cookies, but this may affect how the website functions.
For more information please visit www.aboutcookies.org or
www.allaboutcookies.org.

Cookies Details‎

PERFORMANCE

Performance


Performance cookies are used to analyze the user experience to improve our
website by collecting and reporting information on how you use it. They allow us
to know which pages are the most and least popular, see how visitors move around
the site, optimize our website and make it easier to navigate.

Cookies Details‎

FUNCTIONAL

Functional


Functional cookies help us keep track of your past browsing choices so we can
improve usability and customize your experience. These cookies enable the
website to remember your preferred settings, language preferences, location and
other customizable elements such as font or text size. If you do not allow these
cookies, then some or all of these services may not function properly.

Cookies Details‎

ADVERTISING

Advertising


Advertising cookies are used to send you relevant advertising and promotional
information. They may be set through our site by third parties to build a
profile of your interests and show you relevant advertisements on other sites.
These cookies do not directly store personal information, but their function is
based on uniquely identifying your browser and internet device.

Cookies Details‎
Back Button


COOKIE LIST

Filter Button
Consent Leg.Interest
checkbox label label
checkbox label label
checkbox label label

Clear
checkbox label label
Apply Cancel
Confirm My Choices
Reject All Allow All

word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word

mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1